<div dir="ltr">We should probably understand first the motivation for the original patch.<div><br></div><div>At the moment (without any digging into the VCS), I would prefer the dynamic linking for security reasons.</div><div>With the patch, we need to binNMU on each security upload, while without it we only need to binNMU if a header is changed.</div><div><br></div><div>Kaplan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 27, 2015 at 8:22 PM, Declercq Laurent <span dir="ltr"><<a href="mailto:l.declercq@nuxwin.com" target="_blank">l.declercq@nuxwin.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Le 26/04/2015 14:07, Lior Kaplan a écrit :<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It seems we can remove the patch, as since 2011 -lcrypto is indeed added later in acinclude.m4.<br>
<br>
See upstream commit a286fa3523b230fded3204d8b09381675f70d85c<br>
<br>
Kaplan<br>
</blockquote>
<br></span>
Re;<br>
<br>
According to my previous mails, I've made some tests and I've refreshed the patch to force usage of the static openssl archive.<br>
<br>
First, I give you some info about my environment:<br>
<br>
##############################################################################<br>
root@jessie:/usr/local/src/phpswitcher/php-5.6.8# lsb_release -a<br>
No LSB modules are available.<br>
Distributor ID:Â Â Debian<br>
Description:Â Â Debian GNU/Linux 8.0 (jessie)<br>
Release:Â Â 8.0<br>
Codename:Â Â jessie<br>
<br>
root@jessie:/usr/local/src/phpswitcher/php-5.6.8# dpkg-architecture<br>
DEB_BUILD_ARCH=amd64<br>
DEB_BUILD_ARCH_BITS=64<br>
DEB_BUILD_ARCH_CPU=amd64<br>
DEB_BUILD_ARCH_ENDIAN=little<br>
DEB_BUILD_ARCH_OS=linux<br>
DEB_BUILD_GNU_CPU=x86_64<br>
DEB_BUILD_GNU_SYSTEM=linux-gnu<br>
DEB_BUILD_GNU_TYPE=x86_64-linux-gnu<br>
DEB_BUILD_MULTIARCH=x86_64-linux-gnu<br>
DEB_HOST_ARCH=amd64<br>
DEB_HOST_ARCH_BITS=64<br>
DEB_HOST_ARCH_CPU=amd64<br>
DEB_HOST_ARCH_ENDIAN=little<br>
DEB_HOST_ARCH_OS=linux<br>
DEB_HOST_GNU_CPU=x86_64<br>
DEB_HOST_GNU_SYSTEM=linux-gnu<br>
DEB_HOST_GNU_TYPE=x86_64-linux-gnu<br>
DEB_HOST_MULTIARCH=x86_64-linux-gnu<br>
DEB_TARGET_ARCH=amd64<br>
DEB_TARGET_ARCH_BITS=64<br>
DEB_TARGET_ARCH_CPU=amd64<br>
DEB_TARGET_ARCH_ENDIAN=little<br>
DEB_TARGET_ARCH_OS=linux<br>
DEB_TARGET_GNU_CPU=x86_64<br>
DEB_TARGET_GNU_SYSTEM=linux-gnu<br>
DEB_TARGET_GNU_TYPE=x86_64-linux-gnu<br>
DEB_TARGET_MULTIARCH=x86_64-linux-gnu<br>
<br>
root@jessie:/usr/local/src/phpswitcher/php-5.6.8# dpkg-buildflags<br>
CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security<br>
CPPFLAGS=-D_FORTIFY_SOURCE=2<br>
CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security<br>
FCFLAGS=-g -O2 -fstack-protector-strong<br>
FFLAGS=-g -O2 -fstack-protector-strong<br>
GCJFLAGS=-g -O2 -fstack-protector-strong<br>
LDFLAGS=-Wl,-z,relro<br>
OBJCFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security<br>
OBJCXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security<br>
##############################################################################<br>
<br>
Now comes the result with your current patch applied:<br>
<br>
##############################################################################<br>
root@jessie:/var/www/imscp/gui/plugins/PhpSwitcher/PhpCompiler# ldd /usr/bin/php<br>
  linux-vdso.so.1 (0x00007ffdfd7fb000)<br>
  libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa7a7f02000)<br>
  libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa7a7ce7000)<br>
  libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fa7a7acf000)<br>
  libonig.so.2 => /usr/lib/x86_64-linux-gnu/libonig.so.2 (0x00007fa7a7865000)<br>
  libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fa7a746a000)<br>
  libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fa7a7209000)<br>
  <a href="http://libdb-5.3.so" target="_blank">libdb-5.3.so</a> => /usr/lib/x86_64-linux-gnu/<a href="http://libdb-5.3.so" target="_blank">libdb-5.3.so</a> (0x00007fa7a6e48000)<br>
  libqdbm.so.14 => /usr/lib/libqdbm.so.14 (0x00007fa7a6bfb000)<br>
  libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007fa7a69ea000)<br>
  libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa7a677c000)<br>
  librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa7a6574000)<br>
  libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fa7a6272000)<br>
  libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa7a606e000)<br>
  libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fa7a5e56000)<br>
  libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fa7a5aee000)<br>
  libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fa7a58a4000)<br>
  libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fa7a55d0000)<br>
  libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fa7a539e000)<br>
  libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fa7a519a000)<br>
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa7a4df1000)<br>
  libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa7a4bd3000)<br>
  /lib64/ld-linux-x86-64.so.2 (0x00007fa7a8145000)<br>
  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fa7a49b0000)<br>
  libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fa7a47a3000)<br>
  libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fa7a459f000)<br>
##############################################################################<br>
<br>
As you can see here openssl is still dynamically linked which is bad in regard of the expected result.<br>
<br>
Now, with my refreshed patch (applied on PHP 5.6.8 (upstream)):<br>
<br>
##############################################################################<br>
jessie:/usr/local/src/phpswitcher/php-5.6.8# ldd cgi-build/sapi/cli/php<br>
  linux-vdso.so.1 (0x00007ffe337f8000)<br>
  libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd2e7428000)<br>
  libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd2e720d000)<br>
  libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd2e6ff5000)<br>
  libonig.so.2 => /usr/lib/x86_64-linux-gnu/libonig.so.2 (0x00007fd2e6d8b000)<br>
  libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fd2e6a80000)<br>
  <a href="http://libdb-5.3.so" target="_blank">libdb-5.3.so</a> => /usr/lib/x86_64-linux-gnu/<a href="http://libdb-5.3.so" target="_blank">libdb-5.3.so</a> (0x00007fd2e66be000)<br>
  libqdbm.so.14 => /usr/lib/libqdbm.so.14 (0x00007fd2e6471000)<br>
  libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007fd2e6261000)<br>
  libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd2e5ff2000)<br>
  librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fd2e5dea000)<br>
  libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fd2e5ae9000)<br>
  libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd2e58e4000)<br>
  libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fd2e56cc000)<br>
  libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fd2e5365000)<br>
  libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fd2e511a000)<br>
  libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fd2e4e46000)<br>
  libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fd2e4c15000)<br>
  libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd2e4a10000)<br>
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd2e4667000)<br>
  /lib64/ld-linux-x86-64.so.2 (0x00007fd2e766b000)<br>
  libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fd2e4451000)<br>
  libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd2e4233000)<br>
  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fd2e4010000)<br>
  libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fd2e3e03000)<br>
  libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fd2e3bff000)<br>
##############################################################################<br>
<br>
As you can see here both libssl.so and libcrypto.so are not longer listed but openssl is here as it is expected (part of php -i output):<br>
<br>
OpenSSL support => enabled<br>
OpenSSL Library Version => OpenSSL 1.0.1k 8 Jan 2015<br>
OpenSSL Header Version => OpenSSL 1.0.1k 8 Jan 2015<br>
<br>
The patch which is attached to this mail has been done against PHP 5.6.8 ( upstream ).<br>
<br>
Should I create a report and submit the patch officially or not?<br>
<br>
<br>
Thank you for your interest.<div class="HOEnZb"><div class="h5"><br>
<br>
-- <br>
Laurent Declercq<br>
iHMS/i-MSCP Project Lead<br>
<br>
</div></div></blockquote></div><br></div>