This bug was fixed in the package wget - 1.20.3-1ubuntu2
---
wget (1.20.3-1ubuntu2) focal; urgency=medium
* Cherry-pick upstream fix fix-ssl_init-for-openssl-1.1.1.patch:
- Fix initialization of openssl for 1.1.1 (LP: #1921518)
-- Julian Andres Klode Fri, 12 Nov 2021 18:09:1
Marking as verification-done, I'm happy with the described test
procedure to fulfill 3) (arguably all of it :D)
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
--
You received this bug notification because you are a member o
The wget package that was tested and approved on our setup (using PKA
1.3 engine) is the one you declared above - 1.20.3-1ubuntu2. The tests
were basic functionality tests for wget, including debugging to verify
that the engine is loaded exactly once.
Same for curl (exactly the same procedure).
-
for 1.20.3-1ubuntu2 in focal:
I have verified the configuration file is only loaded once, and 1) and
2) but 3) I did not manage to do. I tried this before the SRU with like
setting min TLS to 1.3 and check it's respected, but that did nothing,
and I don't have a custom engine handy that I could ch
Thank you for working with OpenSSL upstream, explaining the issue at
hand, for everyone to eventually understand what is going on, and
finally coming up with a solution on the OpenSSL side of the APIs that
is accepted by upstream into development v3 branch and stable 1.1.1
branch.
I have started p
following my request, OpenSSL just integrated a fix to avoid loading an
engine twice even if the configuration is parsed more than once:
https://github.com/openssl/openssl/commit/9b06ebb1edfddffea083ba36090af7eb7cad207b
Integrating this patch in the existing OpenSSL 1.1.1 package (or at
least pack
** No longer affects: openssl (Ubuntu Focal)
** No longer affects: openssl (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
On Tue, Nov 16, 2021 at 03:24:21PM -, Vladimir Sokolovsky wrote:
> The fix was verified for wget and curl.
> Thanks a lot.
>
> When these new packages will be added to "updates" repository?
There is a minimum aging period of 7 days in -proposed and shortly after
that they will migrate to -upd
The fix was verified for wget and curl.
Thanks a lot.
When these new packages will be added to "updates" repository?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Tit
I have done preliminary analysis of the grep and filed additional bugs
for
- bind9 and bind9-libs (LP: #1951097)
- freeradius (LP: #1951099)
- librabbitmq (LP: #1951102)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in
** Attachment added: "archive grep for CONF_modules_load_file"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+attachment/5541087/+files/openssl-conf-modules-load-file-15-10%3A46%3A37.gz
--
You received this bug notification because you are a member of Ubuntu
Touch seeded pack
Hello Mahantesh, or anyone else affected,
Accepted wget into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/wget/1.20.3-1ubuntu2
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki
** Changed in: wget (Ubuntu Focal)
Status: Incomplete => In Progress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Status
** Description changed:
[Impact]
openssl config file is being loaded twice, causing engines to be loaded twice
if specified therein, causing double free errors and other strange behavior.
[Test plan]
Run the command of the package being tested in
gdb -ex "break CONF_modules_load_
> How will you test that the change does not regress any wget behavior?
In default Ubuntu configuration, either no openssl configuration is provided,
or it contains no settings that affect wget. This code path changes how/when
openssl configuration is loaded and used by openssl. One should verif
How will you test that the change does not regress any wget behavior?
** Changed in: wget (Ubuntu Focal)
Status: In Progress => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in Ubuntu.
https://bugs.la
The fix for curl is being tracked in bug 1940528
** No longer affects: curl (Ubuntu)
** No longer affects: curl (Ubuntu Focal)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1
There are possibly more applications with broken initialization that
need fixes, we will run a search for CONF_modules_load_file in all
Ubuntu packages to hopefully "catch them all".
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribe
I have uploaded a fixed wget for focal, verified that it only loads the
config file once.
** Description changed:
- "double free" error is seen when using curl utility. Error is from
- libcrypto.so which is part of the OpenSSL package. This happens only
- when OpenSSL is configured to use a dynam
In wget, this was fixed upstream in
commit 14e3712b8c39165219fa227bd11f6feae7b09a33
Author: Eneas U de Queiroz
Date: Mon Apr 22 11:03:25 2019 -0300
* src/openssl.c: fix ssl_init for openssl 1.1.1
ssl_init fails with openssl 1.1.1 when openssl.cnf is not found.
