openssl 1.1.1-1ubuntu2.1~18.04.1 contains upstream bug 7350

Bug #1832659 reported by Steve Wills on 2019-06-13
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenSSL
Fix Released
Unknown
openssl (Ubuntu)
Status tracked in Eoan
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned
Eoan
Undecided
Unassigned

Bug Description

[Impact]

 * Regression was introduced in OpenSSL 1.1.1 and fixed in 1.1.1b that prevents initialising libcrypto/libssl multiple times, and/or with different options.
 * This breaks existing applications that correctly use init API, ie. initialise libcrypto before/separately from libssl and/or with different options.

[Test Case]

 * wget https://bugs.launchpad.net/ubuntu/cosmic/+source/openssl/+bug/1832659/+attachment/5270802/+files/test_multiple_libssl_libcrypto_init.py

 * python3 ./test_multiple_libssl_libcrypto_init.py

test_multiple_init (__main__.TestMultipleInit) ... ok

----------------------------------------------------------------------
Ran 1 test in 0.014s

OK

[Regression Potential]

 * This is a cherrypick from upstream, and is backwards compatible with existing code. Simply init succeeds under more conditions now, than it did previously in 1.1.1. Also with this fix, OpenSSL is back to how things used to work with 1.1.0 and prior releases.

[Original Bug report]

After the update of openssl in bionic, I started having an issue and after troubleshooting found this issue:

https://github.com/openssl/openssl/issues/7350

Applying the patch linked in that issue and rebuilding the openssl package avoided the issue.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.1~18.04.1
ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Thu Jun 13 00:21:16 2019
InstallationDate: Installed on 2019-06-12 (0 days ago)
InstallationMedia: Ubuntu-Server 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)

Steve Wills (swills6) wrote :
Dimitri John Ledkov (xnox) wrote :

Can you please provide sources of your app / example of behaviour that needs fixing?

For us to prepare an SRU, we'd need to provide the following details:

https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Would you be able to provide details requested there? as in fill out the below template's Impact, Test Case, Regression Potential sections

I've tried to understand the upstream issue linked, but i'm not affected so I am struggling a bit.

Something minimal is ideal, like a tiny main(){}; C function that like calls double init, and works with openssl 1.1.0 from bionic-release, but fails with openssl 1.1.1 from bionic-updates.

[Impact]

 * An explanation of the effects of the bug on users and

 * justification for backporting the fix to the stable release.

 * In addition, it is helpful, but not required, to include an
   explanation of how the upload fixes this bug.

[Test Case]

 * detailed instructions how to reproduce the bug

 * these should allow someone who is not familiar with the affected
   package to reproduce the bug and verify that the updated package fixes
   the problem.

[Regression Potential]

 * discussion of how regressions are most likely to manifest as a result of this change.

 * It is assumed that any SRU candidate patch is well-tested before
   upload and has a low overall risk of regression, but it's important
   to make the effort to think about what ''could'' happen in the
   event of a regression.

 * This both shows the SRU team that the risks have been considered,
   and provides guidance to testers in regression-testing the SRU.

[Other Info]

 * Anything else you think is useful to include
 * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
 * and address these questions in advance

Changed in openssl (Ubuntu Disco):
status: New → Fix Released
Changed in openssl (Ubuntu Eoan):
status: New → Fix Released
Dimitri John Ledkov (xnox) wrote :

The issue mentioned should be included in openssl 1.1.1b and hence fix released in disco and eoan.

Steve Wills (swills6) wrote :

FWIW, here's the code that's being used and the output before the patch is built and put in place:

https://github.com/saltstack/salt/blob/v2016.11.1/salt/utils/rsax931.py#L36

Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 374, in salt_call
    import salt.cli.call
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 9, in <module>
    import salt.cli.caller
  File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 18, in <module>
    import salt.loader
  File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 29, in <module>
    import salt.utils.event
  File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module>
    import salt.payload
  File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module>
    import salt.crypt
  File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 43, in <module>
    import salt.utils.rsax931
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 84, in <module>
    libcrypto = _init_libcrypto()
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 74, in _init_libcrypto
    raise OSError("Failed to initialize OpenSSL library (OPENSSL_init_crypto failed)")
OSError: Failed to initialize OpenSSL library (OPENSSL_init_crypto failed)

Changed in openssl:
status: Unknown → Fix Released
Dimitri John Ledkov (xnox) wrote :

@Steve

Ubuntu 18.04 ships salt 2017.7.4 which has been patched for openssl 1.1.1 compatibility.

Please see:

https://launchpad.net/ubuntu/+source/salt/2017.7.4+dfsg1-1ubuntu18.04.1

salt (2017.7.4+dfsg1-1ubuntu18.04.1) bionic; urgency=medium

  * Cherrypick two upstream patches to fix compat with OpenSSL 1.1.1,
    without these salt fails to start when OpenSSL is upgraded from 1.1.0
    to 1.1.1. LP: #1823332
  * Fix up install call in debian/rules to resolve FTBFS.

Are there reasons why you use v2016 salt? Why not use v2017 salt from ubuntu? Do you need to request upstream backport of https://github.com/saltstack/salt/pull/51655/files for v2016? Does patch from https://github.com/saltstack/salt/pull/51655/files work on v2016?

Steve Wills (swills6) wrote :

Yes, we have to use 2016 salt due to in house modules that need to be updated. If salt 2016 was updated, we would still have quite a bit of work to do. The fix in upstream works, in fact just removing OPENSSL_INIT_NO_LOAD_CONFIG works. But, it also worked before the openssl update. And I think that is really only a work around. I suspect others will hit similar issues separate from Salt, like mentioned in the upstream bug. I'm wondering, why did you use 1.1.1 instead of 1.1.1c?

Steve Wills (swills6) wrote :

Here's a reduced reproducer that is python but isn't salt. All it does is verify the bug in OpenSSL, should return 1 for both calls. I can post a version in C if that would be helpful. It fails with the current version in Bionic and succeeds with the bug fixed version.

tags: added: regression-update
tags: added: regression-release
Dimitri John Ledkov (xnox) wrote :

So bionic-release, disco, eoan are all good.

Regressions are in bionic-updates|-proposed and cosmic.

I.e. regression introduced in 1.1.1, present in 1.1.1a, fixed in 1.1.1b and later.

description: updated
Dimitri John Ledkov (xnox) wrote :
description: updated

Hello Steve, or anyone else affected,

Accepted openssl into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted openssl into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Steve Wills (swills6) wrote :

Hi,

The package version 1.1.1-1ubuntu2.1~18.04.3 does fix it for me, thanks!

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic

Thank you for taking the time to verify this stable release fix. We have noticed that you have used the verification-done tag for marking the bug as verified and would like to point out that due to a recent change in SRU bug verification policy fixes now have to be marked with per-release tags (i.e. verification-done-$RELEASE). Please remove the verification-done tag and add one for the release you have tested the package in. Thank you!

https://wiki.ubuntu.com/StableReleaseUpdates#Verification

Steve Wills (swills6) wrote :

It looks like the verification-done-bionic tag was added, so I don't understand this comment.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1-1ubuntu2.1~18.04.3

---------------
openssl (1.1.1-1ubuntu2.1~18.04.3) bionic; urgency=medium

  * Fix path to Xorg for reboot notifications on desktop. LP: #1832421
  * Cherrypick upstream fix to allow succesful init of libssl and
    libcrypto using separate calls with different options. LP: #1832659

 -- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:50:28 +0100

Changed in openssl (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openssl has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.