[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Marc Deslauriers]

> This experience makes me wonder how patches for the -security suites
(default for unattended-upgrades) are tested and QA'ed. Can anything be
done to the Ubuntu process to prevent things like this happening again?

For OpenSSL, we run it through a test suite and also test it with
commonly run software such as Apache, Wget, etc. In this instance, the
issue was an off-by-one which means it only affected certain
certificates, and unfortunately not the certs that were used in our test
suite. We've now added a test to parse all certs in the ca-
certificates.crt file so this particular issue doesn't happen again.

> Debian seems to have got this one right in the first shot (DSA is here
https://www.debian.org/security/2016/dsa-3673).

Debian hit the very same regression. See https://lists.debian.org
/debian-security-announce/2016/msg00255.html

> BTW: the links to upstream patches on the Ubuntu CVE page
(http://people.canonical.com/~ubuntu-
security/cve/2016/CVE-2016-2182.html) are invalid caused by a version
string being appended to the commit hash

Thanks, I'll get that fixed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Mikkel Kirkgaard Nielsen]

Thanks for the fix.

I too can verify that our system doesn't segfault on Ubuntu 14.04
(trusty) using latest libssl1.0.0 (=1.0.1f-1ubuntu2.21);

# dpkg -l |grep libssl1.0.0
ii  libssl1.0.0:amd64  1.0.1f-1ubuntu2.21   
amd64Secure Sockets Layer toolkit - shared libraries

# php -r "echo 
gettype(openssl_x509_parse(file_get_contents('/etc/ssl/certs/ca-certificates.crt')));"
array


We'll definitely be reconsidering which systems will be applying security 
upgrades unattended in the future.

This experience makes me wonder how patches for the -security suites
(default for unattended-upgrades) are tested and QA'ed. Can anything be
done to the Ubuntu process to prevent things like this happening again?

I'm unfamiliar with how this is done currently so excuse my ignorance.
But I'm wondering why there seem to be no collaboration or correlation
between Ubuntu and Debian security updates. Debian seems to have got
this one right in the first shot (DSA is here
https://www.debian.org/security/2016/dsa-3673).

BTW: the links to upstream patches on the Ubuntu CVE page
(http://people.canonical.com/~ubuntu-
security/cve/2016/CVE-2016-2182.html) are invalid caused by a version
string being appended to the commit hash (looks like borked wiki
syntax).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Olli Salli]

Thank you. I can verify libssl1.0.0 1.0.2g-1ubuntu4.5 no longer exhibits
the crash:

jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
 apt-cache policy libssl1.0.0
libssl1.0.0:
  Installed: 1.0.2g-1ubuntu4.5
  Candidate: 1.0.2g-1ubuntu4.5
  Version table:
 *** 1.0.2g-1ubuntu4.5 500
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
100 /var/lib/dpkg/status
 1.0.2g-1ubuntu4.2 500
500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
 1.0.2g-1ubuntu4 500
500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
 DATABASE_DATABASE=wordpressmastere2e wp plugin install --force --activate 
wp-cfm
Deprecated: Methods with the same name as their class will not be constructors 
in a future version of PHP; WP_Import has a deprecated constructor in 
/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php
 on line 38
Notice: Undefined offset: 4 in 
phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
Installing WP-CFM (1.4.5)
Ladataan pakettia lähteestä https://downloads.wordpress.org/plugin/wp-cfm.zip...
Using cached file '/home/jenkins/.wp-cli/cache/plugin/wp-cfm-1.4.5.zip'...
Puretaan pakettia...
Asennetaan lisäosaa...
Poistetaan lisäosan vanhaa versiota...
Lisäosa päivitetty onnistuneesti.
Activating 'wp-cfm'...
Warning: Plugin 'wp-cfm' is already active.
jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Mathew Hodson]

** No longer affects: openssl (Ubuntu Yakkety)

** Changed in: openssl (Ubuntu)
   Status: Invalid => Fix Released

** Tags added: regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Marc Deslauriers]

** Changed in: openssl (Ubuntu Yakkety)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Launchpad Bug Tracker]

This bug was fixed in the package openssl - 1.0.2g-1ubuntu4.5

---
openssl (1.0.2g-1ubuntu4.5) xenial-security; urgency=medium

  * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
- debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
  check in crypto/bn/bn_print.c.