Redundant calls
Further analysis of why config files are being loaded twice shows that
these are bugs in curl and wget, both call CONF_modules_load_file
directly during their initialization functions, while it is also being
called from OPENSSL_init_crypto and similar top-level functions:
For wget:
(gdb) bt
#0 C
The original bug report stated
> OpenSSL version is 1.1.1f
>
> The issue is not encountered if
> http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.
Does that mean you believe the double parsing issue is in one of the
patches in debian/patches in the Ubuntu package, and not an u
Loading the configuration only once will resolve this issue, and is the
recommended code fix.
On top of this bug fix, and as mentioned above, we recommend that future
versions will incorporate an API change that will shift the ownership on
releasing the pointers to the engine that allocated them o
So my understanding from #34 and #35 is that this is an upstream OpenSSL
issue, that should be discussed with the OpenSSL people.
The feedback in #34 suggests that this problem can be solved by not
parsing the configuration file twice, I have not investigated that as of
yet.
The feedback in #35 s
** Tags added: fr-1852
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Status in openssl package in Ubuntu:
Incomplete
Status
Dmitrii,
Any update?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Status in openssl package in Ubuntu:
Incomplete
Status in
While trying to understand why a fix in PKA that guards against multiple
destroys (https://github.com/Mellanox/pka/pull/37/files) didn't bypass
this issue, I found the following.
bind() operation of engines is expected to populate the pmeths and
ameths of an existing engine (https://github.com/gos
Hi,
Sorry for interrupting your thread, this bug has been prioritized on our
end (I work at NVIDIA) so I joined the triaging effort and I believe I
found the root cause for the crash. For the record, I used wget, but it
behaves the same to curl.
First of all, it seems that it isn't that far off f
Also I seem to be getting a SIGBUS signal only when function addresses
are not 4-byte aligned:
Thread 1 "curl" received signal SIGBUS, Bus error.
0x006358f58d277bf1 in ?? ()
Thread 1 "curl" received signal SIGBUS, Bus error.
0xb1b30b5cc1eb2dda in ?? ()
Thread 1 "curl" received signal SIGBUS, Bus
Vladimir,
stracing reveals that si_code is set to BUS_ADRALN so there is a problem
with address alignment.
strace curl https://example.com
--- SIGBUS {si_signo=SIGBUS, si_code=BUS_ADRALN, si_addr=0x3efd151115865b} ---
+++ killed by SIGBUS (core dumped) +++
Bus error (core dumped)
The fault is r
No I'm not able to reproduce the issues anymore. Hence I need detailed
logs from you. Including tracebacks with debug symbols installed, and
strace too. Because I have never seen "bus error" on my side.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages
Dimitri, we use the latest https://github.com/Mellanox/pka/tree/releases that
includes the fix proposed by you.
Aren't you able to reproduce this issue on your side anymore?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ope
@Vladimir
This is an improvement.
Previously we were getting: double free or corruption (out)
But now it is: Bus error
So some progress has been made.
Can you please install debug symbols, and generate a complete traceback
with debug symbols? or a core dump with debug symbols? (libcurl4-dbgsym
c
The issue is still reproduced:
# dpkg --list | grep 1.1.1f
ii libssl-dev:arm64 1.1.1f-1ubuntu2.9
arm64Secure Sockets Layer
toolkit - development files
ii libssl1.1:arm641.1.1
Vladimir, I did this in the same location as before -
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4654
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Dimitri, can you provide debs with your fixes and higher version, so apt
update will not remove your fix?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
Ope
1.1.1f-1ubuntu2.8 is security-only update to address CVE-2021-3711 &
CVE-2021-3712
The fixes from this bug report have been rebased on top of the security-
only update in the PPA provided earlier. It has been carrying
1.1.1f-1ubuntu2.9 since yesterday.
** CVE added: https://cve.mitre.org/cgi-bin/
No, they do not include the fixes from this bug.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Status in openssl package in Ub
Ubuntu 20.04 updates repository was updated with:
libssl1.1/focal-updates,focal-security 1.1.1f-1ubuntu2.8 arm64 [upgradable
from: 1.1.1f-1ubuntu2.5]
openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.8 arm64 [upgradable from:
1.1.1f-1ubuntu2.5]
Do these versions include the fixes above?
--
The updated openssl package does not change any behaviour w.r.t. config
or engine use. It only has three patches applied to prevent potential
use-after-free errors. It also relies on installing the new PKA engine
with patches from github.
