Ubuntu

Blink SIP client segfaults with libgcrypt11 1.5.0-3ubuntu0.1

Reported by Tommi Siivola on 2012-06-15
170
This bug affects 32 people
Affects Status Importance Assigned to Milestone
python-gnutls (Ubuntu)
High
Unassigned
Lucid
Undecided
Unassigned
Oneiric
Undecided
Unassigned
Precise
High
Unassigned
Quantal
High
Unassigned
Raring
High
Unassigned

Bug Description

[Impact]
This regression was introduced from bug 423252

[Test Case]
Python 2.7.3 (default, Apr 20 2012, 22:44:07)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from gnutls.crypto import X509Certificate, X509PrivateKey
Segmentation fault (core dumped)

[Regression Potentional]
All known test cases pass so unless there is another corner case the regression potentional should be minimal.

I'm not sure to which package I should report this, but I use the Blink SIP client (http://icanblink.com/) and noticed that it segfaults at startup if I have libgcrypt11 1.5.0-3ubuntu0.1 installed, but if I force the older version 1.5.0-3 Blink works ok.

Blink is a Python app and I think I managed to find the line of Python code that causes the segfault. The line is 'from gnutls.crypto import X509Certificate, X509PrivateKey'. Here is what happens when I run it in the Python console:

I'm using 12.04, but I originally noticed the issue when I had 11.10 and the proposed updates enabled. One day there were some updates that broke Blink and going through the updates I discovered that reverting libgcrypt fixed it.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libgcrypt11 (Ubuntu):
status: New → Confirmed
gdi2k (gdi2k) wrote :

Thanks for finding the cause of this.

I have reported the issue to AG Projects via their support email, I hope they're able to fix it eventually.

Meanwhile I would be very interested in using the workaround you describe - downgrading libgcrypt11.

When I try this, it wants me to remove a lot of essential packages:

gdi2k@x200-1204:~$ sudo apt-get install libgcrypt11=1.5.0-3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  glib-networking:i386 googleearth gstreamer0.10-plugins-good:i386 gtk2-engines:i386 gtk2-engines-murrine:i386 gtk2-engines-pixbuf:i386 ia32-libs ia32-libs-multiarch:i386 ibus-gtk:i386
  libcanberra-gtk-module:i386 libcanberra-gtk0:i386 libcups2:i386 libcupsimage2:i386 libcurl3:i386 libgail-common:i386 libgail18:i386 libgcrypt11:i386 libgnome-keyring0:i386 libgnutls26:i386 libgtk2.0-0:i386
  libldap-2.4-2:i386 librsvg2-common:i386 librtmp0:i386 libsoup-gnome2.4-1:i386 libsoup2.4-1:i386 libxslt1.1:i386 skype teamviewer7
The following packages will be DOWNGRADED:
  libgcrypt11
0 upgraded, 0 newly installed, 1 downgraded, 28 to remove and 0 not upgraded.
Need to get 280 kB of archives.
After this operation, 140 MB disk space will be freed.
Do you want to continue [Y/n]?

Were you able to downgrade the package without breaking / removing a lot of other packages?

Nicholas Wind (redhatnick) wrote :

My packages were a mess anyway from other potholes in Precise, so I just went ahead and reinstalled Precise which had the old package. Immediately after the install I did

echo libgcrypt11 hold | dpkg --set-selections

libgcrypt11 should now appear as as 'held-back' during any upgrade from apt. I've also held the package in aptitude and synaptic which seems to be holding down the fort. Update Manager still says there is an update available, but it doesn't show libgcrypt11 so I think I can hold on for a bit.

gdi2k (gdi2k) wrote :

I got a helpful response from Saúl Ibarra Corretgé at AG Projects, the makers of Blink. I will paste it below:

We do have plans to repackage Blink for Precise, it will happen after the next python-sipsimple release, but we have no ETA for that yet.

As for the crash, it happens somewhere in libcrypto, which is wrapped by python-gnutls, so there is nothing to fix in Blink. However, we are also the authors of python-gnutls, so if it's a problem in that library we will fix it. Unfortunately, the problem seems to be in libcrypto, not in python-gnutls, so there is not much we can do.

Nevertheless I'll have a look at this and see if there is anything to be fixed in python-gnutls.

Tommi Siivola (s-tommi) wrote :

I was able to downgrade libgcrypt11 package without any dependency issues on my laptop, but on my desktop apt-get wants to remove other packages besides libgcrypt11 because of dependency issues. The main difference between the two computers is that the laptop has 32-bit Ubuntu but the desktop has 64-bit.