 -- Marc Deslauriers   Fri, 23 Sep 2016
08:00:13 -0400

** Changed in: openssl (Ubuntu Xenial)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Launchpad Bug Tracker]

This bug was fixed in the package openssl - 1.0.1f-1ubuntu2.21

---
openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium

  * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
- debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
  check in crypto/bn/bn_print.c.

 -- Marc Deslauriers   Fri, 23 Sep 2016
07:57:00 -0400

** Changed in: openssl (Ubuntu Trusty)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Launchpad Bug Tracker]

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.38

---
openssl (1.0.1-4ubuntu5.38) precise-security; urgency=medium

  * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
- debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
  check in crypto/bn/bn_print.c.

 -- Marc Deslauriers   Fri, 23 Sep 2016
07:59:32 -0400

** Changed in: openssl (Ubuntu Precise)
   Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2182

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Marc Deslauriers]

Packages that fix this issue are currently being built in the security
team PPA:

https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/+packages

They will be published as soon as they finish building and have gone
through QA.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[vdloo]

Can confirm that this affects 1.0.1-4ubuntu5.37 on 12.04

Reproducible by trying to openssl_x509_parse the ssl cert for
sourceforge with PHP 5.5.30-1+deb.sury.org~precise+1

$ openssl s_client -connect sourceforge.net:443   cert.txt
$ echo " segfault.php
$ php segfault.php
Segmentation fault (core dumped)

The backtrace:
$ gdb php
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) r segf.php
Starting program: /usr/bin/php segf.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x75c40f81 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x75c40f81 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x006e8e8d in add_assoc_string_ex ()
#2  0x004a67ba in zif_openssl_x509_parse ()
#3  0x006d4959 in dtrace_execute_internal ()
#4  0x007911de in ?? ()
#5  0x00754358 in execute_ex ()
#6  0x006d4846 in dtrace_execute_ex ()
#7  0x74f72ecc in ?? () from 
/usr/lib/php5/20121212/ioncube_loader_lin_5.5.so
#8  0x006e66b4 in zend_execute_scripts ()
#9  0x0068380d in php_execute_script ()
#10 0x007949c3 in ?? ()
#11 0x00465081 in main ()
(gdb)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Marc Deslauriers]

** Also affects: openssl (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Yakkety)
   Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
   Status: Confirmed

** Also affects: openssl (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: openssl (Ubuntu Precise)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu Precise)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssl (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: openssl (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssl (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: openssl (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Andreas Rütten]

Also affected 1.0.1-4ubuntu5.37 on 12.04

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Marc Deslauriers]

I can reproduce this and will release an updated openssl package today.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Marc Deslauriers]

** Changed in: openssl (Ubuntu)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Mikkel Kirkgaard Nielsen]

Thanks @ollisa.

I had the same thoughts about 1.0.1f-1ubuntu2 so I found a downloadable
build at https://launchpad.net/ubuntu/+source/openssl/1.0.1f-
1ubuntu2.19. Installing just the ubuntu2.19 version of libssl1.0.0
solved the issue;

wget 
https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9679884/+files/libssl1.0.0_1.0.1f-1ubuntu2.19_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.19_amd64.deb

Now the certs can be parsed without segfault;
# php -r "echo 
gettype(openssl_x509_parse(file_get_contents('/etc/ssl/certs/ca-certificates.crt')));"
array

A good idea would be to put the package on hold to prevent further
automatic upgrades. Though you'd then need to manually verify and unhold
when a fix is out

# apt-mark hold libssl1.0.0
libssl1.0.0 set on hold.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

[Olli Salli]

** Summary changed:

- libssl 1.0.2g-1ubuntu4.4 causes PHP7 SSL cert validation to segfault
+ libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation 
to segfault

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs