# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 1894 0 --:--:-- --:--:-- --:--:-- 1888
Observed success without any double-free or segfault in openssl.
Although this particular issue has already been fixed in openssl, it still makes sense to release this update of curl which includes correct openssl engine API usage.
1) downgraded openssl to 1.1.1f-1ubuntu2.9 such that it doesn't have double free fix that was released in https:/ /launchpad. net/ubuntu/ +source/ openssl/ 1.1.1f- 1ubuntu2. 10
2) installed old pka module from commit b0f32fa05298bf9 e3997ea43fc1c11 b90e0d662f
3) installed focal-updates version of curl
Observed double free core dump:
# dpkg-query -W | grep -e 1.1.1f -e curl -e pka gnutls: arm64 7.68.0-1ubuntu2.7
curl 7.68.0-1ubuntu2.7
libcurl3-
libcurl4:arm64 7.68.0-1ubuntu2.7
libpka1:arm64 1.3-1
libssl-dev:arm64 1.1.1f-1ubuntu2.9
libssl1.1:arm64 1.1.1f-1ubuntu2.9
openssl 1.1.1f-1ubuntu2.9
# curl -o /dev/null https:/ /start. ubuntu. com/connectivit y-check. html
Dload Upload Total Spent Left Speed
% Total % Received % Xferd Average Speed Time Time Time Current
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 2117 0 --:--:-- --:--:-- --:--:-- 2117
double free or corruption (out)
Aborted (core dumped)
Upgraded to new curl:
# dpkg-query -W | grep -e 1.1.1f -e curl -e pka gnutls: arm64 7.68.0-1ubuntu2.8
curl 7.68.0-1ubuntu2.8
libcurl3-
libcurl4:arm64 7.68.0-1ubuntu2.8
libpka1:arm64 1.3-1
libssl-dev:arm64 1.1.1f-1ubuntu2.9
libssl1.1:arm64 1.1.1f-1ubuntu2.9
openssl 1.1.1f-1ubuntu2.9
# curl -o /dev/null https:/ /start. ubuntu. com/connectivit y-check. html
Dload Upload Total Spent Left Speed
% Total % Received % Xferd Average Speed Time Time Time Current
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 1894 0 --:--:-- --:--:-- --:--:-- 1888
Observed success without any double-free or segfault in openssl.
Although this particular issue has already been fixed in openssl, it still makes sense to release this update of curl which includes correct openssl engine API usage.