Bug#838652: marked as done (Segmentation fault in openssl)

[Debian Bug Tracking System]

Your message dated Sat, 24 Sep 2016 20:51:43 +0000
with message-id <e1bntvd-00028v...@franck.debian.org>
and subject line Bug#838652: fixed in openssl 1.0.1t-1+deb8u5
has caused the Debian Bug report #838652,
regarding Segmentation fault in openssl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
838652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: openssl
Version: 1.0.1t-1+deb8u4
Severity: important

Dear OpenSSL maintainers,

the most recent Debian security update for openssl introduces a segmentation fault while running openssl:

# openssl x509 -noout -dates -subject -issuer -text -in /etc/ssl/certs/iserv.crt

notBefore=Oct  9 02:17:03 2015 GMT
notAfter=Oct  9 02:17:10 2017 GMT

subject= /C=DE/ST=Niedersachsen/L=Braunschweig/O=IServ GmbH/CN=dev2.iserv.eu/emailAddress=hostmas...@iserv.eu issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:28:21:16:be:a3:fe
    Signature Algorithm: sha256WithRSAEncryption

Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA

        Validity
            Not Before: Oct  9 02:17:03 2015 GMT
            Not After : Oct  9 02:17:10 2017 GMT

Subject: C=DE, ST=Niedersachsen, L=Braunschweig, O=IServ GmbH, CN=dev2.iserv.eu/emailAddress=hostmas...@iserv.eu

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:af:0c:91:61:91:4d:96:c4:30:87:e7:cc:e6:b4:
                    dc:5a:b4:73:6f:ef:ec:65:50:54:6c:2f:1c:84:df:
                    1d:38:b5:d2:f0:ac:83:e4:09:46:23:d5:02:23:ae:
                    2e:fa:48:3f:f2:82:c7:d6:4b:63:7d:65:98:9b:b0:
                    4c:ba:0d:96:12:7e:30:55:53:32:b9:99:0b:b9:9c:
                    8a:b2:79:60:30:4c:50:71:61:da:8c:6b:00:ee:39:
                    95:36:a1:b2:e3:38:fb:44:9e:ac:6f:ca:3c:d3:87:
                    ce:f8:20:fd:e4:bb:1a:70:57:4a:6e:05:64:3a:66:
                    aa:c8:b8:cb:91:49:ae:74:b0:38:3d:5d:15:45:0a:
                    77:31:f1:d3:bc:dd:f7:bd:8d:84:fc:7f:49:4e:f5:
                    b3:8f:87:ee:e0:12:18:6d:9f:f6:f1:56:26:23:ab:
                    78:cf:c9:00:7d:0b:ce:0c:eb:45:d1:e7:95:09:40:
                    d6:30:34:2b:ad:12:91:88:2b:d3:96:db:e2:ee:be:
                    72:eb:98:64:d0:17:de:56:21:a0:08:d4:58:7d:f1:
                    04:aa:06:ae:b0:83:12:0a:60:e1:59:cf:6e:41:66:
                    67:90:cf:b8:40:de:ef:fd:d3:e2:98:b8:a7:2b:98:
                    bd:9b:c3:9a:ec:fe:e9:06:82:22:b5:f7:e4:89:4d:
                    0b:bc:60:15:64:e3:0d:c6:fe:75:d8:ff:26:a5:d9:
                    d6:73:68:9a:61:4e:18:1c:d4:15:e6:b8:17:f0:18:
                    97:81:a9:a6:b4:41:17:1e:48:73:74:7b:42:61:f0:
                    30:56:ea:e2:36:31:55:0f:f3:86:5f:02:60:63:91:
                    6f:8a:80:91:e6:ce:d6:37:bb:2b:a3:a6:1c:be:4e:
                    f5:4f:d5:48:e5:b2:c8:76:1a:3e:1f:76:74:0d:80:
                    20:a4:31:f4:25:87:61:76:97:95:34:3b:70:cb:64:
                    4c:83:f0:a5:c3:d4:8a:64:08:ce:1b:13:b3:e8:52:
                    fe:18:2c:e3:dd:7e:7a:7f:e1:e3:d3:2a:59:af:bc:
                    c1:55:ce:bd:c3:b4:fe:b5:c5:ba:e8:12:7d:02:a7:
                    6f:4a:10:ba:8e:05:2b:c5:4e:cd:cc:22:0e:2b:ad:
                    6d:a1:6f:b3:60:75:93:75:56:7f:e6:a5:e4:e9:7b:
                    c2:c8:c3:95:ad:60:c6:4f:74:58:64:0e:76:7a:3f:
                    d0:66:16:0d:5b:ec:47:0d:16:27:f2:b9:d7:80:1b:
                    e0:5e:67:3c:75:5f:8b:4c:85:38:65:70:04:b6:02:
                    b6:5a:79:cc:bb:99:40:b3:e7:93:7c:15:a0:fd:61:
                    a4:56:62:ea:c4:01:4f:bb:07:ee:77:fa:ba:eb:88:
                    f7:20:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:

