Segmentation fault with self signed certificate

Bug #1310636 reported by Marcos Agüero
This bug affects 5 people

Affects: curl (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When requesting an HTTPS url hxxps://harrowmedia.com/ (WARNING! known to host malware), disabling options CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, libcurl3-gnutls produces a segmentation fault:

(gdb) run
Starting program: /home/wiredrat/src/curl_poc/curl_gnutls https://harrowmedia.com/
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Nuevo Thread 0x7ffff2c2b700 (LWP 25858)]
[Thread 0x7ffff2c2b700 (LWP 25858) terminado]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6e9db19 in gnutls_x509_crt_import () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
(gdb) bt
#0 0x00007ffff6e9db19 in gnutls_x509_crt_import () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#1 0x00007ffff7bc1ec9 in gtls_connect_step3 (conn=conn@entry=0x65aa50, sockindex=sockindex@entry=0) at vtls/gtls.c:708
#2 0x00007ffff7bc2a7a in gtls_connect_common (conn=conn@entry=0x65aa50, sockindex=sockindex@entry=0, nonblocking=nonblocking@entry=true,
    done=done@entry=0x7fffffffdde5) at vtls/gtls.c:918
#3 0x00007ffff7bc2e0d in Curl_gtls_connect_nonblocking (conn=conn@entry=0x65aa50, sockindex=sockindex@entry=0,
    done=done@entry=0x7fffffffdde5) at vtls/gtls.c:933
#4 0x00007ffff7bc3540 in Curl_ssl_connect_nonblocking (conn=conn@entry=0x65aa50, sockindex=sockindex@entry=0, done=0x7fffffffdde5)
    at vtls/vtls.c:293
#5 0x00007ffff7b86ffe in https_connecting (conn=0x65aa50, done=<optimized out>) at http.c:1354
#6 0x00007ffff7ba9571 in multi_runsingle (multi=multi@entry=0x6514f0, now=..., data=data@entry=0x648750) at multi.c:1195
#7 0x00007ffff7baa1c1 in curl_multi_perform (multi_handle=multi_handle@entry=0x6514f0,
    running_handles=running_handles@entry=0x7fffffffdea4) at multi.c:1752
#8 0x00007ffff7ba1923 in easy_transfer (multi=0x6514f0) at easy.c:705
#9 easy_perform (events=false, data=0x648750) at easy.c:784
#10 curl_easy_perform (easy=0x648750) at easy.c:803
#11 0x0000000000400b06 in main ()

Attached PoC can reproduce the issue against this url. The problem does not appear when linking against libcurl3-openssl. I suspect the problem is related to a malformed certificate.

Marcos Agüero (wiredrat) wrote :

Attached openssl s_client -showcerts for the offending domain.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in curl (Ubuntu):
status: New → Confirmed
lynxis lazus (lynxis-6) wrote :

The crash itself is fixed by "gtls: fix NULL pointer dereference" (commit 386ed2d5904566cbc455a50ee7a57d70385e1f02). Released in 7.37.0 (http://curl.haxx.se/changes.html).

I applied the patch "gtls: fix NULL" onto 7.35.0-1ubuntu2. The test program is now returning 'curl_easy_perform() failed: SSL connect error'.
Using 7.37.1 (on Arch Linux), the test program returns the website as expected. #1348564 should fix this bug.