Joe Petri (frizzofrizzo) wrote :

I solved reinstalling the package from ubuntu repository .
Tommi , you can get the one that suits better for your release at this place : http://packages.ubuntu.com/lucid/amd64/libgcrypt11/download by simply replacing lucid with your ubuntu version and amd64 with your system architecture .
Hope you'll be lucky .
Cheers.

vedavata (vedavrata) wrote :

 sudo apt-get install libgcrypt11=1.5.0-3
==
This command helped me...
But every new time of 'sudo apt-get upgrade' reinstall new version of libgcrypt11 (libgcrypt) and the problem returns... :-(
What to do?
How to fix?

Joe Petri (frizzofrizzo) wrote :

vedavrata take a look at comment #3 , thats the solution for you !

vedavata (vedavrata) wrote :

Dear Joe,
thank you!

When to clear this? :-)
And how? :-)

Joe Petri (frizzofrizzo) wrote :

Dear Vedavata, you're welcome !
I didn't understand what you meant exactly , i list the commands needed to make blink works again :

- install libgcrypt11 package, according with your ubuntu version and system architecture, in my case 64bit lucid ubuntu.

http://packages.ubuntu.com/lucid/amd64/libgcrypt11/download

another example 32bit precise ubuntu http://packages.ubuntu.com/precise/i386/libgcrypt11/download

- after you download, install the package by clicking on it or through terminal command sudo dpkg -i package_name.deb

- next echo libgcrypt11 hold | sudo dpkg --set-selections.

Thats it ! No more steps needed . About the definitive solution on libgcrypt11 package , we have to wait for blink's team ultimate work as gdi2k reported on comment #3.

Hope this will be useful for you and you'll have blink working again following the steps above.

Cheers.

Ulrich Lichtenegger (ulilicht) wrote :

hello to all, very helpful thread!

i tried to replace my libgrypt11, but this does not work because libldap-2.4-2 depends on it. removal of this package would remove A LOT of other packages.
i use kde, most of the other packages were kde specific.

does anybody know about another workaround?

cheers, uli

Hi,

I work for AG Projects, we are the upstream for the Blink SIP client and while testing this out I just found the apparent root cause for the libgcrypt11 crash: Ubuntu includes a patch called 'no_global_init_during_thread_callbacks.diff'. Removing it avoids the crash. This patch is not present on the Debian package nor upstream, but unfortunately I'm not aware of the internals of libgcrypt to assert it's correctness.

Cheers,

gdi2k (gdi2k) wrote :

Thank you Saul for identifying the issue. I've traced this patch back to this bug:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/423252

I don't understand the details, but maybe it's helpful to you in understanding what it does and how to avoid the issues with it.

Steve Langasek (vorlon) wrote :

Adam, this is reported to be a regression introduced by the changes from bug #423252. Can you have a look?

Changed in libgcrypt11 (Ubuntu):
assignee: nobody → Adam Stokes (adam-stokes)
importance: Undecided → Critical
tags: added: regression-update
Adam Stokes (adam-stokes) wrote :

Hi,

This is on my list to try and resolve this week. Thank you for your patience.

Adma

description: updated
Changed in libgcrypt11 (Ubuntu Quantal):
assignee: nobody → Adam Stokes (adam-stokes)
Changed in libgcrypt11 (Ubuntu Precise):
assignee: nobody → Adam Stokes (adam-stokes)
Changed in libgcrypt11 (Ubuntu Oneiric):
assignee: nobody → Adam Stokes (adam-stokes)
Changed in libgcrypt11 (Ubuntu Lucid):
assignee: nobody → Adam Stokes (adam-stokes)
milestone: none → lucid-updates
Changed in libgcrypt11 (Ubuntu Precise):
milestone: none → precise-updates
Changed in libgcrypt11 (Ubuntu Quantal):
milestone: none → quantal-updates
Changed in libgcrypt11 (Ubuntu Oneiric):
milestone: none → oneiric-updates
Changed in libgcrypt11 (Ubuntu Quantal):
importance: Undecided → Critical
Changed in libgcrypt11 (Ubuntu Lucid):
importance: Undecided → Critical
Changed in libgcrypt11 (Ubuntu Precise):
status: New → Confirmed
Changed in libgcrypt11 (Ubuntu Oneiric):
importance: Undecided → Critical
Changed in libgcrypt11 (Ubuntu Precise):
importance: Undecided → Critical
Changed in libgcrypt11 (Ubuntu Quantal):
status: New → In Progress
Changed in libgcrypt11 (Ubuntu Raring):
status: Confirmed → In Progress
Changed in libgcrypt11 (Ubuntu Precise):
status: Confirmed → In Progress
Changed in libgcrypt11 (Ubuntu Oneiric):
status: New → In Progress
Changed in libgcrypt11 (Ubuntu Lucid):
status: New → In Progress
Changed in libgcrypt11 (Ubuntu Raring):
milestone: none → ubuntu-13.04
Adam Stokes (adam-stokes) wrote :

