[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2022-04-28 Thread Launchpad Bug Tracker
This bug was fixed in the package curl - 7.68.0-1ubuntu2.10

---
curl (7.68.0-1ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn reuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fixes in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

 -- Leonidas Da Silva Barbosa   Mon, 25 Apr 2022 10:02:10 -0300

** Changed in: curl (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22576

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-27774

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-27775

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-27776

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1940528

Title:
  curl 7.68 does not init OpenSSL correctly

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Fix Released

Bug description:
  [Impact]

   * curl 7.68 does not correctly use OpenSSL 1.1.0+ api to init OpenSSL
  global state prior to executing any OpenSSL APIs. This may lead to
  duplicate engine initiation, which upon engine unload may cause
  use-after-free or double-free of any methods that engine installs.
  This has been fixed in curl 7.74 by correctly calling OpenSSL init api
  prior to any other calls to OpenSSL apis.

  [Test Plan]

   * This should be reproducible with any engines that allocate &
  register methods, and free them upon engine unload. Then use curl with
  openssl backend to test for corrupted stack.

   * I.e. on arm64, compile and configure pka engine from
  https://github.com/Mellanox/pka/commit/b0f32fa05298bf9e3997ea43fc1c11b90e0d662f
  (i.e. without the double-free protections proposed in
  https://github.com/Mellanox/pka/pull/37 ) on any arm64 hardware, there
  is no need for the engine to actually work or have access to anything,
  as the issue is reproducible when engine is enabled but cannot be
  effectively used.

   * curl any https website

  ...
  PKA_DEV: pka_dev_open_ring_vfio: error: failed to get ring 50 device name
  PKA_ENGINE: PKA instance is invalid
  PKA_ENGINE: failed to retrieve valid instance
  100   338  100   338    0     0   3520      0 --:--:-- --:--:-- --:--:--  3520
  (exit status 0)

  is good output from fixed curl.

  Whereas:

  PKA_ENGINE: PKA instance is invalid
  PKA_ENGINE: failed to retrieve valid instance
  100   338  100   338    0     0   1169      0 --:--:-- --:--:-- --:--:--  1169
  Segmentation fault (core dumped)
  (exit status non-zero)

  is bad output from currently broken curl.

  [Where problems could occur]

   * Correctly calling OpenSSL init function prior to any other OpenSSL
  apis changes the behaviour of the library slightly - specifically
  openssl configuration file and engines are initialised and loaded
  earlier, meaning that site-local customizations are applied correctly
  whenever using curl cli utility or libcurl4 (the openssl version of
  curl). This will make engine support work correctly across the
  board. However, if one has misconfigured openssl conf and
  misconfigured engines which are now actually attempted to be used one
  may experience unexpected behaviour changes (since potentially
  existing configuration was not actually taking effect).

  [Other Info]
   
   * References:
  https://github.com/curl/curl/commit/1835cb916e0d40eb8bc1165d5627a0b64f911bac
  https://github.com/openssl/openssl/issues/13548
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe 
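
Added example, not part of the original thread or of the curl or Ubuntu tooling: a shell check that reads `dpkg-query -W` output, as quoted in the verification comments in this thread, and flags curl packages below a fixed version or at mixed versions. The function names, the constructed sample listings and the use of `sort -V` in place of `dpkg --compare-versions` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit curl binary packages on a host.

# version_lt A B: succeeds when version A sorts strictly before version B.
# Assumption: GNU `sort -V` ordering stands in for `dpkg --compare-versions`,
# which remains authoritative (epochs, '~') on a real Ubuntu host.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# curl_audit [FIXED_VERSION]: reads `dpkg-query -W` lines (package<TAB>version)
# on stdin and prints findings for packages built from the curl source:
#   OUTDATED <pkg> <ver>   installed version is below FIXED_VERSION
#   MIXED <ver> <ver> ...  curl packages are not all at one version
#                          (partial upgrade or held package)
# FIXED_VERSION defaults to the focal version the tracker reports the fix in.
curl_audit() (
    fixed=${1:-7.68.0-1ubuntu2.10}
    # Strip the ":arch" qualifier for matching; skip rows with no version.
    pkgs=$(awk '{ n = $1; sub(/:.*/, "", n) }
                (n == "curl" || n ~ /^libcurl/) && NF >= 2 { print $1, $2 }')
    printf '%s\n' "$pkgs" | while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if version_lt "$ver" "$fixed"; then
            printf 'OUTDATED %s %s\n' "$pkg" "$ver"
        fi
    done
    # Distinct versions across all curl packages, oldest first.
    versions=$(printf '%s\n' "$pkgs" | awk 'NF { print $2 }' | sort -uV)
    count=$(printf '%s\n' "$versions" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -gt 1 ]; then
        printf 'MIXED %s\n' "$(printf '%s\n' "$versions" | paste -sd ' ' -)"
    fi
)

# Constructed samples in `dpkg-query -W` format, modelled on the listings
# quoted in this thread.
sample_old() {
    printf 'curl\t7.68.0-1ubuntu2.7\n'
    printf 'libcurl3-gnutls:arm64\t7.68.0-1ubuntu2.7\n'
    printf 'libcurl4:arm64\t7.68.0-1ubuntu2.7\n'
    printf 'libpka1:arm64\t1.3-1\n'
    printf 'openssl\t1.1.1f-1ubuntu2.9\n'
}

# Constructed: libcurl4 stayed at 2.7 while another curl package is at 2.8.
sample_held() {
    printf 'libcurl4:arm64\t7.68.0-1ubuntu2.7\n'
    printf 'libcurl4-openssl-dev:arm64\t7.68.0-1ubuntu2.8\n'
}

# On a real host: dpkg-query -W | curl_audit
sample_held | curl_audit 7.68.0-1ubuntu2.8
```

An empty result means every curl package is at or above the fixed version and all are at the same version.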

[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2022-04-27 Thread Dimitri John Ledkov
1) downgraded openssl to 1.1.1f-1ubuntu2.9 such that it doesn't have
double free fix that was released in
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.10

2) installed old pka module from commit
b0f32fa05298bf9e3997ea43fc1c11b90e0d662f

3) installed focal-updates version of curl

Observed double free core dump:

# dpkg-query -W | grep -e 1.1.1f -e curl -e pka
curl                    7.68.0-1ubuntu2.7
libcurl3-gnutls:arm64   7.68.0-1ubuntu2.7
libcurl4:arm64          7.68.0-1ubuntu2.7
libpka1:arm64           1.3-1
libssl-dev:arm64        1.1.1f-1ubuntu2.9
libssl1.1:arm64         1.1.1f-1ubuntu2.9
openssl                 1.1.1f-1ubuntu2.9

# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100   576  100   576    0     0   2117      0 --:--:-- --:--:-- --:--:--  2117
double free or corruption (out)
Aborted (core dumped)

Upgraded to new curl:

# dpkg-query -W | grep -e 1.1.1f -e curl -e pka
curl                    7.68.0-1ubuntu2.8
libcurl3-gnutls:arm64   7.68.0-1ubuntu2.8
libcurl4:arm64          7.68.0-1ubuntu2.8
libpka1:arm64           1.3-1
libssl-dev:arm64        1.1.1f-1ubuntu2.9
libssl1.1:arm64         1.1.1f-1ubuntu2.9
openssl                 1.1.1f-1ubuntu2.9

# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100   576  100   576    0     0   1894      0 --:--:-- --:--:-- --:--:--  1888

Observed success without any double-free or segfault in openssl.

Although this particular issue has already been fixed in openssl, it
still makes sense to release this update of curl which includes correct
openssl engine API usage.


** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Fix Committed


[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2022-01-21 Thread James Bong
Hi, I can't update curl, what should I do?

This is the error code:
The following packages have unmet dependencies:
 libcurl4-openssl-dev : Depends: libcurl4 (= 7.68.0-1ubuntu2.8) but 7.68.0-1ubuntu2.7 is to be installed
E: Unable to correct problems, you have held broken packages.

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Fix Committed



[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-11-18 Thread Dimitri John Ledkov
Autopkgtests have now all passed.

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Fix Committed



[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-11-15 Thread Łukasz Zemczak
Hello Dimitri, or anyone else affected,

Accepted curl into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.8
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: curl (Ubuntu Focal)
   Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-focal

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Fix Committed



[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-11-12 Thread Dimitri John Ledkov
Not only was the patch missing, it was partially missing. Reuploading again.

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Triaged



[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-11-12 Thread Dimitri John Ledkov
Reuploaded curl into focal proposed, with series fix & on top of
security upload that has happened since.

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Triaged



[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-09-14 Thread Dimitri John Ledkov
** Changed in: curl (Ubuntu Focal)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Triaged

Bug description:
  [Impact]

   * curl 7.68 does not correctly use OpenSSL 1.1.0+ api to init OpenSSL
  global state prior to executing any OpenSSL APIs. This may lead to
  duplicate engine initiation, which upon engine unload may cause use-
  after-free or double-free of any methods that engine installs. This
  has been fixed in curl 7.74 by correctly calling OpenSSL init api
  prior to any other calls to OpenSSL apis.

  [Test Plan]

   * This should be reproducible with any engines that allocate &
  register methods, and free them upon engine unload. Then use curl with
  openssl backend to test for corrupted stack.

   * I.e. on arm64, compile and configure pka engine from
  
https://github.com/Mellanox/pka/commit/b0f32fa05298bf9e3997ea43fc1c11b90e0d662f
  (i.e. without the double-free protections proposed in
  https://github.com/Mellanox/pka/pull/37 ) on any arm64 hardware, there
  is no need for the engine to actually work or have access to anything,
  as the issue is reproducible when engine is enabled but cannot be
  effectively used.

   * curl any https website

  ...
  PKA_DEV: pka_dev_open_ring_vfio: error: failed to get ring 50 device name
  PKA_ENGINE: PKA instance is invalid
  PKA_ENGINE: failed to retrieve valid instance
  100   338  100   3380 0   3520  0 --:--:-- --:--:-- --:--:--  3520
  (exit status 0)

  is good output from fixed curl.

  Whereas:

  PKA_ENGINE: PKA instance is invalid
  PKA_ENGINE: failed to retrieve valid instance
  100   338  100   3380 0   1169  0 --:--:-- --:--:-- --:--:--  1169
  Segmentation fault (core dumped)
  (exit status non-zero)

  is bad output from currently broken curl.

  [Where problems could occur]

   * Correctly calling OpenSSL init function prior to any other OpenSSL
  apis changes the behaviour of the library slightly - specifically
  openssl configuration file and engines are initialised and loaded
  earlier, meaning that site-local customizations are applied correctly
  whenever using curl cli utility or libcurl4 (the openssl version of
  curl). This will make engine support working correctly across the
  board. However, if one has missconfigured openssl conf and
  missconfigured engines which are now actually attempted to be used one
  may experience unexpected behaviour changes (since potentially
  existing configuration was not actually taking effect).

  [Other Info]
   
   * References:
  https://github.com/curl/curl/commit/1835cb916e0d40eb8bc1165d5627a0b64f911bac
  https://github.com/openssl/openssl/issues/13548
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518


[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-08-31 Thread Brian Murray
I don't see the patch in debian/patches/series. Am I missing something?

** Changed in: curl (Ubuntu Focal)
   Status: Confirmed => Incomplete

Title:
  curl 7.68 does not init OpenSSL correctly

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Incomplete


[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-08-19 Thread Dimitri John Ledkov
Building test package in
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4654

But also uploaded it into focal unapproved, which is currently soft
frozen.

Title:
  curl 7.68 does not init OpenSSL correctly

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Confirmed


[Touch-packages] [Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-08-19 Thread Dimitri John Ledkov
** Patch added: "lp1940528-openssl-use-OPENSSL_init_ssl-with-1.1.0.patch"
   https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528/+attachment/5519059/+files/lp1940528-openssl-use-OPENSSL_init_ssl-with-1.1.0.patch

Title:
  curl 7.68 does not init OpenSSL correctly

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Confirmed


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
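
The failure mode from the bug description's [Impact] section, as an added example that is not part of this thread and is not curl, OpenSSL or pka code: a simplified C model in which an unguarded second engine load registers a second unload callback for the same method table, and an init-once guard prevents it. All names (`engine_bind`, `load_config`, `run_lifetime`) are hypothetical, and the second `free()` is counted rather than executed.

```c
/* Simplified model, NOT OpenSSL or pka code: all names are hypothetical. */
#include <stdlib.h>

struct methods { int id; };           /* stands in for an engine's method table */

static struct methods *g_methods;     /* global the toy engine installs */
static int g_live;                    /* 1 while g_methods points at live memory */
static int g_cleanups;                /* unload callbacks registered by bind */
static int g_inited;                  /* init-once flag (the fix) */
static int g_double_frees;            /* frees attempted on already freed memory */

/* Engine bind: allocate the method table once, register one unload callback
 * per call. A second bind reuses the table but registers a second callback. */
static void engine_bind(void) {
    if (!g_methods) { g_methods = calloc(1, sizeof *g_methods); g_live = 1; }
    g_cleanups++;
}

/* Engine unload callback: frees the table. Instead of a real second free()
 * (undefined behaviour) the model counts the attempt. */
static void engine_unload(void) {
    if (g_live) { free(g_methods); g_live = 0; }
    else g_double_frees++;
}

/* Config-driven engine load. With guard=1 it runs at most once per process. */
static void load_config(int guard) {
    if (guard && g_inited) return;
    g_inited = 1;
    engine_bind();
}

/* Run one process lifetime; returns the number of double-free attempts.
 * explicit_init=0: two code paths each trigger an unguarded load (broken).
 * explicit_init=1: one guarded init up front, later loads are no-ops (fixed). */
int run_lifetime(int explicit_init) {
    g_methods = NULL; g_live = 0; g_cleanups = 0; g_inited = 0; g_double_frees = 0;
    load_config(explicit_init);       /* first touch of the library */
    load_config(explicit_init);       /* later path that loads config again */
    while (g_cleanups-- > 0) engine_unload();
    g_methods = NULL;
    return g_double_frees;
}

int main(void) {
    return run_lifetime(1);           /* 0: the fixed ordering is clean */
}
```

In the model, `run_lifetime(0)` corresponds to the segfaulting run in the test plan and `run_lifetime(1)` to the run that exits with status 0.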