TLS Web Client Authentication, TLS Web Server Authentication

            X509v3 Subject Key Identifier:
                35:BD:44:3E:E6:27:C5:8D:EE:A5:7C:61:80:FF:8B:4A:87:2D:99:4E
            X509v3 Authority Key Identifier:

keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86

            X509v3 Subject Alternative Name:
                DNS:dev2.iserv.eu, DNS:iserv.eu, DNS:iserv.dev2.iserv.eu
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
Speicherzugriffsfehler (Speicherabzug geschrieben)

For us, this affects certificates issued after around beginning of October with StartSSL.

I can reproduce this issue on other machines running a different architecture.

Let me know if you need any more information to reproduce the problem.

One affected certificate is

-----BEGIN CERTIFICATE-----
MIIHmTCCBoGgAwIBAgIHCCghFr6j/jANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE
BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE
aWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENs
YXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMB4XDTE1MTAwOTAy
MTcwM1oXDTE3MTAwOTAyMTcxMFowgY0xCzAJBgNVBAYTAkRFMRYwFAYDVQQIEw1O
aWVkZXJzYWNoc2VuMRUwEwYDVQQHEwxCcmF1bnNjaHdlaWcxEzARBgNVBAoTCklT
ZXJ2IEdtYkgxFjAUBgNVBAMTDWRldjIuaXNlcnYuZXUxIjAgBgkqhkiG9w0BCQEW
E2hvc3RtYXN0ZXJAaXNlcnYuZXUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCvDJFhkU2WxDCH58zmtNxatHNv7+xlUFRsLxyE3x04tdLwrIPkCUYj1QIj
ri76SD/ygsfWS2N9ZZibsEy6DZYSfjBVUzK5mQu5nIqyeWAwTFBxYdqMawDuOZU2
obLjOPtEnqxvyjzTh874IP3kuxpwV0puBWQ6ZqrIuMuRSa50sDg9XRVFCncx8dO8
3fe9jYT8f0lO9bOPh+7gEhhtn/bxViYjq3jPyQB9C84M60XR55UJQNYwNCutEpGI
K9OW2+LuvnLrmGTQF95WIaAI1Fh98QSqBq6wgxIKYOFZz25BZmeQz7hA3u/90+KY
uKcrmL2bw5rs/ukGgiK19+SJTQu8YBVk4w3G/nXY/yal2dZzaJphThgc1BXmuBfw
GJeBqaa0QRceSHN0e0Jh8DBW6uI2MVUP84ZfAmBjkW+KgJHmztY3uyujphy+TvVP
1Ujlssh2Gj4fdnQNgCCkMfQlh2F2l5U0O3DLZEyD8KXD1IpkCM4bE7PoUv4YLOPd
fnp/4ePTKlmvvMFVzr3DtP61xbroEn0Cp29KELqOBSvFTs3MIg4rrW2hb7NgdZN1
Vn/mpeTpe8LIw5WtYMZPdFhkDnZ6P9BmFg1b7EcNFifyudeAG+BeZzx1X4tMhThl
cAS2ArZaecy7mUCz55N8FaD9YaRWYurEAU+7B+53+rrriPcgEwIDAQABo4IC+zCC
AvcwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUHAwIG
CCsGAQUFBwMBMB0GA1UdDgQWBBQ1vUQ+5ifFje6lfGGA/4tKhy2ZTjAfBgNVHSME
GDAWgBQR2yNF/VTManFvhIoD1773AS8mhjA3BgNVHREEMDAugg1kZXYyLmlzZXJ2
LmV1gghpc2Vydi5ldYITaXNlcnYuZGV2Mi5pc2Vydi5ldTCCAVYGA1UdIASCAU0w
ggFJMAgGBmeBDAECAjCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcCARYi
aHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUHAgIw
geowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqBvlRo
aXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENsYXNz
IDIgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENBIHBv
bGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2UgaW4g
Y29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4wNQYD
VR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0Mi1jcmwu
Y3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5z
dGFydHNzbC5jb20vc3ViL2NsYXNzMi9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKGNmh0
dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuc2VydmVyLmNh
LmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZI
hvcNAQELBQADggEBAAgtWiVpspne4FF4PYUrt0ecVOJA2sC5p5QCNwd52DT4YAWo
AjooYqZCACxSZ/Quxjo6AWHmEGLy2alZlvswgG28VVAusQyzDKMkwSLFWqTTKSZ6
EAvP0ShcatTtPSvEbaK5AvxYt7AHjRwOp1p0tpKQN3Opx6W+5kvr34wX7RVEUB1O
sSq1y2YAFyhnV4Ev/+3pxG/u5/R9a2P+DqTYcb0pvgrb6Mm/shIRPbAk4uPF7sKc
EV+/Q4Lg6QyTzDar4ixoZ11a2TZa8ZRwTjS9Ewr+vkch/j+ZTpuWcFv8VxAJg/si
mGNGSwKg1VnDz+EiH7hU4Sv44Gp3N0ksBxVMDRQ=
-----END CERTIFICATE-----