Contains updated patch to include the patch tagging guidelines (desc, origin, bug)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgcrypt11 - 1.5.0-3ubuntu2

---------------
libgcrypt11 (1.5.0-3ubuntu2) raring-proposed; urgency=low

  [Howard Chu]
  * debian/patches/enable-global-init-secure-memory.patch:
    Fix regression during disable/suspend of secure memory
    (LP: #1013798)
 -- Adam Stokes <email address hidden> Mon, 05 Nov 2012 11:05:59 -0500

Changed in libgcrypt11 (Ubuntu Raring):
status: In Progress → Fix Released
Brian Murray (brian-murray) wrote :

I've uploaded this to the stable release queues.

Afaict this bug should not be marked as "fixed released" anymore because 1.5.0-3ubuntu2.1 reverted 1.5.0-3ubuntu2.

Changed in libgcrypt11 (Ubuntu Raring):
status: Fix Released → In Progress
carloslp (carloslp) wrote :

I can confirm that the patch that fixed LP: #423252 is breaking python-gnutls:

$ python
Python 2.7.3 (default, Sep 9 2012, 17:41:34)
[GCC 4.7.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import gnutls.crypto
Segmentation fault

(On Debian) there is only one reverse-dependency for python-gnutls on the archive:

$ apt-rdepends -r python-gnutls
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-gnutls
  Reverse Depends: mandos (1.6.0-1)
mandos

See: http://bugs.debian.org/658896

carloslp (carloslp) wrote :

See http://bugs.debian.org/368297 http://bugs.debian.org/658896 for an alternative patch to fix LP: #423252 that don't introduced any regression.

To fix this bug, the patch applied on LP: #423252 to libgcrypt (no-global-init-thread-callbacks.diff) should be reverted and the following patch http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=135;filename=fix-dropping-privileges-by-libgcrypt-secmem.diff;att=2;bug=368297 should be applied to OpenLDAP

carloslp (carloslp) wrote :

Actual comment on the Debian bug history with the patch and the explanation: http://bugs.debian.org/658896#104

Jack Bates (nottheoilrig) wrote :

I think this bug is a problem in the Python wrapper for the GnuTLS library. The Libgcrypt manual states that:

> The function gcry_check_version initializes some subsystems used by Libgcrypt
> and must be invoked before any other function in the library, with the exception of
> the GCRYCTL_SET_THREAD_CBS command (called via the gcry_control function).

Properly initializing the library resolves this bug.

Adam Stokes (adam-stokes) wrote :

Could I get others to verify the patch in comment #29?

Michael Dwyer (kalifg) wrote :

Verified. Applying the patch in #29 results in no segfault:

[Test Case]
Python 2.7.3 (default, Sep 26 2012, 21:51:14)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from gnutls.crypto import X509Certificate, X509PrivateKey
>>>

Adam Stokes (adam-stokes) wrote :

Thank you Michael I really appreciate the testing. I'll get this packaged up this week and have an SRU sent out for the releases.

Thanks
Adam

You're welcome!

On Tue, Apr 2, 2013 at 8:31 AM, Adam Stokes <email address hidden>wrote:

> Thank you Michael I really appreciate the testing. I'll get this
> packaged up this week and have an SRU sent out for the releases.
>
> Thanks
> Adam
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1013798
>
> Title:
> Blink SIP client segfaults with libgcrypt11 1.5.0-3ubuntu0.1
>
> Status in “libgcrypt11” package in Ubuntu:
> In Progress
> Status in “libgcrypt11” source package in Lucid:
> In Progress
> Status in “libgcrypt11” source package in Oneiric:
> In Progress
> Status in “libgcrypt11” source package in Precise:
> In Progress
> Status in “libgcrypt11” source package in Quantal:
> In Progress
> Status in “libgcrypt11” source package in Raring:
> In Progress
>
> Bug description:
> [Impact]
> This regression was introduced from bug 423252
>
> [Test Case]
> Python 2.7.3 (default, Apr 20 2012, 22:44:07)
> [GCC 4.6.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from gnutls.crypto import X509Certificate, X509PrivateKey
> Segmentation fault (core dumped)
>
> [Regression Potentional]
> All known test cases pass so unless there is another corner case the
> regression potentional should be minimal.
>
> I'm not sure to which package I should report this, but I use the
> Blink SIP client (http://icanblink.com/) and noticed that it segfaults
> at startup if I have libgcrypt11 1.5.0-3ubuntu0.1 installed, but if I
> force the older version 1.5.0-3 Blink works ok.
>
> Blink is a Python app and I think I managed to find the line of Python
> code that causes the segfault. The line is 'from gnutls.crypto import
> X509Certificate, X509PrivateKey'. Here is what happens when I run it
> in the Python console:
>
> I'm using 12.04, but I originally noticed the issue when I had 11.10
> and the proposed updates enabled. One day there were some updates that
> broke Blink and going through the updates I discovered that reverting
> libgcrypt fixed it.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/+subscriptions
>

