[Touch-packages] [Bug 1553819] Re: Regression in trusty's gnutls26, can't connect to servers with RSA-MD5 certs (cacert)
Wouldn't that mean that gnutls28 and openssl are vulnerable, then?

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1553819

Title:
  Regression in trusty's gnutls26, can't connect to servers with RSA-MD5
  certs (cacert)

Status in gnutls26 package in Ubuntu:
  Won't Fix

Bug description:
  Ubuntu version: 14.04

  Affected package versions:
  - 2.12.23-12ubuntu2.4
  - 2.12.23-12ubuntu2.5

  Unaffected package versions:
  - 2.12.23-12ubuntu2.3 and older

  Description:
  When trying to connect to servers that have an RSA-MD5 signature in their
  certificate chain, gnutls26 fails to connect with "The signature algorithm
  is not supported." The root certificate of cacert uses RSA-MD5, so this
  can be reproduced by trying to connect to any server that uses their
  certs. Downgrading to 2.12.23-12ubuntu2.3 works around the issue.

  This error originally appeared when trying to connect to jabber.ccc.de
  from bitlbee 3.2.1+otr4-1ubuntu0.2. gnutls28 is unaffected - the user who
  reported the issue moved to the bitlbee nightly build apt repo, which
  compiles against gnutls28 instead of 26, and that "fixed" the issue.
  OpenSSL has no issues connecting either.

  Actual behavior (with 2.12.23-12ubuntu2.4):

    $ gnutls-cli cacert.org
    Resolving 'cacert.org'...
    Connecting to '213.154.225.245:443'...
    *** Non fatal error: A TLS warning alert has been received.
    *** Received alert [112]: The server name sent was not recognized
    *** Fatal error: The signature algorithm is not supported.
    *** Handshake has failed
    GnuTLS error: The signature algorithm is not supported.

  Expected behavior (with 2.12.23-12ubuntu2.3):

    $ gnutls-cli cacert.org
    Resolving 'cacert.org'...
    Connecting to '213.154.225.245:443'...
    *** Non fatal error: A TLS warning alert has been received.
    *** Received alert [112]: The server name sent was not recognized
    - Ephemeral Diffie-Hellman parameters
     - Using prime: 2048 bits
     - Secret key: 2047 bits
     - Peer's public key: 2046 bits
    - Certificate type: X.509
     - Got a certificate list of 2 certificates.
     - Certificate[0] info:
      - subject `C=AU,ST=NSW,L=Sydney,O=CAcert Inc.,CN=www.cacert.org', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 2048 bits, signed using RSA-SHA512, activated `2014-04-28 20:57:55 UTC', expires `2016-04-27 20:57:55 UTC', SHA-1 fingerprint `bea40d514ab303db57fa1598efdc02c9b519a910'
     - Certificate[1] info:
      - subject `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-MD5 (broken!), activated `2003-03-30 12:29:49 UTC', expires `2033-03-29 12:29:49 UTC', SHA-1 fingerprint `135cec36f49cb8e93b1ab270cd80884676ce8f33'
    - The hostname in the certificate matches 'cacert.org'.
    - Peer's certificate issuer is unknown
    - Peer's certificate is NOT trusted
    - Version: TLS1.2
    - Key Exchange: DHE-RSA
    - Cipher: AES-256-CBC
    - MAC: SHA256
    - Compression: NULL
    - Handshake was completed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1553819/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
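The question in the comment above turns on where in the chain the MD5 signature sits: a self-signed root's own signature does not establish trust (the anchor is trusted because it is in the trust store), whereas an MD5 signature on an intermediate or leaf is what a collision-based forgery would target. Below is an added example, not code from the bug report or from GnuTLS, that triages a leaf-first DER chain on exactly that distinction using only the Python standard library; the certificates it parses are constructed placeholders mirroring the gnutls-cli output above, with real PKCS #1 algorithm OIDs.

```python
# Added example (not from the bug report): triage each certificate's signature algorithm in a
# leaf-first DER chain; MD5 is tolerated only as the trust anchor's own self-signature.
RSA_PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"      # DER content of OID 1.2.840.113549.1.1 (PKCS #1)
SIG_NAMES = {RSA_PKCS1 + b"\x04": "RSA-MD5", RSA_PKCS1 + b"\x05": "RSA-SHA1",
             RSA_PKCS1 + b"\x0b": "RSA-SHA256", RSA_PKCS1 + b"\x0d": "RSA-SHA512"}

def tlv(buf, pos=0):                  # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                  # yield (tag, value) for each element of a SEQUENCE/SET
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def inspect_cert(der_cert):           # -> (signature algorithm name, is_self_signed)
    tbs, sig_alg, _ = [v for _, v in children(tlv(der_cert)[1])]
    oid = next(v for t, v in children(sig_alg) if t == 0x06)
    fields = list(children(tbs))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop optional [0] version
    # tbsCertificate order from here: serialNumber, signature, issuer, validity, subject, ...
    return SIG_NAMES.get(oid, oid.hex()), fields[2][1] == fields[4][1]

def triage_chain(chain):              # leaf-first DER certificates -> one verdict per certificate
    verdicts = []
    for i, cert in enumerate(chain):
        alg, self_signed = inspect_cert(cert)
        anchor = self_signed and i == len(chain) - 1   # last cert signing itself: the trust anchor
        verdicts.append("ok" if alg != "RSA-MD5" else
                        "weak-anchor-self-signature" if anchor else "reject-md5-in-path")
    return verdicts

# Constructed sample certificates (not real ones): only the fields the triage reads are filled in.
def der(tag, content):                # minimal DER length encoding for the sizes used here
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content
def fake_cert(subject, issuer, alg_last_byte):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, RSA_PKCS1 + bytes([alg_last_byte])) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer)
              + der(0x30, b"") + name(subject) + der(0x30, b""))      # placeholder validity/key
    return der(0x30, tbs + alg + der(0x03, bytes(9)))                 # placeholder signature
# Chain as gnutls-cli showed it above: RSA-SHA512 leaf under an RSA-MD5 self-signed root.
CACERT_LIKE_CHAIN = [fake_cert("www.cacert.org", "CA Cert Signing Authority", 0x0D),
                     fake_cert("CA Cert Signing Authority", "CA Cert Signing Authority", 0x04)]
```

On a real chain, feed triage_chain the DER certificates in the order the server presents them; the only verdict that should fail a connection is reject-md5-in-path.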
[Touch-packages] [Bug 1553819] [NEW] Regression in trusty's gnutls26, can't connect to servers with RSA-MD5 certs (cacert)
Public bug reported:

** Affects: gnutls26 (Ubuntu)
     Importance: Undecided
         Status: New
[Touch-packages] [Bug 1529445] Re: Several memory/file descriptor leaks in gstreamer 1.6.0
Sorry for the delay testing this, just got my dev pc back.

Both test cases from the description are passing with the wily-proposed
packages, version 1.6.3-1ubuntu1

Thanks!

** Tags removed: verification-needed
** Tags added: verification-done

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gst-plugins-base1.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1529445

Title:
  Several memory/file descriptor leaks in gstreamer 1.6.0

Status in gst-plugins-base1.0 package in Ubuntu:
  Fix Released
Status in gstreamer1.0 package in Ubuntu:
  Fix Released
Status in gst-plugins-base1.0 source package in Wily:
  Fix Committed
Status in gstreamer1.0 source package in Wily:
  Fix Committed

Bug description:
  Ubuntu 15.10 includes gstreamer 1.6.0. There were several important leak
  fixes in 1.6.1, some of which also meant holding references to file
  descriptors around, which can result in crashes once the fd limit is hit.

  Upstream bugs:
  https://bugzilla.gnome.org/show_bug.cgi?id=755867
  https://bugzilla.gnome.org/show_bug.cgi?id=756552
  https://bugzilla.gnome.org/show_bug.cgi?id=756611

  All of these were fixed in 1.6.1.

  What motivated me to investigate this bug is a 'random' crash in pidgin
  after several hours of leaking file descriptors, which looks exactly like
  bug #1479715 but happened even after applying that patch. Turns out that
  it wasn't pidgin holding the references that kept those file descriptors
  open, but it was gstreamer itself.

  I'd fill the whole SRU template here but I'm afraid there are too many
  patches that need to be applied to fix these bugs properly (some of them
  in gst-plugins-base, some of them in libgstreamer, and I don't know
  exactly which ones are needed) and anything less than updating to 1.6.1
  or 1.6.2 would be wrong, IMO. The whole 1.6.x branch is bugfixes only.

  [Test Case]
  * Download https://bugzilla.gnome.org/attachment.cgi?id=313241 to
    playbin-leak.c
  * Optionally change the "a.ogg" uri to a valid path to a sound in the
    local system (maybe "file:///usr/share/sounds/alsa/Noise.wav"). Some
    leaks and warnings appear anyway even without changing this.
  * Build with:
      gcc -Wall $(pkg-config --cflags gstreamer-1.0 gtk+-3.0 glib-2.0) playbin-leak.c $(pkg-config --libs gstreamer-1.0 gtk+-3.0 glib-2.0)
  * Run as:
      GOBJECT_DEBUG=instance-count GTK_DEBUG=interactive ./a.out
  * Let it run, see warnings after some iterations, watch it leak.

  Alternatively, how I've been testing this so far, which roughly imitates
  the pidgin crash (but probably only applies to a subset of the leaks):
  * Get an Ubuntu 15.10 VM without sound card (so that pulseaudio fails to
    play sounds)
  * Do this:
      cd /usr/share/sounds/alsa
      valgrind --track-fds=yes gst-play-1.0 --audiosink=pulsesink Noise.wav Noise.wav Noise.wav
  * File descriptors open at exit should be 4, not 10 (it leaks two for
    each time it plays)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gst-plugins-base1.0/+bug/1529445/+subscriptions
[Touch-packages] [Bug 1529445] [NEW] Several memory/file descriptor leaks in gstreamer 1.6.0
Public bug reported:

** Affects: gst-plugins-base1.0 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: gstreamer1.0 (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: gstreamer1.0 (Ubuntu)
   Importance: Undecided
       Status: New