| 2022-06-23 11:34:57 |
David Zuelke |
bug |
|
|
added bug |
| 2022-06-23 12:22:54 |
Ed Morley |
bug |
|
|
added subscriber Ed Morley |
| 2022-06-23 12:34:54 |
Simon Chopin |
tags |
|
rls-jj-incoming |
|
| 2022-06-23 12:35:08 |
Simon Chopin |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-06-23 12:35:08 |
Simon Chopin |
bug task added |
|
openssl (Ubuntu Jammy) |
|
| 2022-06-23 12:35:08 |
Simon Chopin |
nominated for series |
|
Ubuntu Kinetic |
|
| 2022-06-23 12:35:08 |
Simon Chopin |
bug task added |
|
openssl (Ubuntu Kinetic) |
|
| 2022-06-23 12:42:53 |
Simon Chopin |
bug task added |
|
nodejs (Ubuntu) |
|
| 2022-06-23 12:43:02 |
Simon Chopin |
nodejs (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2022-06-23 12:43:04 |
Simon Chopin |
nodejs (Ubuntu Kinetic): status |
New |
Confirmed |
|
| 2022-06-23 15:35:44 |
Matthieu Clemenceau |
tags |
rls-jj-incoming |
fr-2496 rls-jj-incoming |
|
| 2022-06-23 16:30:21 |
Simon Chopin |
tags |
fr-2496 rls-jj-incoming |
fr-2496 |
|
| 2022-06-24 15:10:18 |
Simon Chopin |
nodejs (Ubuntu Jammy): importance |
Undecided |
Medium |
|
| 2022-06-24 15:10:20 |
Simon Chopin |
nodejs (Ubuntu Kinetic): importance |
Undecided |
Medium |
|
| 2022-06-24 15:20:37 |
Simon Chopin |
openssl (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2022-06-24 15:20:39 |
Simon Chopin |
openssl (Ubuntu Kinetic): status |
New |
Fix Committed |
|
| 2022-06-24 15:20:43 |
Simon Chopin |
openssl (Ubuntu Jammy): importance |
Undecided |
High |
|
| 2022-06-24 15:20:49 |
Simon Chopin |
openssl (Ubuntu Kinetic): importance |
Undecided |
High |
|
| 2022-07-01 17:29:53 |
Launchpad Janitor |
openssl (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
| 2022-07-01 17:29:53 |
Launchpad Janitor |
cve linked |
|
2022-2068 |
|
| 2022-07-11 14:24:57 |
Simon Chopin |
description |
~ $ lsb-release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
https://launchpad.net/debian/+source/openssl/3.0.3-7 includes a single change, https://sources.debian.org/src/openssl/3.0.3-8/debian/patches/Remove-the-provider-section.patch/
That patch solves a problem with programs that use OpenSSL v1 (statically or dynamically linked); these still read /etc/ssl/openssl.cnf, but the v3-specific sections in the sid/jammy default config may cause a failure.
One example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051
Another example: a (non-Ubuntu) Node.js v16 (OpenSSL compiled statically) hits an error in its crypto lib:
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
Uncaught:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
at Sign.sign (node:internal/crypto/sig:131:29) {
opensslErrorStack: [
'error:0E076071:configuration file routines:module_run:unknown module name',
'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
'error:25070067:DSO support routines:DSO_load:could not load the shared library'
],
library: 'DSO support routines',
function: 'dlfcn_load',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
Removing the relevant provider section lines (the Debian patch doesn't apply cleanly, hence the use of sed) fixes it:
~ $ sed -i '/_sect\b/s/^/# /' /etc/ssl/openssl.cnf
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
<Buffer c5 e7 ba 01 5a 33 3f 26 43 bb 4e 47 99 49 e4 c7 60 41 be c6 91 63 c6 5d 0a af 78 5c 15 4a 9f 1a e7 24 99 ce 6a f0 05 b5 48 96 4e 59 b8 d5 69 df 3c bc ... 206 more bytes>
I realize there is no libssl1.1 on jammy, but a statically linked OpenSSL is not uncommon (Node.js being a very prominent example).
Would it be possible to get this Debian sid change ported to jammy? |
[Impact]
While the default configuration works fine for every package that uses the system libssl3, any software that uses libssl1.1, either separately packaged (e.g. as an upgrade leftover) or vendored in (as in nodejs in our own archive) will fail to load the configuration as they don't have any notion of providers.
