Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-05-02 Thread Kurt Roeckx
On Wed, May 02, 2018 at 07:26:02PM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-05-02 18:34:35 [+0200], Kurt Roeckx wrote:
> > On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> > > * https://github.com/openssl/openssl/pull/5967
> > > 
> > >   """
> > >   Commit d316cdc introduced some extra
> > >   checks into the session-cache update procedure, intended to prevent
> > >   the caching of sessions whose resumption would lead to a handshake
> > >   failure, since if the server is authenticating the client, there needs to
> > >   be an application-set "session id context" to match up to the authentication
> > >   context. While that change is effective for its stated purpose, there
> > >   was also some collateral damage introduced along with the fix -- clients
> > >   that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
> > >   their usage of session caching was erroneously denied.
> > > 
> > >   Fix the scope of the original commit by limiting it to only acting
> > >   when the SSL is a server SSL.
> > >   """
> > 
> > Is it urgent to fix this in testing/unstable?
> 
> If he is sure that this fixes his issue then I don't mind doing an
> upload. I can even prepare a 1.1.0h-2 with this patch included.
> [unless upstream plans a release soon]

There are no plans; currently I think 1.1.1 will be the next release.


Kurt



Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-05-02 Thread Sebastian Andrzej Siewior
On 2018-05-02 18:34:35 [+0200], Kurt Roeckx wrote:
> On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> > * https://github.com/openssl/openssl/pull/5967
> > 
> >   """
> >   Commit d316cdc introduced some extra
> >   checks into the session-cache update procedure, intended to prevent
> >   the caching of sessions whose resumption would lead to a handshake
> >   failure, since if the server is authenticating the client, there needs to
> >   be an application-set "session id context" to match up to the authentication
> >   context. While that change is effective for its stated purpose, there
> >   was also some collateral damage introduced along with the fix -- clients
> >   that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
> >   their usage of session caching was erroneously denied.
> > 
> >   Fix the scope of the original commit by limiting it to only acting
> >   when the SSL is a server SSL.
> >   """
> 
> Is it urgent to fix this in testing/unstable?

If he is sure that this fixes his issue then I don't mind doing an
upload. I can even prepare a 1.1.0h-2 with this patch included.
[unless upstream plans a release soon]

> Kurt

Sebastian



Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-05-02 Thread Kurt Roeckx
On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> * https://github.com/openssl/openssl/pull/5967
> 
>   """
>   Commit d316cdc introduced some extra
>   checks into the session-cache update procedure, intended to prevent
>   the caching of sessions whose resumption would lead to a handshake
>   failure, since if the server is authenticating the client, there needs to
>   be an application-set "session id context" to match up to the authentication
>   context. While that change is effective for its stated purpose, there
>   was also some collateral damage introduced along with the fix -- clients
>   that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
>   their usage of session caching was erroneously denied.
> 
>   Fix the scope of the original commit by limiting it to only acting
>   when the SSL is a server SSL.
>   """

Is it urgent to fix this in testing/unstable?


Kurt



Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-04-06 Thread Kurt Roeckx
On Fri, Apr 06, 2018 at 01:58:03PM +0100, Simon McVittie wrote:
> Package: osc
> Version: 0.162.1-1
> Severity: grave
> Justification: osc tool becomes mostly unusable
> 
> This is probably a bug in libssl1.1 or in python-m2crypto, but I'm
> reporting it against osc for now, because that's the only place I know
> how to reproduce it at the moment. X-Debbugs-Cc'd to the lower-level
> packages' maintainers.
> 
> Steps to reproduce:
> 
> * have an account on any OBS instance (I used :
>   anyone can register there, but an account is required to use the API)
> * be in a temporary directory
> * rm -fr binaries
> * osc -A https://api.opensuse.org getbinaries openSUSE:Leap:15.0 \
>   hello standard x86_64
>   (or some project/package combination that exists on your OBS)
> 
> Expected result: osc downloads hello into ./binaries
> 
> Actual result: osc usually segfaults in glibc malloc-related functions,
> probably due to memory corruption; sometimes glibc detects the memory
> corruption itself and aborts instead.
> 
> Workaround: Downgrading libssl1.1 to 1.1.0f-3+deb9u2 from stable-security
> makes osc work correctly, so presumably this is a behaviour change
> between 1.1.0f and 1.1.0h, either a regression or something that triggers
> a pre-existing bug in python-m2crypto (or possibly osc).

Can you run it under valgrind?


Kurt