Beta sqlite3/openssl package updates

[af123]

I've just pushed updated beta packages for sqlite3 and openssl. They are both minor updates:

• openssl 1.1.1.a -> 1.1.1.b
• sqlite 3.27.1 -> 3.27.2

 

[/df]

Is it possible that openssl-1.1.1b has broken something?

I get a segmentation fault apparently from an infinite recursion when running wget (1.20): here's it kicking off:

humax# gdb --args wget https://github.com/openssl/openssl/blob/master/include/openssl/crypto.h
GNU gdb (GDB) 7.1
...
Reading symbols from /mnt/hd2/mod/bin/wget...(no debugging symbols found)...done.
(gdb) b CRYPTO_malloc
Breakpoint 1 at 0x403c60
(gdb) r
Starting program: /mnt/hd2/mod/bin/wget https://github.com/openssl/openssl/blob/master/include/openssl/crypto.h
setpgrp failed in child: No such process

Redirecting output to 'wget-log.3'.

Breakpoint 1, 0x2ad33170 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
(gdb) c
Continuing.

Breakpoint 1, 0x2ad33170 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
(gdb) c
Continuing.

Breakpoint 1, 0x2ad33170 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
(gdb) c
Continuing.

Breakpoint 1, 0x2ad33170 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
(gdb) c
Continuing.

Breakpoint 1, 0x2ad33170 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
(gdb) bt
#0  0x2ad33170 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
#1  0x2ad331b0 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
#2  0x2ad331b0 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
#3  0x2ad331b0 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
#4  0x2ad331b0 in CRYPTO_malloc () from /mod/lib/libcrypto.so.1.1
#5  0x2ad33270 in CRYPTO_zalloc () from /mod/lib/libcrypto.so.1.1
#6  0x2add12ac in CRYPTO_THREAD_lock_new () from /mod/lib/libcrypto.so.1.1
#7  0x2ad27648 in ?? () from /mod/lib/libcrypto.so.1.1

I'm sure wget-1.20 worked fine in the beta test (I'd like to revert to openssl-1.1.1a as a test but opkg seems unhelpful in that respect). My wget-1.19.5 built against LibreSSL also works.

This issue has similar symptoms but the same circumstances don't apply exactly. There's a suggestion that the underlying issue is non-matching malloc initialisation in the executable vs the .so.

As a side issue, I wonder what functionality or build configuration makes these wget builds 2-3 times bigger than 1.12 (given that the fancy crypto is all in the OpenSSL .so)?

 

[MymsMan]

wget is used by autodecrypt so if there was a general problem I am sure it would have been reported before

 

[/df]

It might have been if anyone had patched their Humax DLNA server to use https!

The crash only happens when initialising SSL. Confirmed on a second machine with up-to-date beta packages and no history of software development.

 

[/df]

And fixed by downgrading:

humax# wget https://hummypkg.org.uk/hdrfoxt2/base/openssl_1.1.1.a-2_mipsel.opk
--2019-04-23 10:05:52--  https://hummypkg.org.uk/hdrfoxt2/base/openssl_1.1.1.a-2_mipsel.opk
Segmentation fault
humax# wget -U "" http://hummypkg.org.uk/hdrfoxt2/base/openssl_1.1.1.a-2_mipsel.opk
...
2019-04-23 10:11:52 (496 KB/s) - 'openssl_1.1.1.a-2_mipsel.opk' saved [5436792/5436792]

humax# opkg --force-downgrade install openssl_1.1.1.a-2_mipsel.opk 
Downgrading openssl on root from 1.1.1.b to 1.1.1.a-2...
Configuring openssl.
humax# wget  https://hummypkg.org.uk/hdrfoxt2/base/openssl_1.1.1.a-2_mipsel.opk
--2019-04-23 10:13:32--  https://hummypkg.org.uk/hdrfoxt2/base/openssl_1.1.1.a-2_mipsel.opk
Resolving hummypkg.org.uk... 2a00:5600:1600::50, 89.248.55.75
Connecting to hummypkg.org.uk|2a00:5600:1600::50|:443... failed: Address family not supported by protocol.
Connecting to hummypkg.org.uk|89.248.55.75|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2019-04-23 10:13:33 ERROR 403: Forbidden.

humax#

The last wget fails (intentionally) because the server rejects the User Agent, but the SSL bit worked. The first wget failed before making the SSL connection.

 

[af123]

Is it possible that openssl-1.1.1b has broken something?

Yes, thanks for the report. Beta testing works : )
I'll push up a fixed package shortly, as well as an updated wget since 1.20.3 has been released.

 

[/df]

Incidentally the original failure was trying to download the source package for lynx-2.8.8.

I managed to build Lynx on-box against these OpenSSL libs and was able to browse https://wiki.hummy.tv and download stuff, a more integrated user experience than wget/curl.

Is anyone likely to be interested in this? I could make a package, or provide the build config files. I had to reverse some #if 1 constructs in ncurses.h and term.h IIRC.

 

[Black Hole]

Is anyone likely to be interested in this?

How does this help? What does lynx do?

 

[/df]

If you follow the lynk, you can read about it. It's the original text-based browser.

Why might you want it?

• You're bored with copying links from a graphical web browser window into a telnet window to download them to the Humax disk.
• You want to download from a server that blocks wget's UA and can't remember how to spoof it.
• You want to use a browser that's guaranteed not to use JavaScript.
• Because it's there!

Obvs the last is the key one, although I suppose there might be a use case involving iPlayer and youtube-dl (not yet tested). Also, perhaps a local browser under our control on the box might help in developing the Portal functionality, which AFAIK is currently just a long-winded way to launch the iPlayer app.

 

[Black Hole]

Even as a text-based browser, there's no way to get its output onto the TV screen (which is where the native browser has the advantage).

Would you propose to run it through WebShell?

 

[peterworks]

Re wget - I have two boxes which (I believe) mirror each other. Overnight one updated the wget beta but the other does not have it installed. Can you advise what package(s) use this - I see autodecrypt is mentioned in this thread.
Thanks

Edit: I have used the telnet installed command and they both have the same packages installed except for wget

 

[prpr]

Overnight one updated the wget beta but the other does not have it installed. Can you advise what package(s) use this

BootHDR, youtube-dl and (indirectly) qtube.

 

[peterworks]

Thanks prpr

 

[/df]

Even as a text-based browser, there's no way to get its output onto the TV screen (which is where the native browser has the advantage).
...

I was thinking more of a debugging tool in this case.

 

[prpr]

Is it not time to remove libopenssl and polarssl from the repository?
Both are old (ancient/prehistoric), insecure and unnecessary.

And what about tidying up openssl-command and openssl ?