Backport OPENSSL_strcasecmp fixes from 3.0 branch

Bug #1975347 reported by Davide Pesavento
This bug affects 1 person
Affects           Status  Importance  Assigned to  Milestone
openssl (Ubuntu)  New     Undecided   Unassigned

Bug Description

The recent openssl update to 3.0.2-0ubuntu1.2 in jammy included some buggy changes related to OPENSSL_strcasecmp. Briefly, it's possible for OPENSSL_strcasecmp to be called before the global locale_t object has been initialized, causing a crash in strcasecmp_l. For example, this bug can be trivially triggered with the program below.

#include <openssl/evp.h>
int main()
{
    EVP_PKEY_Q_keygen(NULL, NULL, "EC", "P-256");
}

The problem is already fixed in the openssl-3.0 branch. Please consider backporting this PR https://github.com/openssl/openssl/pull/18293 or updating the ubuntu package to a more recent commit of that branch that includes the fixes.
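The failure class described in this report (a shared locale_t consumed by strcasecmp_l before anything has initialized it) can be avoided by making the comparison helper create the locale on first use. The sketch below is an added example, not OpenSSL's code and not the change in the referenced PR; g_c_locale, get_c_locale, ascii_casecmp and safe_strcasecmp are hypothetical names, and it assumes glibc on Linux.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* newlocale, strcasecmp_l on glibc */
#endif
#include <locale.h>
#include <stdatomic.h>
#include <strings.h>

/* Hypothetical library-wide locale; stays NULL until first use. */
static _Atomic(locale_t) g_c_locale;

/* Return the shared "C" locale, creating it on first call from any thread. */
static locale_t get_c_locale(void)
{
    locale_t loc = atomic_load(&g_c_locale);
    if (loc != (locale_t)0)
        return loc;
    locale_t fresh = newlocale(LC_ALL_MASK, "C", (locale_t)0);
    if (fresh == (locale_t)0)
        return (locale_t)0;         /* caller uses the ASCII fallback */
    locale_t expected = (locale_t)0;
    if (atomic_compare_exchange_strong(&g_c_locale, &expected, fresh))
        return fresh;
    freelocale(fresh);              /* another thread published first */
    return expected;
}

/* ASCII-only comparison that depends on no global state. */
static int ascii_casecmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb || ca == 0)
            return ca - cb;
    }
}

/* Safe on every call path: strcasecmp_l never sees an unset locale. */
int safe_strcasecmp(const char *a, const char *b)
{
    locale_t loc = get_c_locale();
    return loc != (locale_t)0 ? strcasecmp_l(a, b, loc) : ascii_casecmp(a, b);
}

int main(void)
{
    /* Constructed inputs: the curve name from the report in two casings. */
    return safe_strcasecmp("P-256", "p-256") == 0 ? 0 : 1;
}
```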

description: updated
Simon Chopin (schopin) wrote :

I *think* this is a duplicate of https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1974037 but I'll keep it separate for now as the API used to trigger the issue isn't the same.

Davide Pesavento (davidepesa) wrote :

EVP_EC_gen() is just a macro that expands to EVP_PKEY_Q_keygen(), so yeah, it's exactly the same as https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1974037
