Fall 2020 security package update

[th0ma7]

Issue for tracking all packages needing publishing following major updates to openssl, glib, gnutls & libgcrypt adressing multiple security issues namely:

• https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-194420/Openssl-Openssl-1.0.2g.html
• https://www.cvedetails.com/vulnerability-list/vendor_id-283/product_id-16275/version_id-260024/Gnome-Glib-2.56.1.html
• https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html
• https://www.cvedetails.com/vulnerability-list/vendor_id-4711/product_id-25777/Gnupg-Libgcrypt.html

Related PR:

• openssl: update to version 1.1.1h #4155: Update openssl (merged)
• glib, gnutls and libgcrypt security updates #4010: Update glib, gnutls & libgcrypt (merged)
• Update & fix build of ruTorrent #4209: Update ruTorrent (merged, see Package updates below)
• Update synocli net #4195: Update synocli-net (merged)
• tvheadend: Update to git hash 9ed76c0 from Oct 11th 2020 #4218 Update to tvheadend (merged)
• Update mosquitto (todo: create new PR after merge of sourceforge.net toolchain & kernel location change #4115)

Indirectly related PR:

• make all-supported and all-default #4200: Update to make all-supported with parallel build to ease publishing (merged)
• bitlbee: Remove obsolete package #4208: Remove bitlbee (merged)

Package updates

• boxbackup-client 0.12-2
• ffmpeg 4.3.1
• fossil-scm 2.12.1-2 (BUG: error while loading shared libraries: libssl.so.1.1: cannot open shared object file fixed with fix fossil-scm build #4241)
• git 2.28.0-16
• gnupg 2.2.23-3 (glib, gnutls and libgcrypt security updates #4010, update gnupg #4233)
• haproxy 2.2.4-22 (glib, gnutls and libgcrypt security updates #4010)
• links 2.21-2 (moved to synocli-net with Update synocli net #4195)
• mediainfo 20.08-11 (consolidate with Update & fix build of ruTorrent #4209)
• ntopng 4.2-3 (consolidate with Update ntopng to version 4.2 #4255 + download libmysqlclient package fix native/libmysqlclient: Fix download URL to align against cross/* #4245 + libzmq duplicate removal Remove duplicate zeromq (libzmq) #4254)
• sslh 1.21c-5 (glib, gnutls and libgcrypt security updates #4010 + fix with sslh: Update startup & configuration to work with new version #4246 + libcap sslh: Enable libcap support #4248)
• synocli-file 1.2-4 (update midnight commander to 4.8.25)
• rutorrent 3.10 (BUG: service does not start - consolidate with Update & fix build of ruTorrent #4209 and spk/rutorrent: fix startup issues #4234)
• tvheadend 20201011-9ed76c0-26 (Oct 11th 2020 tvheadend: Update to git hash 9ed76c0 from Oct 11th 2020 #4218)

Packages with new revision due to openssl update (PR #4155)

First stage

Before or in parallel with updated packages above

• python3
• python

Second Stage

• borgbackup
• deluge
• domoticz
• homeassistant
• icecast
• irssi
• itools (included in synocli-net, no dedicated package anymore)
• lidarr
• mtproxy
• mutt
• ntopng
• nzbdrone (sonarr)
• radarr
• synocli-disk
• synocli-monitor (update synocli-monitor #4329)
• synocli-net (consolidate with Update synocli net #4195 and glib, gnutls and libgcrypt security updates #4010)
• transmission
• tvheadend
• umurmur
• znc

Packages with new revision due to glib,gnutls or libgcrypt (PR #4010)

• ffmpeg
• chromaprint
• comskip
• gnupg
• sshfs (part of synocli-net)
• sslh (BUG: service does not start - fixed with sslh: Update startup & configuration to work with new version #4246)
• icecast
• irssi
• ntopng
• python
• python3
• rutorrent
• synocli-disk (update synocli-disk tools #4252)
• synocli-file (update synocli-file tools #4242)
• synocli-net (including fix build dependencies #4257)
• tvheadend

Packages with new revision due to rutorrent update (PR #4209)

• mediainfo
• rutorrent (BUG: service does not start)

To be confirmed (issue #3666)

• mono

Packages set for removal (PR #4208)

• bitlbee

[th0ma7]

Proposal:

1. Merge all PR starting with openssl: update to version 1.1.1h #4155 with rebasing for all subsequent to confirm proper github-action builds
2. As @hgy59 is proposing to start with a first block for python and python3 (with or without affiliated packages)?
3. I would suggest a second block including the classic 4x related to ffmpeg (e.g. chromaprint, comskip and tvheadend)
4. Perhaps releasing a few other "trivial" packages?
5. A pause for a week to confirm no major blockers emerge
6. Publish the remaining

Thoughts?

[hgy59]

1. Merge all PR starting with #4155 with rebasing for all subsequent to confirm proper github-action builds

Before this, we should merge #4191 to fix the Makefile of openssl 1.0.1 and then rebase #4155 before continuing with the proposed list.

I do not expect to publish mosquitto with the outdated openssl version, but I would like to see a working cross/openssl on the master before we switch to openssl 1.1.1.

[ymartin59]

So do I understand well it is worth waiting for glib/gnutls/libgcrypt merge before building and testing again python+python3?
From my point of view, there is no need to deliver Python related application packages.

[th0ma7]

Exactly as there are sub-dependencies that relies on this. But everything is building beautifully currently and addressing the last remaining bits such as spk package rev & changelogs.

[hgy59]

@ymartin59 I published synocli-net to the repo about 20 hours ago. It is shown in the web page but in the package center of my diskstations still the old version 1.4-4 is shown. And yes, I have activated the packages. Is there anything else that is missing or do we need to wait for a "cache update"?

[th0ma7]

I noticed from time to time that it can take as much as 48h+ to finally see the new packages...
Note that synocli-net is also indirectly affected by #4010 as well. Although not convinced is worth pushing another update...

[ymartin59]

There is a chance both combination of Package Center refresh period and Fastly caching configuration delay availability in users' DSM

[ymartin59]

I think Mono also requires another build #3666

[ymartin59]

@th0ma7 When building fossil-scm, openssl PLIST libraries have not been included into package... No idea if it is a transient error when building, or if it is a trouble with build chain changes.

[th0ma7]

I've just check with the tvheadend package I built this morning and everything looks good?

~/git-master/spksrc/cross/openssl$ cat PLIST | while read LINE
> do
> grep $LINE ~/git-master/spksrc/spk/tvheadend/work-apollolake-6.2.3/PLIST
> done
rsc:bin/c_rehash
bin:bin/openssl
lib:lib/engines-1.1/afalg.so
lib:lib/engines-1.1/capi.so
lib:lib/engines-1.1/padlock.so
lnk:lib/libcrypto.so
lib:lib/libcrypto.so.1.1
lnk:lib/libssl.so
lib:lib/libssl.so.1.1

Along with matching dependency tree:

~/git-master/spksrc/spk/tvheadend$ make dependency-tree
+ tvheadend
	+ busybox 1.26.2
	+ tvheadend 4.3
		+ openssl 1.1.1h
			+ zlib 1.2.11
		+ uriparser 0.9.1
		+ pcre2 10.35
		+ libiconv 1.15
		+ python 2.7.18
		...

Although just noticed that there are many many files missing!!!

$ make dependency-flat | while read DEP; do cat ../../$DEP/PLIST 2>/dev/null | while read LINE; do grep $LINE ~/git-master/spksrc/spk/tvheadend/work-apollolake-6.2.3/PLIST 2>/dev/null || echo "$LINE: ERROR"; done; done | grep ERROR | wc -l
668

[th0ma7]

I just tried it against fossil-scm and indeed there is an issue out there:

$ more PLIST 
bin:bin/fossil

Dependency tree looks good (although with a duplicate zlib):

fossil-scm$ make dependency-tree
+ fossil-scm
	+ fossil-scm 2.12.1
		+ zlib 1.2.11
		+ openssl 1.1.1h
			+ zlib 1.2.11

Question is: could this affect other PLIST from other dependencies resulting into bad spk?

I recall looking into the PLIST creation and I was always getting odd results when playing with that section of the code that really needs revamping as not using the magic cookie mechanism like everywhere else. I ended-up not touching it for now. Although perhaps changing other pieces of the code elsewhere had a side effect? <<-- Must have had side effects...

Further testing:

$ make dependency-flat | while read DEP; do cat ../../$DEP/PLIST | while read LINE; do grep $LINE ~/git-master/spksrc/spk/fossil-scm/work-apollolake-6.2.3/PLIST || echo "$LINE: ERROR"; done; done
bin:bin/fossil
rsc:bin/c_rehash: ERROR
bin:bin/openssl: ERROR
lib:lib/engines-1.1/afalg.so: ERROR
lib:lib/engines-1.1/capi.so: ERROR
lib:lib/engines-1.1/padlock.so: ERROR
lnk:lib/libcrypto.so: ERROR
lib:lib/libcrypto.so.1.1: ERROR
lnk:lib/libssl.so: ERROR
lib:lib/libssl.so.1.1: ERROR
lnk:lib/libz.so: ERROR
lnk:lib/libz.so.1: ERROR
lib:lib/libz.so.1.2.11: ERROR

[th0ma7]

I'll do a git-bisect and try to figure out where the issue is exactly... more to come with hopefully a fix shortly.

Investigating and issue has been on-going for quite long... really really really long... We definitively need to rework the PLIST in order to validate that each and every PLIST of all dependencies is properly processed, included and that the resulting files are all included (last part tar should tell). Further more, as mentioned previously, I had found odd-behavior when trying to rework part of that code so I never pushed upstream any changes due to unknown bugs..

Findings so far (re-using/backporting fossil-scm as it easily triggers the problem) :

bad - HEAD is now at 1c5cf293 cross/nmap: cflags are actually no longer required
bad - HEAD is now at 7f816fea openssl: update to version 1.0.2u
bad - HEAD is now at 272d8b62 wallabag: update wallabag to 2.3.8 and various fixes (#4179)
bad - HEAD is now at 0373760e python3: upgrade to 3.7.7 + homeassistant build fixes (#3953)
bad - HEAD is now at a8cbf704 incorporate fixes for mistakes with rebase
bad - HEAD is now at a52d9f65 update transmission to 3.00 (#4009)
bad - HEAD is now at fc7a6e01 fossil-scm: initial package for version 2.10 (#3909)
bad - HEAD is now at 33324b9b znc: update to 1.7.5
bad - HEAD is now at 5df16e10 synocli-file: initial package version
bad - HEAD is now at ab347af3 Update templates

To the point where I downloaded the fossil-scm package online and the issue was already existing at that time:

$ tar -xvf fossil-scm.v1.f15047[apollolake-avoton-braswell-broadwell-broadwellnk-bromolow-cedarview-denverton-dockerx64-grantley-kvmx64-x86-x86_64].spk
package.tgz
INFO
scripts/
scripts/service-setup
scripts/start-stop-status
scripts/preupgrade
scripts/postuninst
scripts/installer
scripts/postupgrade
scripts/preinst
scripts/preuninst
scripts/postinst
PACKAGE_ICON.PNG
PACKAGE_ICON_256.PNG
syno_signature.asc

$ tar -zxvf package.tgz 
app/
app/images/
app/images/fossil-scm-256.png
app/images/fossil-scm-64.png
app/images/fossil-scm-24.png
app/images/fossil-scm-72.png
app/images/fossil-scm-48.png
app/images/fossil-scm-32.png
app/images/fossil-scm-16.png
bin/
bin/fossil

[th0ma7]

I need help from somebody to tell me that I am completely mistaking and crazy...

• fossil-scm package seems to trigger the problem, always.
• At the opposite zsh works out all right.

Findings so far the issue has been going since at least March 2019.
Actually I've stopped searching at that point just because I now doubt that my method is right.
A second opinion would be much appreciated.

commit ab347af3e91141c0125a67306dde97b9f73c01c6 (HEAD)
Author: hgy59 <hpgy59@gmail.com>
Date:   Sat Mar 30 09:06:52 2019 +0100

[th0ma7]

BTW @ymartin59 let me know how if you need some help to deploy other packages.
I might be able to find a few spare cycles over the week-end to help out.

[th0ma7]

Foud a few cycles to publish mediainfo, done.

[ymartin59]

@th0ma7 Do not hesitate to pick any package you are interested in. According to remaining list, most of them require "update" process to publish latest version.

[th0ma7]

@hgy59 was links 2.21-2 (todo: move to synocli-net with #4195) completed par of the new release of synocli-net ?

[th0ma7]

@hgy59 thnx for releasing ntop and lua. I was working on haproxy but work on this got lost on my failed hard drive before I was able to push my git upstream.

[BenjV]

There is a security alert for Openssl with a high risk classification reported.
see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711
and
https://www.openssl.org/news/vulnerabilities.html

This is fixed in Openssl 1.1.1l.
Is it a good idea to upgrade to this openssl version?

[hgy59]

Closing this, as all remaining packages are covered by #4820.