View Issue Details

ID: 0000838
Project: bareos-core
Category: file daemon
View Status: public
Last Update: 2017-10-09 17:09
Reporter: debfx
Assigned To: joergs
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: Debian
OS Version: 9
Product Version: 16.2.6
Summary: 0000838: File corruption with SHA1 signature
Description: Bareos 16.2.6 corrupts files when Signature=SHA1 is set in the FileSet configuration.

Tested with 16.2.4 and 16.2.6 with the Debian package (that uses gnutls as crypto backend) and sqlite3.

Very short files don't seem to be corrupted. Attached is an example of a corrupted restored file.

Downstream bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869608
Steps To Reproduce: Copied from Debian bug:

1) install bareos 16.2.4 client and server packages - all with defaults.
2) run a SelfTest backup of the client/server.
3) Restore a file from this backup - everything should be fine.

4) now change
Signature = SHA1
in /etc/bareos/bareos-dir.d/fileset/SelfTest.conf

5) run another SelfTest Full backup
6) restore a file from this new backup

The restored file is corrupted.
Tags: No tags attached.

Relationships

child of 0000836 (closed, joergs): Release bareos-16.2.7

Activities

debfx

2017-07-25 22:43

reporter  

debfx

2017-07-25 22:44

reporter  

tigerfoot

2017-07-26 07:12

developer   ~0002689

This report started as a question on bareos-user ml
https://groups.google.com/forum/#!topic/bareos-users/ORFYCMF73tI

I hope you know the Debian limitation due to gnutls use?

http://doc.bareos.org/master/html/bareos-manual-main-reference.html#x1-481000B.1.3

And you don't have data encryption.

16.2.x is working on bareos.org / bareos.com builds with openSUSE dir,sd,fd and windows (2003-2016)

debfx

2017-07-26 08:14

reporter   ~0002690

Yes, I'm aware of the feature limitations. However the amount of testing (or lack thereof) the gnutls backend receives is much more concerning to me.

joergs

2017-07-26 18:36

developer   ~0002692

It seems to work fine with packages from bareos.org/bareos.com.

gnutls (instead of openssl) is something we don't use in bareos.org/bareos.com packages, therefore it is not tested through our automated package testing and also not by https://github.com/bareos/bareos-regress.

We already do automated testing of Bareos for all platforms we support. That is 37 Linux distributions (different releases + platforms), multiple Windows versions and Solaris. The Linux variants for all 3 different database backends.

We are not able to test it with all possible compile options.

joergs

2017-07-26 22:04

developer  

0001-bugfix-prevents-file-corruptions-by-SHA1.patch (867 bytes)   
From 49be4618319e681a4ad79fde63e984df1748938c Mon Sep 17 00:00:00 2001
From: Joerg Steffens <joerg.steffens@bareos.com>
Date: Wed, 26 Jul 2017 21:57:38 +0200
Subject: [PATCH] bugfix: prevents file corruptions by SHA1

Fixes a bug when using SHA1 file signatures in Bareos version compiled
without openssl.

Fixes #838: File corruption with SHA1 signature
---
 src/lib/sha1.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib/sha1.c b/src/lib/sha1.c
index 9972cb2..f67c466 100644
--- a/src/lib/sha1.c
+++ b/src/lib/sha1.c
@@ -20,7 +20,8 @@ A million repetitions of "a"
 #if __LITTLE_ENDIAN__
 #define LITTLE_ENDIAN
 #endif
-/* #define SHA1HANDSOFF * Copies data before messing with it. */
+/* #define SHA1HANDSOFF * Copies data before messing with it. Do not modify original data! */
+#define SHA1HANDSOFF
 
 #include "sha1.h"
 
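Review bot: the edited first line of this hunk leaves the old commented-out `#define SHA1HANDSOFF` in place (with its stray `*` inside the comment) and the live define is added below it, so the macro now appears twice and the reason it must stay enabled is only hinted at in a half-comment. I would drop the commented-out line and put one plain comment above the live `#define SHA1HANDSOFF` stating that the hash input is data the caller still needs unmodified, so the transform has to work on a copy. Because the commit message ties the bug to builds without openssl, a regression test that hashes a buffer with this implementation and then checks the buffer is byte-identical would stop the define from being switched off again unnoticed.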
-- 
2.7.4

joergs

2017-07-26 22:09

developer   ~0002693

The attached patch solves the issue. Please note that the file in question has not been modified since 2014, therefore this bug must have been there all the time.

Again, this bug has never affected bareos.org/bareos.com packages.

It might be a good idea to participate in https://github.com/bareos/bareos-regress.
I've added a sha1 test there, and will publish it soon.

joergs

2017-08-07 15:41

developer   ~0002698

Fix committed to bareos bareos-16.2 branch with changesetid 7069.
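
The mechanism named in the patch's `SHA1HANDSOFF` comment ("Copies data before messing with it"), shown as an added example that is not Bareos code: a SHA-1 block function that keeps its message schedule inside the 64-byte block, run once on the caller's buffer and once on a copy. The function names and the `handsoff` parameter are hypothetical, the input is a constructed padded "abc" block, and that the real sha1.c uses the block as scratch space in this way is an assumption drawn from that comment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ld(const unsigned char *p)            /* big-endian load */
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void st(unsigned char *p, uint32_t v)          /* big-endian store */
{ for (int i = 3; i >= 0; i--, v >>= 8) p[i] = (unsigned char)v; }
/* One SHA-1 compression step that keeps its 16-word message schedule in the
 * block itself. handsoff != 0 copies the block first; 0 scribbles on buf. */
static void sha1_block(uint32_t h[5], unsigned char *buf, int handsoff) {
    unsigned char copy[64], *blk = buf;
    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f, k, w, t;
    if (handsoff) { memcpy(copy, buf, 64); blk = copy; }
    for (int i = 0; i < 80; i++) {
        unsigned char *slot = blk + 4 * (i & 15);
        if (i >= 16)   /* schedule word W[i] overwrites W[i-16] in place */
            st(slot, rol(ld(blk + 4 * ((i + 13) & 15)) ^ ld(blk + 4 * ((i + 8) & 15)) ^
                         ld(blk + 4 * ((i + 2) & 15)) ^ ld(slot), 1));
        w = ld(slot);
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w;
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Hash the constructed one-block message "abc" (already padded) and return 1
 * if the caller's buffer is byte-identical afterwards, 0 if it was altered. */
static int hash_and_check(int handsoff, uint32_t *first_word) {
    unsigned char data[64] = { 'a', 'b', 'c', 0x80 }, orig[64];
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    data[63] = 24;                              /* message length in bits */
    memcpy(orig, data, 64);
    sha1_block(h, data, handsoff);
    *first_word = h[0];
    return memcmp(orig, data, 64) == 0;
}

int main(void) {
    uint32_t w;
    int raw = hash_and_check(0, &w), safe = hash_and_check(1, &w);
    printf("buffer intact: in place=%d, with copy=%d (h0=%08x)\n", raw, safe, (unsigned)w);
    return 0;
}
```

Both variants produce the same digest, which is why a checksum-only test would not notice the difference; only comparing the input buffer before and after hashing does.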

Related Changesets

bareos: bareos-16.2 38d0aec7

2017-07-26 23:57

joergs

Ported: N/A

bugfix: prevents file corruptions by SHA1

Fixes a bug when using SHA1 file signatures in Bareos version compiled
without openssl.

Fixes 0000838: File corruption with SHA1 signature
Affected Issues
0000838
mod - src/lib/sha1.c

Issue History

Date Modified Username Field Change
2017-07-25 22:43 debfx New Issue
2017-07-25 22:43 debfx File Added: upgrade-from-grub-legacy.corrupt
2017-07-25 22:44 debfx File Added: upgrade-from-grub-legacy.org
2017-07-26 07:12 tigerfoot Note Added: 0002689
2017-07-26 08:14 debfx Note Added: 0002690
2017-07-26 18:36 joergs Note Added: 0002692
2017-07-26 22:04 joergs File Added: 0001-bugfix-prevents-file-corruptions-by-SHA1.patch
2017-07-26 22:09 joergs Note Added: 0002693
2017-07-26 22:09 joergs Status new => resolved
2017-07-26 22:09 joergs Resolution open => fixed
2017-07-26 22:09 joergs Assigned To => joergs
2017-08-07 15:41 joergs Changeset attached => bareos bareos-16.2 38d0aec7
2017-08-07 15:41 joergs Note Added: 0002698
2017-10-09 15:29 joergs Relationship added child of 0000836
2017-10-09 17:09 joergs Status resolved => closed