openssl: EVP_EC_gen() segfault without init
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssl (Debian) | Fix Released | Unknown | | |
openssl (Ubuntu) | Fix Released | High | Unassigned | |
Jammy | Fix Released | High | Unassigned | |
Kinetic | Fix Released | High | Unassigned | |
Bug Description
[Impact]
The fix for https:/
The provided debdiff fixes the immediate issue and also settles on a new implementation not requiring the initialization in the first place.
[Test Plan]
Since this is a regression fix, we first need to check that the original bug hasn't cropped up again:
sudo locale-gen tr_TR.UTF-8
LANG=C curl https:/
LANG=tr_TR.UTF-8 curl https:/
For the regression itself:
sudo apt install libssl-dev
cat <<EOF > openssl_test.c
#include <openssl/evp.h>
int main()
{
EVP_
}
EOF
gcc openssl_test.c -lcrypto -lssl -o openssl_test
./openssl_test
[Where problems could occur]
This new patch set is relatively massive, on top of another massive one.
Some new regressions could crop up of a similar kind. Furthermore, the
homegrown string comparison function could be buggy, leading to algorithm name mismatches.
[Other info]
The patches all come from upstream and have been merged on their 3.0 maintenance branch.
[Original report]
Source: sscg
Version: 3.0.2-1
Severity: serious
Tags: ftbfs
https:/
...
1/10 generate_
04:32:21 MALLOC_PERTURB_=87 /<<PKGBUILDDIR>
...
Summary of Failures:
1/10 generate_
Ok: 9
Expected Fail: 0
Fail: 1
Unexpected Pass: 0
Skipped: 0
Timeout: 0
dh_auto_test: error: cd obj-x86_
make: *** [debian/rules:6: binary-arch] Error 25
This has also been reported on the openssl-users mailing list:
https://<email address hidden>
Related branches
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
- Diff: 5913 lines (+5452/-13), 49 files modified
debian/README.debian (+0/-8)
debian/changelog (+524/-0)
debian/control (+4/-1)
debian/libssl3.postinst (+226/-0)
debian/libssl3.templates (+42/-0)
debian/patches/Drop-the-last-ossl_init_casecmp-call.patch (+36/-0)
debian/patches/Set-systemwide-default-settings-for-libssl-users.patch (+2/-3)
debian/patches/lp1947588.patch (+97/-0)
debian/patches/series (+11/-0)
debian/patches/skip_tls1.1_seclevel3_tests.patch (+51/-0)
debian/patches/strcasecmp-implement-strcasecmp-and-strncasecmp.patch (+215/-0)
debian/patches/tests-use-seclevel-1.patch (+235/-0)
debian/patches/tls1.2-min-seclevel2.patch (+63/-0)
debian/patches/tolower-refine-the-tolower-code-to-avoid-a-memory-ac.patch (+139/-0)
debian/po/ar.po (+108/-0)
debian/po/ca.po (+117/-0)
debian/po/cs.po (+119/-0)
debian/po/da.po (+119/-0)
debian/po/de.po (+119/-0)
debian/po/el.po (+115/-0)
debian/po/es.po (+153/-0)
debian/po/eu.po (+114/-0)
debian/po/fi.po (+121/-0)
debian/po/fr.po (+128/-0)
debian/po/gl.po (+108/-0)
debian/po/hu.po (+101/-0)
debian/po/it.po (+117/-0)
debian/po/ja.po (+109/-0)
debian/po/ko.po (+104/-0)
debian/po/lt.po (+124/-0)
debian/po/ml.po (+106/-0)
debian/po/nb.po (+117/-0)
debian/po/nl.po (+130/-0)
debian/po/pl.po (+120/-0)
debian/po/pt.po (+115/-0)
debian/po/pt_BR.po (+131/-0)
debian/po/ro.po (+115/-0)
debian/po/ru.po (+119/-0)
debian/po/sk.po (+113/-0)
debian/po/sv.po (+126/-0)
debian/po/ta.po (+95/-0)
debian/po/templates.pot (+95/-0)
debian/po/tr.po (+118/-0)
debian/po/uk.po (+105/-0)
debian/po/vi.po (+107/-0)
debian/po/zh_CN.po (+106/-0)
debian/po/zh_TW.po (+98/-0)
debian/rules (+14/-0)
debian/tests/control (+1/-1)
Changed in openssl (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Changed in openssl (Ubuntu Kinetic):
status: Confirmed → In Progress
description: updated
tags: added: patch
This issue has been introduced in 3.0.3 upstream but we've backported the patch set to Jammy as well. The cherry-picked fix is in Debian in 3.0.3-4.
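The [Where problems could occur] section flags the homegrown string comparison as a place where algorithm name mismatches could appear, and the test plan runs under a Turkish locale. The following is an added example, not the upstream patch or code from this report: an ASCII-only case-insensitive comparison that ignores LC_CTYPE, with the check a reviewer would run on it. The function names and the sample name pairs are constructed for illustration.

```c
#include <locale.h>
#include <stddef.h>
#include <stdio.h>

/* Fold only 'A'..'Z'. Every other byte, including UTF-8 bytes >= 0x80,
 * is returned unchanged, so the result never depends on the locale. */
static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Hypothetical helper: compare at most n bytes, read as unsigned char. */
int ascii_ncasecmp(const char *a, const char *b, size_t n)
{
    const unsigned char *p = (const unsigned char *)a;
    const unsigned char *q = (const unsigned char *)b;

    for (; n > 0; n--, p++, q++) {
        int d = ascii_lower(*p) - ascii_lower(*q);
        if (d != 0 || *p == '\0')
            return d;
    }
    return 0;
}

int ascii_casecmp(const char *a, const char *b)
{
    return ascii_ncasecmp(a, b, (size_t)-1); /* the loop stops at the NUL */
}

/* Constructed sample pairs: names that must match, and near misses that must not. */
static const struct { const char *a, *b; int equal; } SAMPLES[] = {
    { "SHA256", "sha256", 1 },         { "id-ecPublicKey", "ID-ECPUBLICKEY", 1 },
    { "AES-128-GCM", "aes-128-gcm", 1 }, { "EC", "ED", 0 },
    { "SHA2", "SHA256", 0 },           { "\xc4\xb1", "i", 0 }, /* U+0131 is not 'i' */
};

/* Count wrong answers with the given locale active (unchanged if not installed). */
int count_mismatches(const char *locale)
{
    size_t i;
    int bad = 0;

    setlocale(LC_ALL, locale);
    for (i = 0; i < sizeof(SAMPLES) / sizeof(SAMPLES[0]); i++)
        if ((ascii_casecmp(SAMPLES[i].a, SAMPLES[i].b) == 0) != SAMPLES[i].equal)
            bad++;
    setlocale(LC_ALL, "C");
    return bad;
}

int main(void)
{
    printf("C: %d, tr_TR.UTF-8: %d\n", count_mismatches("C"), count_mismatches("tr_TR.UTF-8"));
    return 0;
}
```

Both counts should be zero whether or not the tr_TR.UTF-8 locale has been generated on the machine.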