Discussion:
Bug#568601: netatalk: PAM DHX2: libgcrypt versions mismatch
Yuxuan Wang
2010-02-06 02:10:01 UTC
Package: netatalk
Version: 2.0.5-3
Severity: important


after upgrade, the dhx2 auth is unusable, got the following log in
syslog:

afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268
afpd[25514]: DHX2: Couldn't generate p and g

looks like it's built against a different version of libgcrypt than
squeeze provides.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages netatalk depends on:
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libcomerr2             1.41.9-1          common error description library
ii  libcrack2              2.8.15-6+b1       pro-active password checker librar
ii  libcups2               1.4.2-4           Common UNIX Printing System(tm) -
ii  libdb4.8               4.8.26-1          Berkeley v4.8 Database Libraries [
ii  libgcrypt11            1.4.4-6           LGPL Crypto library - runtime libr
ii  libgnutls26            2.8.5-2           the GNU TLS library - runtime libr
ii  libgssapi-krb5-2       1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii  libk5crypto3           1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii  libkrb5-3              1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii  libpam-modules         1.1.0-4           Pluggable Authentication Modules f
ii  libpam0g               1.1.0-4           Pluggable Authentication Modules l
ii  libwrap0               7.6.q-18          Wietse Venema's TCP wrappers libra
ii  netbase                4.40              Basic TCP/IP networking system
ii  perl                   5.10.1-9          Larry Wall's Practical Extraction
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages netatalk recommends:
ii  cracklib-runtime           2.8.15-6+b1   runtime support for password check
ii  db4.8-util                 4.8.26-1      Berkeley v4.8 Database Utilities
ii  libpam-cracklib            1.1.0-4       PAM module to enable cracklib supp
ii  lsof                       4.81.dfsg.1-1 List open files
ii  procps                     1:3.2.8-2     /proc file system utilities
ii  rc                         1.7.1-3       an implementation of the AT&T Plan

Versions of packages netatalk suggests:
pn  db4.2-util                    <none>     (no description available)
pn  db4.7-util                    <none>     (no description available)
pn  groff                         <none>     (no description available)
pn  quota                         <none>     (no description available)
ii  texlive-binaries [texlive-bas 2009-5     Binaries for TeX Live

-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Frank Lahm
2010-02-07 12:20:02 UTC
Post by Yuxuan Wang
Package: netatalk
Version: 2.0.5-3
Severity: important
after upgrade, the dhx2 auth is unusable, got the following log in
afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268
It's trying to complain that the installed libgcrypt version is older
than the one used at compile time. Unfortunately the printf format
string has a %u instead of a %s so the "Need: X" is garbage. This has
already been addressed in Netatalk CVS.
Post by Yuxuan Wang
afpd[25514]: DHX2: Couldn't generate p and g
looks like it's built against a different version of libgcrypt than
squeeze provides.
I can't really give you a clue or tell if and how the Debian package
has a problem. You might try to install a newer version of libgcrypt
somehow.

Hth,
Frank, Netatalk Dev.
Jonas Smedegaard
2010-02-07 12:40:03 UTC
Post by Frank Lahm
Post by Yuxuan Wang
after upgrade, the dhx2 auth is unusable, got the following log in
afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268
Thanks for the bugreport, Yuxuan!
Post by Frank Lahm
It's trying to complain that the installed libgcrypt version is older
than the one used at compile time. Unfortunately the printf format
string has a %u instead of a %s so the "Need: X" is garbage. This has
already been addressed in Netatalk CVS.
Thanks for the

I guess the fix is to spit out an improved error message, not somehow
making netatalk more flexible about libgcrypt version, right Frank?
Post by Frank Lahm
I can't really give you a clue or tell if and how the Debian package
has a problem. You might try to install a newer version of libgcrypt
somehow.
The Debian package has a problem in not declaring tight enough package
dependencies: Instead of a broken installation, the package should
refuse to install if a properly working libgcrypt could not be ensured
to also be available on the installed system. Such refusal could then
get detected by distrowide metatools to report when the package needed
to be recompiled.

Hope that clarifies :-)


@Yuxuan: I agree with you on the urgency of this bugreport. Thanks
again!


- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private
Frank Lahm
2010-02-07 12:50:01 UTC
Hi Jonas,
Post by Jonas Smedegaard
Post by Yuxuan Wang
after upgrade, the dhx2 auth is unusable, got the following log in
afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268
Thanks for the bugreport, Yuxuan!
It's trying to complain that the installed libgcrypt version is older than
the one used at compile time. Unfortunately the printf format string has a
%u instead of a %s so the "Need: X" is garbage. This has already been
addressed in Netatalk CVS.
Thanks for the
I guess the fix is to spit out an improved error message, not somehow making
netatalk more flexible about libgcrypt version, right Frank?
I'm not sure what you're implying or asking here. The next version of
Netatalk will in this case output "Need
COMPILE_TIME_VERSION_AS_STRING".
Netatalk can't be "more flexible" about this requirement, because if
afpd has been compiled with version x.y.z, it is a requirement that
the installed version _at least_ is as high. It can be higher though of
course.

Regards!
-Frank
fishy
2010-02-07 12:40:03 UTC
Manually upgrading libgcrypt11 to 1.4.5-2 fixed this problem, thanks.
--
regards,
fishy
Matijs van Zuijlen
2023-11-30 14:10:01 UTC
Dear maintainer,

This problem still exists. I installed netatalk from testing on a Debian
server running stable, and libgcrypt was not updated at the same time
because the dependency in the netatalk package specifies '>= 1.10.0',
which matches the stable version 1.10.1, while testing's netatalk
actually needs libgcrypt 1.10.2. This led to a flood of errors in the
logs. Updating the libgcrypt package to the testing version (1.10.2)
fixed that problem.

As far as I can tell, the solution would be for the netatalk package to
depend on (at least?) the libgcrypt version it was compiled with.
--
Kind regards,
Matijs van Zuijlen
Daniel Markstedt
2023-11-30 23:50:01 UTC
Hi Matijs,

This is not something we can address in the netatalk package itself, since you're using an Unstable netatalk package with a Stable Debian version. (Netatalk was dropped from Debian 12 Bookworm.)

See this upstream discussion for more details: https://github.com/Netatalk/netatalk/discussions/574


Best regards,
Daniel
--
pkg-netatalk-devel mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel
Matijs van Zuijlen
2023-12-01 09:20:01 UTC
Hi Daniel,

Indeed, I am running Debian stable on my server with just netatalk and
some of its dependencies from testing, so my setup is a bit unconventional.

This is in fact the case because Netatalk was dropped from Debian 12,
and I didn't want to keep running the old version which has a security
issue.

However, I think installing netatalk from any Debian version should
still pull in the correct version of libgcrypt. Isn't that something
that can be addressed in the netatalk package? I can imagine later
versions of netatalk would need still newer versions of libgcrypt. The
current dependency specification would fail to pull those in.

Kind regards,
Matijs van Zuijlen
Daniel Markstedt
2023-12-01 12:20:02 UTC
Hi Matijs,

I totally get your point and agree that this situation is not ideal.
Unfortunately, I don't think the exact dependent package version is something that we as package managers can or should hard code in this fashion.

Look at the "debian/control" file in the package repo:
https://salsa.debian.org/netatalk-team/netatalk/-/blob/debian/latest/debian/control#L20

See that "libgcrypt20-dev" is defined as a dependency without specifying a version.
It is actually debbuild (I think) that resolves the exact version dependency when it builds the package for a particular Debian version.

Hence, when debbuild builds a package for Bookworm Stable, the dependency resolves as libgcrypt20-dev==1.10.1 and when it's built for Unstable it gets resolved as libgcrypt20-dev==1.10.2.

So when you install the Unstable package on Bookworm you run into this dependency problem with libgcrypt20-dev.

Someone who knows Debian better could correct me if I'm wrong. :)

Does this make sense?

Daniel
Daniel Markstedt
2024-09-27 01:40:01 UTC
We are fixing the overzealous libgcrypt version check upstream. (Better late than never.)



https://github.com/Netatalk/netatalk/issues/1550

The problem was a misinterpretation of the gcrypt API. The version validation is not supposed to be done against the version that the package was linked with, but with a package specified minimum version.
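
The two version checks contrasted in this thread, as an added example (not Netatalk's code and not part of any post above). `model_check_version` is a stand-in written here for the contract of libgcrypt's `gcry_check_version()` so the block runs without the library; `dhx2_version_gate`, `DHX2_MIN_GCRYPT` and the "1.10.0" minimum (borrowed from the package dependency quoted in the 2023 report) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed package minimum; the thread only quotes the dependency ">= 1.10.0". */
#define DHX2_MIN_GCRYPT "1.10.0"

/* Parse "MAJOR.MINOR.MICRO"; returns 0 on success, -1 on malformed input. */
static int parse_version(const char *s, int v[3])
{
    if (s == NULL || sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) != 3)
        return -1;
    return (v[0] < 0 || v[1] < 0 || v[2] < 0) ? -1 : 0;
}

/* Stand-in for the gcry_check_version() contract: returns the runtime
 * version if it is at least `required`, otherwise NULL. */
const char *model_check_version(const char *runtime, const char *required)
{
    int r[3], q[3];
    if (parse_version(runtime, r) != 0 || parse_version(required, q) != 0)
        return NULL;
    for (int i = 0; i < 3; i++) {
        if (r[i] != q[i])
            return r[i] > q[i] ? runtime : NULL;
    }
    return runtime; /* equal versions satisfy the requirement */
}

/* Hypothetical start-up gate. On failure it formats the log line with %s.
 * Per the thread, the old format string had %u where %s was meant, which
 * is why syslog showed "Need: 3086019268" (0xB7F0EAC4 in hex) rather
 * than a version string. */
int dhx2_version_gate(const char *runtime, const char *required,
                      char *msg, size_t len)
{
    if (model_check_version(runtime, required) == NULL) {
        snprintf(msg, len,
                 "PAM DHX2: libgcrypt versions mismatch. Need: %s", required);
        return -1;
    }
    snprintf(msg, len, "libgcrypt %s accepted (required >= %s)",
             runtime, required);
    return 0;
}

int main(void)
{
    char msg[128];
    /* Constructed from the 2023 report: built against 1.10.2, 1.10.1 installed. */
    const char *built_with = "1.10.2", *installed = "1.10.1";

    /* Overzealous: require the version of the headers used at build time. */
    dhx2_version_gate(installed, built_with, msg, sizeof msg);
    puts(msg);
    /* Corrected: require only the package-specified minimum. */
    dhx2_version_gate(installed, DHX2_MIN_GCRYPT, msg, sizeof msg);
    puts(msg);
    return 0;
}
```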