OpenSSL problem again


#1

Hi,

Today I got a message from Google because of an OpenSSL vulnerability.
With a quick search I found it in libcocos2dcpp.so: OpenSSL 1.0.1l 15 Jan 2015
I use Cocos Studio, precompiled cocos2d-x.
Are the devs doing something about this with an update?
Or how can I solve it myself?

Thank you


#2

I’m sorry? I don’t follow. We did have an OpenSSL issue in v2.2.6 at one point. But nothing I know about at this time.


#3

I just created an application, compiled it, then "grep"ped and the 1.0.1 version came out. :confused:
cocos version is 3.6
I don’t understand either.


#4

I’d consider upgrading and trying this again with v3.10 or the latest from GitHub.

So you did this?

cocos new .....
cocos compile -p .....
grep openssl

What was the exact grep command you used? I’ll test this with the latest from GitHub.

I thought that 1.0.1l was ok. I believe it was 1.0.1 (a-f) that has the issue and g+ is fine.


#5

Got the same email:

Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions of OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").


#6

I got the same warning from Google today…

We’re using cocos2djs 3.6.1. We need a hotfix, please.

Can we update OpenSSL and keep the version of engine, @slackmoehrle?


#7

I received the same warning from Google for games that are running Cocos2d-x 2.2.6.
Cocos2d-x 2.2.6 uses a vulnerable version of OpenSSL 1.0.1h inside of curl LIBCURL_VERSION "7.26.0" (maybe elsewhere in Cocos2d-x, but not certain).

EDIT: I might have responded too quickly… currently looking into what exactly I have in my game that uses openSSL. Will update later after some testing.


#8

I got the same warning email from Google Play, for a game built with Cocos2d-x v3.9.

It looks like the dependency chain is libcurl -> libssl, and libcurl is being included in the Android build:

Correct me if I’m wrong please someone, but I thought curl had been replaced with native http stack on Android, so should this still be required?

(In my case though the OpenSSL dependency is also for libwebsocket compiled with ssl support)

If you’re compiling external dependencies from source it should be fairly straightforward to upgrade. There is actually an existing PR for it here - https://github.com/cocos2d/cocos2d-x-3rd-party-libs-src/pull/80

Hopefully the ultimatum from Google will raise the priority of having this upgraded or removed from binary dependencies…


#9

Thanks everyone. I will have someone read this thread!


#10

Yep, probably we have to release a v2.2.7 with this fix and a new v3.11 with this fix already applied.


#11

@ricardo does v3.11 already fix it?

I have created an issue: https://github.com/cocos2d/cocos2d-x/issues/15359.


#12

If you want to check it:
$ unzip -p YourApp.apk | strings | grep "OpenSSL"

Or like this, it’s nice:

#!/bin/bash

# USAGE: testopenssl.sh APK_File

if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "Usage: $0 APK_File" >&2
    exit 1
fi

sslworkdir="ssl_work_dir"
if [ ! -d "$sslworkdir" ]; then
    mkdir "$sslworkdir"
fi
unzip -q "$1" -d "$sslworkdir"
# Set the delimiter to newline so paths containing spaces are not split
IFS=$'\r\n'
# Create an array of OpenSSL version strings (e.g. "OpenSSL 1.0.1l 15 Jan 2015").
# POSIX grep has no \d or \s, so bracket expressions are used; -a searches the binaries as text.
opensslarr=($(grep -a -o -R -E "OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]* +[0-9]+ [A-Za-z]+ [0-9]+" "$sslworkdir"/*))
if [ ${#opensslarr[@]} -gt 0 ]; then
    echo "Found OpenSSL versions"
    printf "%s\n" "${opensslarr[@]}"
    # List the files that still carry the TLS heartbeat routines
    heartbeatarr=($(grep -a -l -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_heartbeat)" "$sslworkdir"/*))
    if [ ${#heartbeatarr[@]} -gt 0 ]; then
        echo "Files that contain heartbeat methods:"
        printf "%s\n" "${heartbeatarr[@]}"
    else
        echo "No libraries contain heartbeat methods"
    fi
else
    echo "Did not find OpenSSL"
fi
rm -rf "$sslworkdir"

Thanks devs!


#13

@zhangxm I think we are using "1.0.1l" for v3.11, and we should use 1.0.1r or higher.
So, it is not fixed in v3.11.


#14

@ricardo Got it. I think we can upgrade to latest version if possible.


#15

+1 Yes please release v2.2.7 to fix this issue.


#16

Hi @ricardo and @zhangxm:

Do you still support Cocos Studio 1.x on 3.11?

I’m waiting for a response in this post:

Our game was created using Cocos Studio 1.6 and we need a confirmation to upgrade the engine.


#17

browse to "arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/"
The above link was included in the Google email; from its last paragraph:

People using OpenSSL version 1.0.2 should upgrade to 1.0.2f, while those still using version 1.0.1 should install 1.0.1r. Thursday’s OpenSSL advisory also reminded users that support for version 1.0.1 will end at the end of this year, after which no security fixes will be available. Support for versions 0.9.8 and 1.0.0 ended in December.

Should the cocos2d-x libcurl be upgraded to 1.0.2?


#18

@patriciog I think you just need to replace libcurl or OpenSSL.

@leledumbo549 I think we should update to v1.0.2f.


#19

I can’t find the warning in my Google Play Developer console. Sure, I got that email too, but I can’t see the warning anywhere in the console.


#20

Then…

  • What should be replaced, libcurl or OpenSSL?
  • Both of them?
  • Are they compatible with Cocos2d-js 3.6.1?
  • We are using AssetManager. Will it be affected?

Let me know if you need more info about what we are using.

Best and Thanks!