Curl corrupts large POSTs to SSL servers

Bug #137849 reported by Gustavo Niemeyer on 2007-09-06
Affects Status Importance Assigned to Milestone
curl (Ubuntu)
Martin Pitt

Bug Description

Binary package hint: libcurl3-gnutls

The curl version currently present in Dapper (0.15.1) has a bug which
corrupts POSTs when sent to SSL servers.

The bug and the respective fix is described at:

The small diff may also be found applied in the CVS repository:

We currently have a few Landscape clients wedged due to this problem.

Henrik Nilsen Omma (henrik) wrote :

Hi Gustavo,

Thanks for reporting and finding a patch. To get this into dapper we need to follow the SRU process at:

I've reordered the info in the original report along the lines of the SRU requirements.

1. Impact - Affects several Landscape users.

2. Development version - the bug is fixed in newer versions of curl from Edgy

3. Patch - MISSING - We still need a patch speciffic to Dapper attached to this bug.

4. Reproducing - MISSING - Reproduction steps are needed for the validation phase.

5. Regression potential - This is a 5 line fix that has already been live in Ubuntu since Edgy. The regression potential is small.

Changed in curl:
importance: Undecided → High
status: New → Confirmed
Gustavo Niemeyer (niemeyer) wrote :
Gustavo Niemeyer (niemeyer) wrote :
Martin Pitt (pitti) wrote :

Taking for sponsoring. The patch looks fine, I'll generate the debdiff from the attached source package blob.

Changed in curl:
assignee: nobody → pitti
importance: Undecided → High
status: New → In Progress
Martin Pitt (pitti) wrote :

Fixed in Edgy and later.

Changed in curl:
status: Confirmed → Fix Released
Martin Pitt (pitti) wrote :

I cleaned up and fixed the source package, this is the debdiff. Thanks, Gustavo, for digging out the patch!

The reproducer script does not seem to work for me. With the current dapper curl, I already get the expected result:

[dapper] 0 martin@donald:~/ubuntu/curl$ python

Expected: 9a0d55a0c6d0a1f7d3aa335fdb07fadb

At least I still get the correct result with the new curl, and it still seems to work. However, a proper SRU bug needs a working verification recipe before it can be moved to -updates. Can you please update the reproducer script?

Gustavo Niemeyer (niemeyer) wrote :

Ok, I see the problem. The installed "curl" binary is linked against OpenSSL instead of GnuTLS.

I'm attaching another script, which uses pycurl to perform the same logic.

Can you please try it out?

Gustavo Niemeyer (niemeyer) wrote :

Also notice that due to the bug nature, it may not *always* fail.

Colin Watson (cjwatson) wrote :

To speed things up, I reviewed this too, and confirmed that Gustavo's new reproduction script fails before his patch and succeeds afterwards.

I sponsored this upload and have accepted it into dapper-proposed. Please test the build that will arrive there shortly.

Changed in curl:
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Gustavo tested it and it worked for him.

Martin Pitt (pitti) wrote :

I tested the -proposed packages myself. Gustavo's reproducer fails with the old version and works with the new one, and curl'ing some https:// pages still works properly.

I consider this sufficiently verified, the package can go to -updates tomorrow.

Gustavo Niemeyer (niemeyer) wrote :

Yes, we've run the test script in our own environment with the
proposed package and confirmed that it works.

Martin Pitt (pitti) wrote :

Copied to daper-updates.

Changed in curl:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers