Deadlock when reading a public key

Bug #1066032 reported by Ivo Timmermans on 2012-10-12
This bug affects 5 people

Affects                    Status         Importance   Assigned to        Milestone
OpenSSL                    Fix Released   Unknown
openssl (Ubuntu)           Fix Released   High         Marc Deslauriers
openssl (Ubuntu Precise)   Fix Released   High         Marc Deslauriers
openssl (Ubuntu Quantal)   Fix Released   High         Marc Deslauriers
openssl (Ubuntu Raring)    Fix Released   High         Marc Deslauriers

Bug Description

[SRU request]

[Impact]
A deadlock exists in the public key decoding code of openssl in Precise and Quantal. Users of openssl in environments where a large number of keys are being processed may hit it, causing the application to hang. This has been fixed in the development release by backporting a trivial patch from upstream.

[Test Case]
There is currently no known reliable way of reproducing the deadlock.
The openssl test suite passes with the patch, and the QRT scripts have been run successfully.

[Regression Potential]
The patch is trivial, and shouldn't cause any regressions. It has been used in a couple of upstream releases so far. If the patch does introduce a regression, it would affect public key decoding and would be apparent.

Original report:
We're experiencing deadlocks in Ubuntu 12.04 at our customers. After some investigation, a known bug in OpenSSL 1.0.1c (and other versions) is causing this. The bug itself was known since one day after this release (11th of May this year).

OpenSSL bug report: http://rt.openssl.org/Ticket/Display.html?id=2813&user=guest&pass=guest

Commit that fixes the issue in OpenSSL 1.0.1: http://cvs.openssl.org/chngview?cn=22570

For now, we're distributing a modified version of the OpenSSL packages for Ubuntu, but of course we're not the only ones with this bug.

Changed in openssl:
status: Unknown → Fix Released
Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu Quantal):
status: New → Confirmed
T T (netti+ubuntu) wrote :

I'm hitting this bug also and was just wondering is a fix planned or should I try to get hold of the modified version of openssl?

Changed in openssl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Ivo Timmermans (ivo) wrote :

Is there any progress to be reported?

Adam Koczur (sbv) wrote :

This is a real shame and embarrassment that this bug is still not fixed in the LTS even with the upstream patch being available for so long. Importance should be high as opposed to undecided. This bug was affecting my reverse proxy - Apache would fail every few hours which in a production environment is absurd. To produce fixed packages it took me half an hour, apparently Canonical need half a year.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1c-4ubuntu6

---------------
openssl (1.0.1c-4ubuntu6) raring; urgency=low

  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)
 -- Marc Deslauriers <email address hidden> Wed, 06 Mar 2013 08:11:19 -0500

Changed in openssl (Ubuntu Raring):
status: Confirmed → Fix Released
Colin Watson (cjwatson) on 2013-03-07
Changed in openssl (Ubuntu Precise):
importance: Undecided → High
Changed in openssl (Ubuntu Quantal):
importance: Undecided → High
Changed in openssl (Ubuntu Raring):
importance: Undecided → High
description: updated
Dimitri John Ledkov (xnox) wrote :

Uploaded into precise-proposed and quantal-proposed, unapproved queues. Pending members of SRU team to review, accept and publish it in the -proposed pocket.

Changed in openssl (Ubuntu Quantal):
status: Confirmed → In Progress
Changed in openssl (Ubuntu Precise):
status: Confirmed → In Progress
Adam Koczur (sbv) wrote :

It's been a month now chaps. May we have an update on this, please?

Hello Ivo, or anyone else affected,

Accepted openssl into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssl (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Hello Ivo, or anyone else affected,

Accepted openssl into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssl (Ubuntu Precise):
status: In Progress → Fix Committed
Adam Koczur (sbv) wrote :

Brian, I've been running apache with openssl 1.0.1-4ubuntu5.9 for almost a week now and it appears to be pretty stable. No issues so far.

Felix Geyer (debfx) on 2013-04-25
tags: added: verification-done-precise
tags: added: verification-done-quantal
tags: removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.9

---------------
openssl (1.0.1-4ubuntu5.9) precise; urgency=low

  [ Dmitrijs Ledkovs ]
  * Enable arm assembly code. (LP: #1083498) (Closes: #676533)
  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)

  [ Marc Deslauriers ]
  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)
 -- Dmitrijs Ledkovs <email address hidden> Mon, 15 Apr 2013 13:44:50 +0100

Changed in openssl (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1c-3ubuntu2.4

---------------
openssl (1.0.1c-3ubuntu2.4) quantal; urgency=low

  [ Dmitrijs Ledkovs ]
  * Enable arm assembly code. (LP: #1083498) (Closes: #676533)
  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)

  [ Marc Deslauriers ]
  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)
 -- Dmitrijs Ledkovs <email address hidden> Thu, 04 Apr 2013 12:15:11 +0100

Changed in openssl (Ubuntu Quantal):
status: Fix Committed → Fix Released
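With fixed packages released for all three series, the practical question for an administrator is whether a given host (or an inventory of hosts) is already running a version at or above the fix. The script below is an added example, not part of the bug report or of Ubuntu's tooling. It takes the three fixed source versions from the changelog entries in this bug and re-implements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything) so the comparison also works off-box on exported version strings, where `dpkg --compare-versions` is not available. It assumes the shared library built from the openssl source is the binary package `libssl1.0.0`; that name is not stated on this page.

```python
"""Check whether an installed openssl package carries the fix for LP: #1066032.

Added example; the fixed versions are taken from the changelogs in the bug,
the comparison mirrors dpkg's verrevcmp() so it can run without dpkg present.
"""
import string
import subprocess

# Fixed openssl source versions, per the Launchpad Janitor changelog entries.
FIXED_VERSIONS = {
    "precise": "1.0.1-4ubuntu5.9",
    "quantal": "1.0.1c-3ubuntu2.4",
    "raring": "1.0.1c-4ubuntu6",
}

# Assumption: the openssl shared library is shipped as libssl1.0.0 on these
# releases. Adjust if your binary package name differs.
LIBSSL_PACKAGE = "libssl1.0.0"


def _isdigit(c: str) -> bool:
    return c != "" and c in string.digits


def _order(c: str) -> int:
    """Weight of one character as dpkg sorts it: '~' < end < letters < others."""
    if _isdigit(c):
        return 0
    if c in string.ascii_letters and c:
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-or-revision component the way dpkg does."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare per-character weights.
        while (ch(a, i) and not _isdigit(ch(a, i))) or (ch(b, j) and not _isdigit(ch(b, j))):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer number wins, else first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while _isdigit(ch(a, i)) and _isdigit(ch(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(ch(a, i)):
            return 1
        if _isdigit(ch(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def has_fix(series: str, installed: str) -> bool:
    """True if `installed` is at or above the version that shipped the fix for `series`."""
    return compare_versions(installed, FIXED_VERSIONS[series]) >= 0


def installed_version(package: str = LIBSSL_PACKAGE) -> str:
    """Ask dpkg for the installed version of a binary package (Debian/Ubuntu hosts only)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    import sys
    series = sys.argv[1] if len(sys.argv) > 1 else "precise"
    version = sys.argv[2] if len(sys.argv) > 2 else installed_version()
    state = "has" if has_fix(series, version) else "LACKS"
    print(f"{LIBSSL_PACKAGE} {version} on {series} {state} the fix for LP: #1066032")
```

Run it as `python3 check_lp1066032.py precise` on the host itself, or `python3 check_lp1066032.py quantal 1.0.1c-3ubuntu2.3` against a version string pulled from elsewhere. Note that the series matters: the Precise fix is in `1.0.1-4ubuntu5.9`, which sorts below the Quantal fix `1.0.1c-3ubuntu2.4`, so a naive cross-series comparison of the upstream string would misjudge a patched Precise host.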