The stacktrace would seem to indicate that libssl indeed returned a null
string here, from i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert))

Relevant php7.0 code here:

https://github.com/php/php-src/blob/f13fd9e72a13e80512f6c8b2302e42d4f252c479/ext/openssl/openssl.c#L2295

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 causes PHP7 SSL cert validation to segfault

Status in openssl package in Ubuntu:
  New

Bug description:
  Last night unattended-upgrades upgraded the openssl packages
  (libssl1.0.0, libssl-dev, openssl) from version 1.0.2g-1ubuntu4.1 to
  version 1.0.2g-1ubuntu4.4 on a CI build server. Then everything that
  used PHP to connect to a HTTPS site started crashing when verifying
  the server cert.

  Like this:

  ```
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force --activate wp-cfm
  Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 38
  Notice: Undefined offset: 4 in phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
  Segmentation fault (core dumped)
  *** Segmentation fault
  Register dump:

   RAX: 0000000000000000   RBX: 0000000000000001   RCX: 0000000000000000
   RDX: 000000000000000c   RSI: 000055665071af59   RDI: 0000000000000000
   RBP: 0000556650a49e4e   R8 : 0000556652364720   R9 : 0000000000000000
   R10: 0000000000000000   R11: 00007fdb3c081730   R12: 000055665071af59
   R13: 000000000000000c   R14: 0000000000000000   R15: 00007fdb39418cf0
   RSP: 00007ffc4bad7a08

   RIP: 00007fdb3bf77d16   EFLAGS: 00010293

   CS: 0033   FS: 0000   GS: 0000

   Trap: 0000000e   Error: 00000004   OldMask: 00000000   CR2: 00000000

   FPUCW: 0000027f   FPUSW: 00000000   TAG: 00000000
   RIP: 00000000   RDP: 00000000

   ST(0) 0000 0000000000000000   ST(1) 0000 0000000000000000
   ST(2) 0000 0000000000000000   ST(3) 0000 0000000000000000
   ST(4) 0000 0000000000000000   ST(5) 0000 0000000000000000
   ST(6) 0000 0000000000000000   ST(7) 0000 0000000000000000
   mxcsr: 1fa0
   XMM0:  00000000000000000000000000000000 XMM1:  00000000000000000000000000000000
   XMM2:  00000000000000000000000000000000 XMM3:  00000000000000000000000000000000
   XMM4:  00000000000000000000000000000000 XMM5:  00000000000000000000000000000000
   XMM6:  00000000000000000000000000000000 XMM7:  00000000000000000000000000000000
   XMM8:  00000000000000000000000000000000 XMM9:  00000000000000000000000000000000
   XMM10: 00000000000000000000000000000000 XMM11: 00000000000000000000000000000000
   XMM12: 00000000000000000000000000000000 XMM13: 00000000000000000000000000000000
   XMM14: 00000000000000000000000000000000 XMM15: 00000000000000000000000000000000

  Backtrace:
  /lib/x86_64-linux-gnu/libc.so.6(strlen+0x26)[0x7fdb3bf77d16]
  php(add_assoc_string_ex+0x32)[0x556650677b12]
  php(zif_openssl_x509_parse+0x17c)[0x5566505312ec]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_call_function+0x749)[0x556650666639]
  php(zif_call_user_func+0xb5)[0x5566505b39d5]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_call_function+0x749)[0x556650666639]
  php(zif_call_user_func+0xb5)[0x5566505b39d5]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2ef65c)[0x55665070565c]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2efc7c)[0x556650705c7c]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_execute+0x1a7)[0x556650708bf7]
  php(zend_execute_scripts+0xc3)[0x556650674bd3]
  php(php_execute_script+0x2d0)[0x556650615470]
  php(+0x2f48b7)[0x55665070a8b7]
  php(main+0x474)[0x5566504fa084]
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fdb3bf0d830]
  php(_start+0x29)[0x5566504fa1c9]
  ```

  Apparently something in libssl now returns a NULL or not-NUL-
  terminated C string which the PHP function openssl_x509_parse then
  passes to strlen, which crashes.

  After downgrading to 1.0.2g-1ubuntu4.2 which luckily is still in the
  repos, everything works:

  ```
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ apt-cache policy libssl1.0.0
  libssl1.0.0:
    Installed: 1.0.2g-1ubuntu4.2
    Candidate: 1.0.2g-1ubuntu4.4
    Version table:
       1.0.2g-1ubuntu4.4 500
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
   *** 1.0.2g-1ubuntu4.2 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force --activate wp-cfm
  Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 38
  Notice: Undefined offset: 4 in phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
  Installing WP-CFM (1.4.5)
  Ladataan pakettia lähteestä https://downloads.wordpress.org/plugin/wp-cfm.zip...
  Using cached file '/home/jenkins/.wp-cli/cache/plugin/wp-cfm-1.4.5.zip'...
  Puretaan pakettia...
  Asennetaan lisäosaa...
  Poistetaan lisäosan vanhaa versiota...
  Lisäosa päivitetty onnistuneesti.
  Activating 'wp-cfm'...
  Warning: Plugin 'wp-cfm' is already active.
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
  ```

  So the issue was introduced between 1.0.2g-1ubuntu4.2 and 1.0.2g-1ubuntu4.4.

  The only patch between them that seems relevant is this:

  ```
  diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch 
openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch
  --- openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch       1970-01-01 
00:00:00.000000000 +0000
  +++ openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch       2016-09-22 
12:17:31.000000000 +0000
  @@ -0,0 +1,66 @@
  +From ff553f837172ecb2b5c8eca257ec3c5619a4b299 Mon Sep 17 00:00:00 2001
  +From: "Dr. Stephen Henson" <st...@openssl.org>
  +Date: Sat, 17 Sep 2016 12:36:58 +0100
  +Subject: [PATCH] Fix small OOB reads.
  +
  +In ssl3_get_client_certificate, ssl3_get_server_certificate and
  +ssl3_get_certificate_request check we have enough room
  +before reading a length.
  +
  +Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
  +
  +CVE-2016-6306
  +
  +Reviewed-by: Richard Levitte <levi...@openssl.org>
  +Reviewed-by: Matt Caswell <m...@openssl.org>
  +---
  + ssl/s3_clnt.c | 11 +++++++++++
  + ssl/s3_srvr.c |  6 ++++++
  + 2 files changed, 17 insertions(+)
  ```
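Review bot: the hunk at @@ -0,0 +1,66 @@ is cut off after the diffstat, so only the commit message of CVE-2016-6306-1.patch is visible and none of the 17 inserted lines in ssl/s3_clnt.c and ssl/s3_srvr.c can be checked against the crash. The functions the message names (ssl3_get_client_certificate, ssl3_get_server_certificate, ssl3_get_certificate_request) are handshake-message readers, while the backtrace above fails in strlen called from zif_openssl_x509_parse, so the visible portion does not by itself connect this patch to the segfault; quote the full 66-line patch, or the result of a build with it reverted, before naming it as the cause.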

  I didn't try building a binary with that patch reverted though, as I'm
  happy using the 1.0.2g-1ubuntu4.2 version without the security updates
  for the time being, given that this build server is not accessible
  from untrusted networks.

  Of course, this might just as well be due to some insufficient error
  handling or otherwise improper libssl usage in php7.0, but the net
  effect is that the latest libssl makes the latest php7.0 in the stable
  Ubuntu 16.04 LTS version crash.

  ProblemType: Crash
  DistroRelease: Ubuntu 16.04
  Package: php7.0-cli 7.0.8-0ubuntu0.16.04.2
  ProcVersionSignature: Ubuntu 4.4.0-36.55-generic 4.4.16
  Uname: Linux 4.4.0-36-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CrashCounter: 1
  Date: Fri Sep 23 10:30:31 2016
  ExecutablePath: /usr/bin/php7.0
  ExecutableTimestamp: 1469647957
  InstallationDate: Installed on 2016-05-18 (127 days ago)
  InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
  ProcCmdline: php /usr/local/bin/wp plugin install --force --activate wp-cfm
  ProcCwd: /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress
  SegvAnalysis: Skipped: missing required field "Disassembly"
  Signal: 11
  SourcePackage: php7.0
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:
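
The crash path described in the report and in the comment above (a NULL from i2s_ASN1_INTEGER handed to add_assoc_string, which calls strlen on it) can be shown without OpenSSL. The following is an added example, not PHP's or OpenSSL's code: a self-contained decoder from a DER INTEGER (the form X509_get_serialNumber returns) to a decimal string that returns NULL on malformed input, the way i2s_ASN1_INTEGER can, and a caller that checks for that NULL instead of letting it reach strlen. The names der_integer_to_dec and serial_field are made up here, and only short-form DER lengths are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example with made-up names (not PHP's or OpenSSL's code). Decode a
 * DER INTEGER (tag 0x02, short-form length, big-endian two's complement) into
 * a malloc'd decimal string; return NULL on malformed input, as i2s_ASN1_INTEGER can. */
char *der_integer_to_dec(const uint8_t *der, size_t len) {
    if (der == NULL || len < 3 || der[0] != 0x02 || der[1] == 0 || der[1] > 127 ||
        (size_t)der[1] + 2 != len)
        return NULL;                          /* not a non-empty short-form INTEGER TLV of this length */
    size_t n = der[1];
    const uint8_t *v = der + 2;
    if (v[0] & 0x80)
        return NULL;                          /* negative values are not valid X.509 serial numbers */
    uint8_t *mag = malloc(n);                 /* working copy of the magnitude */
    char *out = malloc(n * 3 + 2);            /* at most 3 decimal digits per byte, plus NUL */
    if (mag == NULL || out == NULL) { free(mag); free(out); return NULL; }
    memcpy(mag, v, n);
    size_t digits = 0; int nonzero = 1;
    while (nonzero) {                         /* long division by 10; least significant digit first */
        unsigned rem = 0;
        nonzero = 0;
        for (size_t i = 0; i < n; i++) {
            unsigned cur = rem * 256 + mag[i];
            mag[i] = (uint8_t)(cur / 10);
            rem = cur % 10;
            if (mag[i]) nonzero = 1;
        }
        out[digits++] = (char)('0' + rem);
    }
    free(mag);
    for (size_t i = 0; i < digits / 2; i++) { /* reverse to most-significant-first */
        char t = out[i]; out[i] = out[digits - 1 - i]; out[digits - 1 - i] = t;
    }
    out[digits] = '\0';
    return out;
}

/* Caller shaped like the PHP serialNumber field: copy the decimal string into buf.
 * A NULL from the decoder becomes an empty field and -1 instead of reaching strlen. */
int serial_field(const uint8_t *der, size_t len, char *buf, size_t bufsz) {
    char *s = der_integer_to_dec(der, len);
    if (s == NULL) { if (bufsz) buf[0] = '\0'; return -1; } /* unchecked, this is strlen(NULL) */
    snprintf(buf, bufsz, "%s", s);
    free(s);
    return 0;
}
```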