If the provider section isn't present in the configuration, libssl3 will load the default provider, which means that commenting out the section won't impact the behavior of standard libssl3 users.
[Test Plan]
On a system with a pristine openssl configuration:
$ sudo apt install nodejs
$ nodejs - <<EOF
var crypto = require('crypto')
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
var sign = crypto.createSign('RSA-SHA256');
sign.update(Buffer.from("hello"));
sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}));
EOF
Without the fix, the nodejs execution will have a non-zero return code and an uncaught exception with the following line:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
With the fix, there shouldn't be any output, and an exit code of 0.
[Where problems could occur]
There could easily be user errors when trying to merge the new configuration, for instance if they enabled the legacy provider, as they might comment out the default provider loading section (which is necessary if any other provider is explicitly loaded).
[Other Info]
Dear SRU team, please do not move this from -proposed to -updates before
the apt phasing fix has reached it first:
https://bugs.launchpad.net/charm-mysql-innodb-cluster/+bug/1979244
[Original report]
~ $ lsb-release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
https://launchpad.net/debian/+source/openssl/3.0.3-7 includes a single change, https://sources.debian.org/src/openssl/3.0.3-8/debian/patches/Remove-the-provider-section.patch/
That patch solves a problem with programs that use OpenSSL v1 (statically or dynamically linked); these still read /etc/ssl/openssl.cnf, but the v3-specific sections in the sid/jammy default config may cause a failure.
One example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051
Another example: a (non-Ubuntu) Node.js v16 (OpenSSL compiled statically) hits an error in its crypto lib:
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
Uncaught:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
at Sign.sign (node:internal/crypto/sig:131:29) {
opensslErrorStack: [
'error:0E076071:configuration file routines:module_run:unknown module name',
'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
'error:25070067:DSO support routines:DSO_load:could not load the shared library'
],
library: 'DSO support routines',
function: 'dlfcn_load',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
Removing the relevant provider section lines (the Debian patch doesn't apply cleanly, hence the use of sed) fixes it:
~ $ sed -i '/_sect\b/s/^/# /' /etc/ssl/openssl.cnf
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
<Buffer c5 e7 ba 01 5a 33 3f 26 43 bb 4e 47 99 49 e4 c7 60 41 be c6 91 63 c6 5d 0a af 78 5c 15 4a 9f 1a e7 24 99 ce 6a f0 05 b5 48 96 4e 59 b8 d5 69 df 3c bc ... 206 more bytes>
I realize there is no libssl1.1 on jammy, but a statically linked OpenSSL is not uncommon (Node.js being a very prominent example).
Would it be possible to get this Debian sid change ported to jammy? |
|
| 2022-07-13 09:24:39 |
Robie Basak |
summary |
openssl 3.0.3-7 needs port from sid to jammy |
Apps expecting an OpenSSL 1.1 -formatted openssl.cnf fail |
|
| 2022-07-13 09:26:13 |
Robie Basak |
openssl (Ubuntu Jammy): status |
Confirmed |
Incomplete |
|
| 2022-07-13 09:26:43 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
| 2022-07-26 17:51:28 |
Simon Chopin |
description |
[Impact]
While the default configuration works fine for every package that uses the system libssl3, any software that uses libssl1.1, either separately packaged (e.g. as an upgrade leftover) or vendored in (as in nodejs in our own archive) will fail to load the configuration as they don't have any notion of providers.
If the provider section isn't present in the configuration, libssl3 will load the default provider, which means that commenting out the section won't impact the behavior of standard libssl3 users.
[Test Plan]
On a system with a pristine openssl configuration:
$ sudo apt install nodejs
$ nodejs - <<EOF
var crypto = require('crypto')
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
var sign = crypto.createSign('RSA-SHA256');
sign.update(Buffer.from("hello"));
sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}));
EOF
Without the fix, the nodejs execution will have a non-zero return code and an uncaught exception with the following line:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
With the fix, there shouldn't be any output, and an exit code of 0.
[Where problems could occur]
There could easily be user errors when trying to merge the new configuration, for instance if they enabled the legacy provider, as they might comment out the default provider loading section (which is necessary if any other provider is explicitly loaded).