Has the new PKA engine been recompiled and installed correc
The updated OpenSSL package is not behaving as expected, openssl config
file (/etc/ssl/openssl.cnf) has PKA dynamic engine enabled. But
execution of `openssl engine` doesn't show (PKA) engine as one of the
listings. And also, offloading to PKA doesn't happen by default. Ex:
Executing speed test of
@vladimir sokolovsky
Note, that the proposed PPA is built for all architectures, and all
configurations of the packages in questions as used in Ubuntu. Meaning,
they are all compiled in multiple configurations, which are mutually
incompatible. To ensure one installs the upgraded packages suitable
Actually, I see that the issue disappear only after
/usr/lib/ssl/openssl.cnf was changed by
libcrypto1.1-udeb_1.1.1f-1ubuntu2.6_arm64.udeb.
So, it may be the case that the bug is still there.
What is the proper way to install the fix?
--
You received this bug notification because you are a memb
without libcrypto1.1-udeb_1.1.1f-1ubuntu2.6_arm64.udeb the issue still
reproduced. So, how can I get this fix?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
*udeb, not use, thanks autocorrect
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Status in openssl package in Ubuntu:
Incomp
You should not be installing use packages on an Ubuntu system. These
packages are only for use in the debian-installer environment.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net
Also libssl1.1-udeb depends on libc6-udeb which is not available:
# dpkg -i libssl1.1-udeb_1.1.1f-1ubuntu2.6_arm64.udeb
(Reading database ... 128018 files and directories currently installed.)
Preparing to unpack libssl1.1-udeb_1.1.1f-1ubuntu2.6_arm64.udeb ...
Unpacking libssl1.1-udeb (1.1.1f-1ubu
Note that there is a conflict between libcrypto and openssl:
# dpkg -i libcrypto1.1-udeb_1.1.1f-1ubuntu2.6_arm64.udeb
(Reading database ... 160240 files and directories currently installed.)
Preparing to unpack libcrypto1.1-udeb_1.1.1f-1ubuntu2.6_arm64.udeb ...
Unpacking libcrypto1.1-udeb (1.1.1f-
It is fine. For now I updated my local base OS image to include your
fixes.
Thanks again for the fast response and providing the fixes.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad
New curl & openssl will take some time to appear in focal-updates, as
focal-updates are frozen for 20.04.3 release on 26th of August at the
moment.
See https://discourse.ubuntu.com/t/focal-fossa-20-04-3-lts-point-
release-status-tracking/22948
--
You received this bug notification because you ar
Hi Dimitri,
I tested new openssl, curl and your patch for the pka engine and it fixed the
issue.
Please push the new curl and openssl to updates repository.
Thanks a lot.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to opens
Whilst I have identified broken/racy/incomplete behaviours in both curl
and openssl in ubuntu focal 20.04 and created SRUs for them in the above
mentioned bug reports; these do not fix crashes of the old PKA 1.0.0
engine.
Also PKA 1.0.0 does not appear to be compatible with 20.04 userspace
anymore
Openssl bug report
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656
** Changed in: openssl (Ubuntu)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Focal)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Focal)
Importance: Critical => Undecided
**
** Changed in: openssl (Ubuntu Focal)
Importance: Undecided => Critical
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Statu
** Also affects: openssl (Ubuntu Focal)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" err
Curl bug report
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Stat
Found curl missuse of openssl api; Found missing use-after-free fixes in
openssl; in addition to the pka engine fixes that are possible.
Imho all three should be fixed.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl
Cannot reproduce the issue when using `openssl s_client -connect` or
when using `wget` so it is specific to curl + openssl + engine at the
moment.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs
It appears that engine is destroyed multiple times.
Please see https://github.com/Mellanox/pka/pull/37 which can help to
guard against that.
Meanwhile I'm continuing to research as to why engine is destroyed
multiple times.
--
You received this bug notification because you are a member of Ubunt
** Changed in: openssl (Ubuntu)
Importance: Undecided => Critical
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchp
** Attachment added: "Core dump file"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+attachment/5493968/+files/core-curl.32878.localhost.localdomain.1619816112
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed
** Description changed:
"double free" error is seen when using curl utility. Error is from
libcrypto.so which is part of the OpenSSL package. This happens only
when OpenSSL is configured to use a dynamic engine.
OpenSSL version is 1.1.1f
- This issue is not encountered if
+ The issue
62 matches
Mail list logo