Changed in libgcrypt11 (Ubuntu Precise):
status: In Progress → Invalid
Changed in libgcrypt11 (Ubuntu Quantal):
status: In Progress → Invalid
Changed in libgcrypt11 (Ubuntu Raring):
status: In Progress → Invalid
Sebastien Bacher (seb128) wrote :

Thanks Adam, I've sponsored those debdiffs

Changed in python-gnutls (Ubuntu Quantal):
importance: Undecided → High
status: New → In Progress
Changed in python-gnutls (Ubuntu Precise):
importance: Undecided → High
status: New → In Progress
Changed in python-gnutls (Ubuntu Raring):
importance: Undecided → High
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-gnutls - 1.2.4-1ubuntu1

---------------
python-gnutls (1.2.4-1ubuntu1) raring; urgency=low

  [ Jack Bates ]
  * gcry_check_version must be invoked before any other function in the
    library, with the exception of the GCRYCTL_SET_THREAD_CBS command (called
    via the gcry_control function). (LP: #1013798)
 -- Adam Stokes <email address hidden> Tue, 02 Apr 2013 09:55:26 -0400

Changed in python-gnutls (Ubuntu Raring):
status: Fix Committed → Fix Released

Hello Tommi, or anyone else affected,

Accepted python-gnutls into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/python-gnutls/1.2.4-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-gnutls (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in python-gnutls (Ubuntu Precise):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Tommi, or anyone else affected,

Accepted python-gnutls into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/python-gnutls/1.2.0-2.1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Tommi Siivola (s-tommi) wrote :

The package python_gnutls 1.2.0-2.1ubuntu0.1 fixes the problem for me, with Ubuntu 12.04.2 LTS.

Blink and the Python console import command segfault with version 1.2.0-2.1, but both start working when I install version 1.2.0-2.1ubuntu0.1 from the proposed updates repository.

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-precise verification-needed
removed: verification-done
David D Lowe (flimm) wrote :

The proposed update in Quantal fixed it for me.

Adam Stokes (adam-stokes) wrote :

Thanks David, setting verified for quantal

tags: added: verification-done-quantal
tags: removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-gnutls - 1.2.4-1ubuntu0.1

---------------
python-gnutls (1.2.4-1ubuntu0.1) quantal-proposed; urgency=low

  [ Jack Bates ]
  * gcry_check_version must be invoked before any other function in the
    library, with the exception of the GCRYCTL_SET_THREAD_CBS command (called
    via the gcry_control function). (LP: #1013798)
 -- Adam Stokes <email address hidden> Tue, 02 Apr 2013 09:49:23 -0400

Changed in python-gnutls (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-gnutls - 1.2.0-2.1ubuntu0.1

---------------
python-gnutls (1.2.0-2.1ubuntu0.1) precise-proposed; urgency=low

  [ Jack Bates ]
  * gcry_check_version must be invoked before any other function in the
    library, with the exception of the GCRYCTL_SET_THREAD_CBS command (called
    via the gcry_control function). (LP: #1013798)
 -- Adam Stokes <email address hidden> Tue, 02 Apr 2013 09:42:32 -0400

Changed in python-gnutls (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in libgcrypt11 (Ubuntu Lucid):
assignee: Adam Stokes (adam-stokes) → nobody
status: In Progress → Invalid
Changed in libgcrypt11 (Ubuntu Oneiric):
status: In Progress → Invalid
no longer affects: libgcrypt11 (Ubuntu)
no longer affects: libgcrypt11 (Ubuntu Lucid)
no longer affects: libgcrypt11 (Ubuntu Oneiric)
no longer affects: libgcrypt11 (Ubuntu Precise)
no longer affects: libgcrypt11 (Ubuntu Quantal)
no longer affects: libgcrypt11 (Ubuntu Raring)

Hi there,

We updated and released python-gnutls 1.2.5, which includes Jack's fix (thanks a lot!) so Ubuntu no longer needs to patch it.

Sorry for the delay.

Cheers,

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.