| Summary: | libimobiledevice/usbmuxd fails with new version of GnuTLS | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | rosenp |
| Component: | libimobiledevice | Assignee: | Peter Robinson <pbrobinson> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | cfergeau, ehedgren, nmavrogi, pbrobinson |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libimobiledevice-1.2.0-8.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-12-20 06:22:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
rosenp
2016-10-15 05:44:09 UTC
Note that there are multiple issues concerning that. The following patch is also required to be applied: https://github.com/libimobiledevice/libimobiledevice/commit/23069d10341ce637fdad7321d447c53752dba48c I'll look at this shortly, will likely move to openssl (In reply to Peter Robinson from comment #2) > I'll look at this shortly, will likely move to openssl Please don't, if you cannot apply the patches please accept my commit access and I'll look into it.
> Please don't
Please don't do what? Please be specific.
don't switch to openssl (In reply to Nikos Mavrogiannopoulos from comment #5) > don't switch to openssl why? as I said before please be specific I think I was specific. If you want a reason for my suggestion is because I am the maintainer of gnutls and I would like to verify that the upstream fix works. (In reply to Nikos Mavrogiannopoulos from comment #7) > I think I was specific. If you want a reason for my suggestion is because I > am the maintainer of gnutls and I would like to verify that the upstream fix > works. I'm sorry all you said was "don't switch to openssl" without any reason as to why. That is NOT specific! The problem I have found with gnutls, and I've been considering this change for some time, is it doesn't have a stable API and randomly breaks stuff like this forcing things to unnecessarily pull in patches mid-stream to fix those issues. Literally everytime! I originally moved from openssl as I wasn't convinced of it's security, since heartbleed this has improved and they have the actual ability to communicate changes in API with proper details rather than just randomly breaking shit. (In reply to Peter Robinson from comment #8) > (In reply to Nikos Mavrogiannopoulos from comment #7) > > I think I was specific. If you want a reason for my suggestion is because I > > am the maintainer of gnutls and I would like to verify that the upstream fix > > works. > I'm sorry all you said was "don't switch to openssl" without any reason as > to why. That is NOT specific! > The problem I have found with gnutls, and I've been considering this change > for some time, is it doesn't have a stable API and randomly breaks stuff > like this forcing things to unnecessarily pull in patches mid-stream to fix > those issues. Literally everytime! While there have been ABI changes, the API hasn't changed for several years. What has changed though is thorough checking of input parameters (IMO a good thing), and that's what broke libimobiledevice. Unfortunately the libimobiledevice gnutls support was not very well written (as seen in the patches above). Notice that the patches above, enable TLS 1.0 (which exists since 1996), introduce error checking (which was not there) and fix wrong use of the API (such as setting invalid RSA keys). So for that particular case the gnutls API is unchanged but the introduced sanity checks to prevent applications from using invalid keys broke libimobile lib. I could help improving that by reviewing the upstream code, if you keep that support. > I originally moved from openssl as I > wasn't convinced of it's security, since heartbleed this has improved and > they have the actual ability to communicate changes in API with proper > details rather than just randomly breaking shit. Both are C libraries and I wouldn't try to make statements that one is more secure than the others. Such issues like heartbleed could happen to C libraries, but note that both libraries have had such issues found once in a decade or so. So security-wise I would say that both are equivalent or at least not far from each other. libimobiledevice-1.2.0-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e9b731e067 libimobiledevice-1.2.0-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e9b731e067 libimobiledevice-1.2.0-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |