[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2022-08-05 Thread Mauricio Faria de Oliveira
Update: this has been fixed in Focal (same fix commit):

openssl (1.1.1f-1ubuntu2.11) focal; urgency=medium

  * Fixup pointer authentication for armv8 systems that support it when
    using the poly1305 MAC, preventing segmentation faults. (LP: #1960863)
    - d/p/lp-1960863-crypto-poly1305-asm-fix-armv8-pointer-authenticat.patch

 -- Matthew Ruffell  Tue, 15 Feb 2022 10:10:01 +1300

** Changed in: openssl (Ubuntu Focal)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1951279

Title:
  OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  Fix Released
Status in openssl package in Debian:
  Fix Released

Bug description:
  Description
  ---

  It seems that the current Ubuntu 20.04 (Focal) distribution for
  Arm64/Aarch64 raises a segmentation fault when certain validates some
  certificates.

  This issue affects only Arm64/Aarch64; all the tools statically or
  dynamically linked with this version of the library are affected
  (Libcurl4, Curl, Wget, OpenJDK, Curl-PHP, etc).

  
  Environment and platform
  
  Linux 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:29:20 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

  
  Steps to reproduce
  --

  1. Run:

  curl -v https://graph.facebook.com/v12.0/act_111/

  or

  wget https://graph.facebook.com/v12.0/act_111/

  
  Result received
  ---

  Segmentation fault (core dumped)

  
  Notes
  -

  This bug was found by the Curl users:
  See: https://github.com/curl/curl/issues/8024

  I believe that this bug is related to
  https://ubuntu.com/security/CVE-2020-1967 that may be used as a vector
  point for code injection.

  Actually there isn't any replacement for OpenSSL 1.1.1f for Focal
  (Arm64), so it makes it difficult to use Ubuntu 20.04 in a production
  environment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1951279/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2022-03-17 Thread Bug Watch Updater
** Changed in: openssl (Debian)
   Status: New => Fix Released

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  Confirmed
Status in openssl package in Debian:
  Fix Released



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2022-03-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssl (Ubuntu Focal)
   Status: New => Confirmed

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  Confirmed
Status in openssl package in Debian:
  New



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2022-02-19 Thread Mathew Hodson
** Bug watch removed: github.com/curl/curl/issues #8024
   https://github.com/curl/curl/issues/8024

** Also affects: openssl (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: openssl (Ubuntu)
   Importance: Undecided => Medium

** Changed in: openssl (Ubuntu Focal)
   Importance: Undecided => Medium

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  New
Status in openssl package in Debian:
  New



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-27 Thread David Hess
If anybody needs a workaround, disable the CHACHA20 cipher suites which
use Poly1305:

$ openssl s_client -debug -showcerts -connect graph.facebook.com:443 -ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 -cipher 'ALL:!CHACHA20'

Unfortunately, it appears this can't be done system wide from
/etc/ssl/openssl.conf - it needs to be done in a tool specific way for
each tool using openssl (such as curl:
https://curl.se/docs/ssl-ciphers.html).

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-25 Thread David Hess
To reproduce, be on an Arm v8.3 processor and do the following:

$ gdb $(which openssl)
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "aarch64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/openssl...
Reading symbols from 
/usr/lib/debug/.build-id/8c/c0ad363ae4508d48a68d9f9dafdbadf7bd264a.debug...
(gdb) break main
Breakpoint 1 at 0x32840: file ../apps/openssl.c, line 120.
(gdb) run s_client -showcerts -connect graph.facebook.com:443
Starting program: /usr/bin/openssl s_client -showcerts -connect 
graph.facebook.com:443
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=5, argv=0xf478) at ../apps/openssl.c:120
120 ../apps/openssl.c: No such file or directory.
(gdb) break ../crypto/poly1305/poly1305.c:502
Breakpoint 2 at 0xf7e082c8: file ../crypto/poly1305/poly1305.c, line 502.
(gdb) c
Continuing.
CONNECTED(0003)

