Package: libnet-ssleay-perl
Version: 1.30-1
Severity: important

When I'm using IO::Socket::SSL with the SSL_check_crl option set to
true on Etch, I'm getting a segfault from within libcrypto (from
libssl); now I'm not sure which package is really at fault, I guess
IO::Socket::SSL is innocent so I'm reporting this against Net::SSLeay
(but it could be a problem in libssl0.9.8 of course).

I'm tagging this 'important' since I think checking CRLs is essential
for secure usage of the package (right?), so this renders the package
useless for those who want to use it safely.

On Sarge, my code works without problems.

Note that the versions of the packages are from unstable now because I
did upgrade them to unstable to check those, but the segfault did also
happen with the packages from testing.

$ gdb /usr/bin/perl
...
(gdb) run -w -MIO::Socket::SSL -e "IO::Socket::INET::new('IO::Socket::SSL', 'PeerPort', 443, 'PeerAddr', 'may.not.even.exist', 'SSL_check_crl', 1)"
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210386752 (LWP 24477)]
0xb7c39999 in X509_VERIFY_PARAM_set_flags () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
(gdb) bt
#0  0xb7c39999 in X509_VERIFY_PARAM_set_flags () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#1  0xb7c31257 in X509_STORE_CTX_set_flags () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#2  0xb7d0ebf3 in XS_Net__SSLeay_X509_STORE_CTX_set_flags ()
   from /usr/lib/perl5/auto/Net/SSLeay/SSLeay.so
#3  0x080bdad1 in Perl_pp_entersub ()
#4  0x080bc3a9 in Perl_runops_standard ()
#5  0x08063bfd in perl_run ()
#6  0x0805ffd1 in main ()


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.3-vs2.2.0-rc12
Locale: LANG=de_CH, LC_CTYPE=de_CH (charmap=ISO-8859-1)

Versions of packages libnet-ssleay-perl depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libssl0.9.8                 0.9.8e-4     SSL shared libraries
ii  perl                        5.8.8-7      Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.7]   5.8.8-7      The Pathologically Eclectic Rubbis

libnet-ssleay-perl recommends no packages.

-- no debconf information

