
Re: Reg: Vulnerability CVE-2014-0160


Hi Andreas,

While we do not actually end up linking against libssl, we do use
-lssl as a linking flag, so maybe that's what Aris meant.  I'm not
sure we need to turn that off, but if you want to, the following patch
seemed to work for me.

Thanks,
- Alan

On Mon, Apr 14, 2014 at 2:55 AM, Andreas Schneider <asn@xxxxxxxxxxxxxx> wrote:
> On Saturday 12 April 2014 22:53:07 Aris Adamantiadis wrote:
>> On 11/04/14 14:31, Andreas Schneider wrote:
>> > Hi,
>> >
>> >> This is regarding the vulnerability CVE-2014-0160 (OpenSSL Heartbleed),
>> >> we understand that we use openSSL in our implementation.
>> >>
>> >> We link -lssl and use libcrypto.so in our compilation and linking.
>> >> Does this vulnerability have any impact in libssh? Share your thoughts
>> >> regarding this.
>>
>> Hi Andreas,
>>
>> Quick thought here, maybe we should try to avoid linking with -lssl
>> because I don't think we use any API from libssl but only libcrypto.
>
> We do not link with -lssl.
>
> magrathea:~ # ldd /usr/lib64/libssh.so.4.4.1
>         linux-vdso.so.1 (0x00007fffadbfe000)
>         librt.so.1 => /lib64/librt.so.1 (0x00007f2657690000)
>         libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f26572a4000)
>         libz.so.1 => /lib64/libz.so.1 (0x00007f265708e000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007f2656cdf000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f2657b13000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2656ac0000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f26568bc000)
>
>
> Cheers,
>
>         -- andreas
>
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> www.cryptomilk.org                asn@xxxxxxxxxxxxxx
>
>
From 6954f92d9f0641b2ab1fc9d8d0f5dc6a1562b041 Mon Sep 17 00:00:00 2001
From: Alan Dunn <amdunn@xxxxxxxxx>
Date: Sat, 12 Apr 2014 16:11:13 -0500
Subject: [PATCH] build: Do not link against libssl, only libcrypto


Signed-off-by: Alan Dunn <amdunn@xxxxxxxxx>
---
 src/CMakeLists.txt |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 1891a00..ae8eb6d 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -28,7 +28,7 @@ if (HAVE_LIBSOCKET)
   )
 endif (HAVE_LIBSOCKET)
 
-if (OPENSSL_LIBRARIES)
+if (OPENSSL_CRYPTO_LIBRARIES)
   set(LIBSSH_PRIVATE_INCLUDE_DIRS
     ${LIBSSH_PRIVATE_INCLUDE_DIRS}
     ${OPENSSL_INCLUDE_DIRS}
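Review bot: The new guard `if (OPENSSL_CRYPTO_LIBRARIES)` depends on a variable whose definition is not visible in this patch. If the OpenSSL find module used by the build does not set OPENSSL_CRYPTO_LIBRARIES, the whole block is skipped silently and neither ${OPENSSL_INCLUDE_DIRS} nor the crypto library is added to the build. Please confirm the find module sets it on every supported setup, or fall back to OPENSSL_LIBRARIES when it is empty.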
@@ -36,9 +36,9 @@ if (OPENSSL_LIBRARIES)
 
   set(LIBSSH_LINK_LIBRARIES
     ${LIBSSH_LINK_LIBRARIES}
-    ${OPENSSL_LIBRARIES}
+    ${OPENSSL_CRYPTO_LIBRARIES}
   )
-endif (OPENSSL_LIBRARIES)
+endif (OPENSSL_CRYPTO_LIBRARIES)
 
 if (GCRYPT_LIBRARY)
   set(LIBSSH_PRIVATE_INCLUDE_DIRS
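Review bot: The commit message has no body, so the reason for replacing ${OPENSSL_LIBRARIES} with ${OPENSSL_CRYPTO_LIBRARIES} in LIBSSH_LINK_LIBRARIES is not recorded. A sentence saying that libssh uses only libcrypto APIs, so -lssl is dropped from the link line, would help later readers. The matching `endif (OPENSSL_CRYPTO_LIBRARIES)` rename keeps the block consistent with its opening `if`.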
-- 
1.7.9.5
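
The thread's question is whether libssl is a real dependency of the built library or only a flag on the link line. The following is an added example, not part of the original message or the libssh code base. It classifies a shared object from its direct DT_NEEDED entries as printed by `readelf -d`; unlike `ldd`, that output does not include transitive dependencies. The function names and the sample dynamic section are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `readelf -d` output for a libssh-like shared object
# (illustrative values, not captured from a real build).
sample_dynamic() {
cat <<'EOF'
Dynamic section at offset 0x6fd30 contains 31 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [librt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libssh.so.4]
EOF
}

# Print the direct DT_NEEDED sonames found in `readelf -d` text on stdin.
# Hypothetical helper name.
direct_needed() {
    sed -n 's/^.*(NEEDED).*Shared library: \[\(.*\)].*$/\1/p'
}

# Classify OpenSSL usage from `readelf -d` text on stdin (hypothetical helper):
#   libssl    -> the TLS library is a direct dependency
#   libcrypto -> only the crypto primitives library is a direct dependency
#   none      -> neither library is a direct dependency
openssl_linkage() {
    needed=$(direct_needed)
    if printf '%s\n' "$needed" | grep -q '^libssl\.so'; then
        echo libssl
    elif printf '%s\n' "$needed" | grep -q '^libcrypto\.so'; then
        echo libcrypto
    else
        echo none
    fi
}

# Real use: readelf -d /path/to/library.so | openssl_linkage
sample_dynamic | openssl_linkage
```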