Breakpoint 2, Poly1305_Update (ctx=ctx@entry=0xaaba97f0, inp=, inp@entry=0xaab9e098 "\362Hd\025\245\223\351f\027\265 
b䓁\207, 
len=992, len@entry=1001)
at ../crypto/poly1305/poly1305.c:502
502 ../crypto/poly1305/poly1305.c: No such file or directory.
(gdb) s
poly1305_blocks_neon () at crypto/poly1305/poly1305-armv8.S:223
223 crypto/poly1305/poly1305-armv8.S: No such file or directory.
(gdb) bt
#0  poly1305_blocks_neon () at crypto/poly1305/poly1305-armv8.S:223
#1  0xf7e082dc in Poly1305_Update (ctx=ctx@entry=0xaaba97f0, 
inp=, inp@entry=0xaab9e098 "\362Hd\025\245\223\351f\027\265 
b䓁\207, 
len=, len@entry=1001) at ../crypto/poly1305/poly1305.c:502
#2  0xf7dd7834 in chacha20_poly1305_cipher (ctx=0xaaba95b0, 
out=0xaab9e098 "\362Hd\025\245\223\351f\027\265 
b䓁\207, 
in=0xaab9e098 "\362Hd\025\245\223\351f\027\265 
b䓁\207, 
len=1001) at ../crypto/evp/e_chacha20_poly1305.c:419
#3  0xf7ddc214 in EVP_DecryptUpdate (inl=1001, in=0xaab9e098 
"\362Hd\025\245\223\351f\027\265 
b䓁\207, 
outl=0xe360, 
out=0xaab9e098 "\362Hd\025\245\223\351f\027\265 
b䓁\207, 
ctx=0xaaba95b0) at ../crypto/evp/evp_enc.c:498
#4  EVP_DecryptUpdate (ctx=0xaaba95b0, out=0xaab9e098 
"\362Hd\025\245\223\351f\027\265 
b䓁\207, 
outl=0xe360, 
in=0xaab9e098 "\362Hd\025\245\223\351f\027\265 
b䓁\207, 
inl=1001) at ../crypto/evp/evp_enc.c:464
#5  0xf7f59d8c in tls13_enc (s=0xaab94ca0, recs=0xaab95a28, 
n_recs=, sending=0) at ../ssl/record/ssl3_record_tls13.c:173
#6  0xf7f58748 in ssl3_get_record (s=s@entry=0xaab94ca0) at 
../ssl/record/ssl3_record.c:529
#7  0xf7f55fc0 in ssl3_read_bytes (s=0xaab94ca0, type=22, 
recvd_type=0xe5ec, buf=0xaab98b30 "\002", len=4, peek=0, 
readbytes=0xe5f0) at ../ssl/record/rec_layer_s3.c:1323
#8  0xf7f84800 in tls_get_message_header (s=s@entry=0xaab94ca0, 
mt=mt@entry=0xe68c) at ../ssl/statem/statem_lib.c:1160
#9  0xf7f7af74 in read_state_machine (s=0xaab94ca0) at 
../ssl/statem/statem.c:579
#10 state_machine (s=0xaab94ca0, server=0) at ../ssl/statem/statem.c:434
#11 0xf7f55ce4 in ssl3_write_bytes (s=0xaab94ca0, type=23, 
buf_=0xaab89d90, len=0, written=0xe8e0) at 
../ssl/record/rec_layer_s3.c:390
#12 0xf7f66b74 in ssl_write_internal (s=s@entry=0xaab94ca0, 
buf=buf@entry=0xaab89d90, num=num@entry=0, 
written=written@entry=0xe8e0) at ../ssl/ssl_lib.c:1958
#13 0xf7f66ca0 in SSL_write (s=s@entry=0xaab94ca0, 
buf=buf@entry=0xaab89d90, num=num@entry=0) at ../ssl/ssl_lib.c:1972
#14 0xaab00250 in s_client_main (argc=, argv=) at ../apps/s_client.c:2859
#15 0xaaaeffd4 in do_cmd (prog=0xaab84740, argc=4, 
argv=0xf480) at ../apps/openssl.c:570
#16 0xaaadcc04 in main (argc=4, argv=0xf480) at 
../apps/openssl.c:189
(gdb) finish
Run till exit from #0  poly1305_blocks_neon () at 
crypto/poly1305/poly1305-armv8.S:223

Program received signal SIGSEGV, Segmentation fault.
0x0020f7e082dc in ?? ()
(gdb) bt
#0  0x0020f7e082dc in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)


[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-25 Thread David Hess
After a lot of sleuthing with gdb, I'm pretty confident this is the
source of (and fix for) the crash we are seeing with libssl1.1:arm64
1.1.1f-1ubuntu2.10:

https://github.com/openssl/openssl/commit/fcf6e9d056162d5af64c6f7209388a5c3be2ce57

It's a bug fix for some pointer authentication assembly instructions for
the Poly1305 arm64 assembly code. These instructions only execute (and
crash) on Arm v8.3 64 bit processors - they NOOP on other processors
that don't understand them.

Note, I have no idea why that code would not also be a problem and crash
under valgrind, but I've definitely narrowed this particular crash
outside of valgrind down to that location. Maybe it disables pointer
authentication?

It appears the commit above was landed in OpenSSL 1.1.1i:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1i/crypto/poly1305/asm/poly1305-armv8.pl

Bottom line, in order to prevent crashes on Arm v8.3 processors I
believe addressing this requires an upgrade of libssl1.1 to OpenSSL
1.1.1i.

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-25 Thread David Hess
More info about my environment:

Running under Parallels 17.1.1 (51537) on macOS Monterey 12.1 on an
Apple Silicon M1 Max. Ubuntu 20.04.3 LTS w/ libssl1.1:arm64
1.1.1f-1ubuntu2.10.

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-25 Thread David Hess
Here's an interesting data point. If I run this under valgrind:

$ valgrind openssl s_client -showcerts -connect graph.facebook.com:443
==36982== Memcheck, a memory error detector
==36982== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==36982== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==36982== Command: openssl s_client -showcerts -connect graph.facebook.com:443
==36982== 
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High 
Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 
High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = Menlo Park, O = "Facebook, Inc.", CN = 
*.facebook.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Menlo Park, O = "Facebook, Inc.", CN = 
*.facebook.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High 
Assurance Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High 
Assurance Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High 
Assurance EV Root CA

[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-08 Thread Bento
1.1.1f-1ubuntu2.09 was just updated in the repos to  1.1.1f-1ubuntu2.10
but no fix for this issue yet :-(

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-12-07 Thread Craig Anderson
I have the same issue. It's preventing me from doing some fairly
important things, without an obvious workaround at the moment.

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-23 Thread Bento
I am encountering the same issue. IMHO there needs to be a newer OpenSSL
release for 20.04 LTS included in the repos.

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-19 Thread Juan
I installed the debug symbols and ran OpenSSL; however, GDB did not
return valuable information about the backtrace.

This is what I received:

GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "aarch64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from openssl...
Reading symbols from 
/usr/lib/debug/.build-id/a2/f3e269767a7410ab51fafa0461e7f051144517.debug...
(gdb) run s_client -showcerts -connect graph.facebook.com:443
Starting program: /usr/bin/openssl s_client -showcerts -connect 
graph.facebook.com:443
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
CONNECTED(0003)

Program received signal SIGSEGV, Segmentation fault.
0x0020f7e0809c in ?? ()
(gdb) bt
#0  0x0020f7e0809c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) frame 0
#0  0x0020f7e0809c in ?? ()

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-19 Thread Juan
Another more accurate way of reproduce this bug:

Execute:

openssl s_client -showcerts -connect graph.facebook.com:443 https://bugs.launchpad.net/bugs/1951279



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-19 Thread Juan
More information about the OpenSSL version:

Package: openssl
Architecture: arm64
Version: 1.1.1f-1ubuntu2.9
Multi-Arch: foreign
Priority: important
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Original-Maintainer: Debian OpenSSL Team 

Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 1213
Depends: libc6 (>= 2.17), libssl1.1 (>= 1.1.1)
Suggests: ca-certificates
Filename: pool/main/o/openssl/openssl_1.1.1f-1ubuntu2.9_arm64.deb
Size: 598980



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-18 Thread Seth Arnold
Ah, that's good for the health of your storage :)

Please follow up with the debug symbols and reproduction instructions.

Thanks



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-18 Thread Juan
@Seth: The Ubuntu 20.04 where I tested this issue was a virtualized
environment running on Parallels Desktop over Mac OS.

I cannot reproduce this issue on Debian Buster 10 (Arm64) with OpenSSL
using the same virtualized environment.



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-17 Thread Hendrawan Kuncoro
same issue
my environment is inside docker

--
docker run -it --platform linux/arm64 ubuntu:20.04 /bin/bash

Linux 888c7f7b294c 5.10.47-linuxkit #1 SMP PREEMPT Sat Jul 3 21:50:16
UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

curl 7.68.0 (aarch64-unknown-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f 
zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) 
libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 
pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos 
Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSocket

--

maybe that will help finding the root cause.



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-17 Thread Seth Arnold
Hmm, something else to keep in mind: many aarch64 systems run on SD
cards or USB memory sticks and those are notorious garbage.

Is this a reasonable hard drive or is this cheap flash storage? Are
there messages in dmesg that might indicate filesystem or block storage
errors?

If this isn't a real hard drive then your debugging time is probably
better spent replacing the storage as a first effort.

Thanks



[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-17 Thread Seth Arnold
Can you provide more information on your environment and how to
reproduce this? I wasn't able to reproduce this on my rpi3b+ running
focal, with either libssl1.1 1.1.1f-1ubuntu2.8 or 1.1.1f-1ubuntu2.9:

First, 1.1.1f-1ubuntu2.8 installed:

$ curl -v https://graph.facebook.com/v12.0/act_111/
*   Trying 157.240.3.20:443...
* TCP_NODELAY set
* Connected to graph.facebook.com (157.240.3.20) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Menlo Park; O=Facebook, Inc.; 
CN=*.facebook.com
*  start date: Nov  4 00:00:00 2021 GMT
*  expire date: Feb  2 23:59:59 2022 GMT
*  subjectAltName: host "graph.facebook.com" matched cert's "*.facebook.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High 
Assurance Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xc4c9dee0)
> GET /v12.0/act_111/ HTTP/2
> Host: graph.facebook.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 403 
< vary: Origin
< x-ad-account-usage: {"acc_id_util_pct":0}
< x-fb-rlafr: 0
< content-type: application/json; charset=UTF-8
< www-authenticate: OAuth "Facebook Platform" "insufficient_scope" "(#200) 
Provide valid app ID"
< access-control-allow-origin: *
< facebook-api-version: v12.0
< strict-transport-security: max-age=15552000; preload
< pragma: no-cache
< cache-control: no-store
< expires: Sat, 01 Jan 2000 00:00:00 GMT
< x-fb-request-id: AYFxZKGuw4Uidu_b6_RsyRn
< x-fb-trace-id: C1HBc2Oi1S3
< x-fb-rev: 1004746171
< x-fb-debug: 
yza+SwSrqD6mY1INQSyb5rcHmU89PziSoE3txYwg1BjWybYcgB36mUMVxq9bsRAJXZGkc34nNcSps5APpyG8QA==
< content-length: 125
< date: Wed, 17 Nov 2021 20:48:02 GMT
< alt-svc: h3=":443"; ma=3600, h3-29=":443"; ma=3600
< 
* Connection #0 to host graph.facebook.com left intact
{"error":{"message":"(#200) Provide valid app 
ID","type":"OAuthException","code":200,"fbtrace_id":"AYFxZKGuw4Uidu_b6_RsyRn"}}ubuntu@ubuntu:~
 $ wget https://graph.facebook.com/v12.0/act_111/
--2021-11-17 20:48:16--  https://graph.facebook.com/v12.0/act_111/
Resolving graph.facebook.com (graph.facebook.com)... 157.240.3.20, 
2a03:2880:f001:6:face:b00c:0:2
Connecting to graph.facebook.com (graph.facebook.com)|157.240.3.20|:443... 
connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-11-17 20:48:16 ERROR 403: Forbidden.

ubuntu@ubuntu:~ 8 $


Next, 1.1.1f-1ubuntu2.9 installed:

ubuntu@ubuntu:~ 10s $ curl -v https://graph.facebook.com/v12.0/act_111/
*   Trying 157.240.3.20:443...
* TCP_NODELAY set
* Connected to graph.facebook.com (157.240.3.20) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Menlo Park; O=Facebook, Inc.; 
CN=*.facebook.com
*  start date: Nov  4 00:00:00 2021 GMT
*  expire date: Feb  2 23:59:59 2022 GMT
*  subjectAltName: host "graph.facebook.com" matched cert's "*.facebook.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High 
Assurance Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xf7766ee0)
> GET /v12.0/act_111/ HTTP/2
> Host: graph.facebook.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 403 
< 

[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-17 Thread Juan
I observed that many users are affected by this bug. (See:
https://github.com/curl/curl/issues/8024)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1951279

Title:
  OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

Status in openssl package in Ubuntu:
  New
