[Bug 2212] New: openssl version check should ignore status nibble

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Mar 20 17:16:41 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2212

            Bug ID: 2212
           Summary: openssl version check should ignore status nibble
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: vapier at gentoo.org

the current version check in entropy.c looks like:
   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
   if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||

this causes it to pay attention to the last nibble in the version field
which makes no sense.  the only thing that part does is track whether
the openssl in use is a dev, beta, or release.  so if you install
1.0.2-beta1, then build openssh, then install 1.0.2 (the release), this
check rejects the openssl version.

this is documented in the openssl header:
/* Numeric release version identifier:
 * MNNFFPPS: major minor fix patch status
 * The status nibble has one of the values 0 for development, 1 to e
for betas
 * 1 to 14, and f for release.  The patch level is exactly that.
 * For example:
 * 0.9.3-dev      0x00903000 
 * 0.9.3-beta1    0x00903001
...

simple patch to fix the openssh code:
-   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L :
~0xff0L;
+   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xfffffL :
~0xff0L;

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list