--
Mit freundlichen Grüßen,
Mario Lipinski

IServ GmbH
Bültenweg 73
38106 Braunschweig

Telefon:   0531-2243666-0
Fax:       0531-2243666-9
E-Mail:    i...@iserv.eu
Internet:  iserv.eu

USt-IdNr. DE265149425 | Amtsgericht Braunschweig | HRB 201822
Geschäftsführer: Benjamin Heindl, Jörg Ludwig

--- End Message ---

--- Begin Message ---

Source: openssl
Source-Version: 1.0.1t-1+deb8u5

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Sep 2016 19:48:42 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc 
libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u5
Distribution: jessie-security
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 838652 838659
Changes:
 openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium
 .
   * The patch for CVE-2016-2182 was missing a fix.  (Closes: #838652, #838659)
Checksums-Sha1:
 629ecf09872d0aac910024b3bdc10b004b78b83f 2258 openssl_1.0.1t-1+deb8u5.dsc
 b94e374c2d72d0f66ecd5cc650a180b003c16a26 106720 
openssl_1.0.1t-1+deb8u5.debian.tar.xz
 5167fbfeba6b7309a4b5293759ce9db199bc60af 1167176 
libssl-doc_1.0.1t-1+deb8u5_all.deb
 8493eb197d20ec1aceeb2a44139b6efbc2b4323b 664872 
openssl_1.0.1t-1+deb8u5_amd64.deb
 31a63b18d48965b551b27ba5f108905f3d83bee8 1047816 
libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
 4bf7a0a2ddb318e4e3d34219704f6987c905292d 644234 
libcrypto1.0.0-udeb_1.0.1t-1+deb8u5_amd64.udeb
 739520dc196c0971c42d0c67514bdb2c3debbfb0 1282702 
libssl-dev_1.0.1t-1+deb8u5_amd64.deb
 6df4b9975998b34a05e60737bcde3fd9d7f49d66 2817040 
libssl1.0.0-dbg_1.0.1t-1+deb8u5_amd64.deb
Checksums-Sha256:
 165eb617542ab1e9bf810c215b586a57b926f3f6977c1a72af752754c7c90bea 2258 
openssl_1.0.1t-1+deb8u5.dsc
 c6723fbf370ec5544c9b1753d5ad06d4b343a341560fb8650dda135506312cd9 106720 
openssl_1.0.1t-1+deb8u5.debian.tar.xz
 484f318ebf58a4b68ad6226dc9ac6095bbf04643bcf04159e5fc0385e3ffff7a 1167176 
libssl-doc_1.0.1t-1+deb8u5_all.deb
 a70d960a12802daf27e86655d936aedeef52dd030809d6ba4cb0a1ee7f7097e5 664872 
openssl_1.0.1t-1+deb8u5_amd64.deb
 e38239b8ab5e2b944aafe1f7484f3cab1100f8807a2e104b026adebda71afba6 1047816 
libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
 cbf364462f29ed37dedf1d93be003023b70532ca25525121383615217a5bc56b 644234 
libcrypto1.0.0-udeb_1.0.1t-1+deb8u5_amd64.udeb
 34f0dedc8b3520f96b440cf154e4f361ecfc565defa6182e307833f005d6b3d6 1282702 
libssl-dev_1.0.1t-1+deb8u5_amd64.deb
 0207369285dc8702034c648cd8b34dcf2dc32516da6623066cd0602dd9209070 2817040 
libssl1.0.0-dbg_1.0.1t-1+deb8u5_amd64.deb
Files:
 3945d3e76926e6850fdcbe9d0591eab9 2258 utils optional 
openssl_1.0.1t-1+deb8u5.dsc
 589ab2961b7ee3d5f5b20710ec2dd2f4 106720 utils optional 
openssl_1.0.1t-1+deb8u5.debian.tar.xz
 f9cde98571d22647e1276bdc96cdb371 1167176 doc optional 
libssl-doc_1.0.1t-1+deb8u5_all.deb
 3796988cdc8c65ac9516012274d04ec0 664872 utils optional 
openssl_1.0.1t-1+deb8u5_amd64.deb
 4eec8f37f881d69865fffe1243625c93 1047816 libs important 
libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
 2b3eb30c955e22399aed2cfc7e5fb5ff 644234 debian-installer optional 
libcrypto1.0.0-udeb_1.0.1t-1+deb8u5_amd64.udeb
 8fd20c07bc1696bfc40fe5c062c869a5 1282702 libdevel optional 
libssl-dev_1.0.1t-1+deb8u5_amd64.deb
 5b480bf76683d1bf2e6b06b0a456d5ab 2817040 debug extra 
libssl1.0.0-dbg_1.0.1t-1+deb8u5_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJX5W6oAAoJEOPE3c0eTBJEO9wP/RhPTAtj6QCSqu3EDVWvNywF
wDL0TIZIpy9o4FO7WkpvIb544u2VZhxs7ydlwmMKLzAqFBaDF8Hm7km3WgVNBX8/
JdO1C9ovVwOZATVBCoA6SQ5UE4im1r1+tXaASyTOi18MAW7tWhO8JtlET6L0kSgM
sJPiWArt/B3JnTiBwcz3ubTX784F94x/7epRQ33FkEWHgIbVEb5V7GrXBi3NE5km
Lz98kDJ/fT0mbzEaA3dOIS0j1DzTzsuNU8DEKaUYdrPHIt51Ww8b2Sq567IokeCY
sTuYD4j0CblF61rC2fEEDJpPciPJSfJub5KTupu//eilmYfdpD/qlLJh5u/eDKRE
NxGVc7FmuYrb+nDVsxXueg0tDyFSHZk7ULwgLOSU+WRCgmeD2QnwwYX9EHtabZAI
tnZQaY7OXPgyFWwPxojY7c0luqu07ScnwMzn+bQUWfcjL3vJ6Nkfbtjgbz/DkUHz
dDfnWq0JIwB//vElRbRA9si5wwVIURxZB7iL2/v0FTBrtFM0P0ktN+z1NYEdBZxe
TAe3xGzlhijlRBF+/qY1bp5FsiDrfsKLMBlb6imBg9aDhHWIxdSJccEDKX4ro8ZZ
/rsZFLMzqIXe5mvoBuQHdRohC7avGc4Qij1tLTKAXU/WUQi3NqAduNpTkE5y8Hwz
HoJL647S2rMpkCE5LRTZ
=ZkY8
-----END PGP SIGNATURE-----

--- End Message ---