Bug 767886 - dev-lang/python[ssl] automagic w/ dev-libs/openssl[sslv3]: ImportError: /usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so: undefined symbol: SSLv3_method, version OPENSSL_1_1_0
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Python Gentoo Team
Reported: 2021-01-29 19:19 UTC by Andreas Sturmlechner
Modified: 2021-02-03 11:56 UTC
Attachments
sys-apps:pkgcore-0.10.14-r1.build.log (sys-apps:pkgcore-0.10.14-r1:20210129-182345.log,151.74 KB, text/x-log)
2021-01-29 19:19 UTC, Andreas Sturmlechner

Description Andreas Sturmlechner gentoo-dev 2021-01-29 19:19:05 UTC
Created attachment 685134
sys-apps:pkgcore-0.10.14-r1.build.log

I've recently dropped USE=sslv3 from dev-libs/openssl again, and some revdeps of python (which had been built against dev-libs/openssl[ssl,sslv3]) now show breakage, such as:


Generating plugin cache
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/snakeoil/modules.py", line 78, in load_any
    return import_module(name)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 972, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/var/tmp/portage/sys-apps/pkgcore-0.10.14-r1/work/pkgcore-0.10.14-python3_9/src/pkgcore/sync/sqfs.py", line 4, in <module>
    from pkgcore.sync.http import http_syncer
  File "/var/tmp/portage/sys-apps/pkgcore-0.10.14-r1/work/pkgcore-0.10.14-python3_9/src/pkgcore/sync/http.py", line 5, in <module>
    import ssl
  File "/usr/lib/python3.9/ssl.py", line 98, in <module>
    import _ssl             # if we can't import it, let the error propagate
ImportError: /usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so: undefined symbol: SSLv3_method, version OPENSSL_1_1_0
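
A diagnostic for the failure in the traceback above, as an added example that is not part of the original report or of Gentoo's tooling: it imports a module in a child interpreter and recognises the loader's "undefined symbol" message, so every installed interpreter can be checked after OpenSSL's build options change. The function names and status labels are this example's own; the message pattern is taken from the ImportError line in the report.

```python
import re
import subprocess
import sys

# Loader message format taken from the traceback in this report:
#   <path>.so: undefined symbol: <name>, version <symver>
UNDEFINED_SYMBOL = re.compile(
    r"(?P<module>\S+\.so[\w.]*): undefined symbol: (?P<symbol>\w+)"
    r"(?:, version (?P<version>\w+))?"
)


def classify(returncode, stderr):
    """Map a child interpreter's exit status and stderr to (status, detail)."""
    if returncode == 0:
        return "ok", None
    match = UNDEFINED_SYMBOL.search(stderr)
    if match:
        # An extension module references a symbol the installed library lacks.
        return "missing-symbol", match.groupdict()
    lines = stderr.strip().splitlines()
    return "other-error", lines[-1] if lines else ""


def probe_import(module="ssl", python=sys.executable):
    """Import `module` in a separate interpreter so a failure cannot affect the caller."""
    try:
        proc = subprocess.run(
            [python, "-c", "import " + module],
            capture_output=True, text=True, timeout=60,
        )
    except FileNotFoundError:
        return "no-interpreter", python
    return classify(proc.returncode, proc.stderr)


def scan(interpreters, module="ssl"):
    """Probe several interpreters (for example one per installed Python slot)."""
    return {python: probe_import(module, python) for python in interpreters}


if __name__ == "__main__":
    # Interpreter names come from the command line; default is the current one.
    for python, (status, detail) in scan(sys.argv[1:] or [sys.executable]).items():
        print(python, status, detail)
```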
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 19:23:09 UTC
I guess we should just force not using SSLv3 unconditionally here, correct?
Comment 2 Andreas Sturmlechner gentoo-dev 2021-01-29 19:29:55 UTC
If there is a way in the build system, yes; any revdep depending on such would have probably been found out about by now.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 19:38:49 UTC
Of course there isn't.  Apparently upstream is checking for some defines directly in the module code, e.g.:

#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
    case PY_SSL_VERSION_SSL3:
        ctx = SSL_CTX_new(SSLv3_method());
        break;
#endif

I guess the simplest method would be to inject OPENSSL_NO_SSL3 somehow.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 19:47:02 UTC
Actually, it would be probably easier to just patch the code out than manage to inject the #define without actually hardcoding it in sysconfig.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-02-03 09:23:56 UTC
A fix is included in the 3.10.0a5 patchset.  Will backport to older versions when they have a release or we have a security fix to backport.
Comment 6 Larry the Git Cow gentoo-dev 2021-02-03 11:56:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae90c3fb460cd008653638b0221292d932bc6052

commit ae90c3fb460cd008653638b0221292d932bc6052
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-03 09:15:59 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-03 11:56:31 +0000

    dev-lang/python: Bump to 3.10.0a5
    
    The patchset now force-disables SSLv3.
    
    Bug: https://bugs.gentoo.org/767886
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                    |   3 +
 dev-lang/python/python-3.10.0_alpha5.ebuild | 353 ++++++++++++++++++++++++++++
 2 files changed, 356 insertions(+)