[Other Info]
Dear SRU team, please do not move this from -proposed to -updates before
the apt phasing fix has reached it first:
https://bugs.launchpad.net/charm-mysql-innodb-cluster/+bug/1979244
[Original report]
~ $ lsb-release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
https://launchpad.net/debian/+source/openssl/3.0.3-7 includes a single change, https://sources.debian.org/src/openssl/3.0.3-8/debian/patches/Remove-the-provider-section.patch/
That patch solves a problem with programs that use OpenSSL v1 (statically or dynamically linked); these still read /etc/ssl/openssl.cnf, but the v3-specific sections in the sid/jammy default config may cause a failure.
One example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051
Another example: a (non-Ubuntu) Node.js v16 (OpenSSL compiled statically) hits an error in its crypto lib:
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
Uncaught:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
at Sign.sign (node:internal/crypto/sig:131:29) {
opensslErrorStack: [
'error:0E076071:configuration file routines:module_run:unknown module name',
'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
'error:25070067:DSO support routines:DSO_load:could not load the shared library'
],
library: 'DSO support routines',
function: 'dlfcn_load',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
Removing the relevant provider section lines (the Debian patch doesn't apply cleanly, hence the use of sed) fixes it:
~ $ sed -i '/_sect\b/s/^/# /' /etc/ssl/openssl.cnf
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
<Buffer c5 e7 ba 01 5a 33 3f 26 43 bb 4e 47 99 49 e4 c7 60 41 be c6 91 63 c6 5d 0a af 78 5c 15 4a 9f 1a e7 24 99 ce 6a f0 05 b5 48 96 4e 59 b8 d5 69 df 3c bc ... 206 more bytes>
I realize there is no libssl1.1 on jammy, but a statically linked OpenSSL is not uncommon (Node.js being a very prominent example).
Would it be possible to get this Debian sid change ported to jammy? |
[Impact]
While the default configuration works fine for every package that uses the system libssl3, libssl1.1.1 (which implicitly loads the configuration on OPENSSL_crypto_init()) fails to parse it.
Our nodejs package vendors openssl 1.1.1, which means it will trigger this bug. In addition, upstream NodeJS explicitly points their statically-linked OpenSSL to this file as well, and ships 1.1.1 in their current LTS (branch 16.x).
Finally, we can also expect breakage for third-party packages that still depends on libssl1.1.
If the provider section isn't present in the configuration, libssl3 will load the default provider, which means that commenting out the section won't impact the behavior of standard libssl3 users.
[Test Plan]
On a system with a pristine openssl configuration:
$ sudo apt install nodejs
$ nodejs - <<EOF
var crypto = require('crypto')
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
var sign = crypto.createSign('RSA-SHA256');
sign.update(Buffer.from("hello"));
sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}));
EOF
Without the fix, the nodejs execution will have a non-zero return code and an uncaught exception with the following line:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
With the fix, there shouldn't be any output, and an exit code of 0.
[Where problems could occur]
There could easily be user errors when trying to merge the new configuration, for instance if they enabled the legacy provider, as they might comment out the default provider loading section (which is necessary if any other provider is explicitly loaded).
[Other Info]
Dear SRU team, please do not move this from -proposed to -updates before
the apt phasing fix has reached it first:
https://bugs.launchpad.net/charm-mysql-innodb-cluster/+bug/1979244
[Original report]
~ $ lsb-release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
https://launchpad.net/debian/+source/openssl/3.0.3-7 includes a single change, https://sources.debian.org/src/openssl/3.0.3-8/debian/patches/Remove-the-provider-section.patch/
That patch solves a problem with programs that use OpenSSL v1 (statically or dynamically linked); these still read /etc/ssl/openssl.cnf, but the v3-specific sections in the sid/jammy default config may cause a failure.
One example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051
Another example: a (non-Ubuntu) Node.js v16 (OpenSSL compiled statically) hits an error in its crypto lib:
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
Uncaught:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
at Sign.sign (node:internal/crypto/sig:131:29) {
opensslErrorStack: [
'error:0E076071:configuration file routines:module_run:unknown module name',
'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
'error:25070067:DSO support routines:DSO_load:could not load the shared library'
],
library: 'DSO support routines',
function: 'dlfcn_load',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
Removing the relevant provider section lines (the Debian patch doesn't apply cleanly, hence the use of sed) fixes it:
~ $ sed -i '/_sect\b/s/^/# /' /etc/ssl/openssl.cnf
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
<Buffer c5 e7 ba 01 5a 33 3f 26 43 bb 4e 47 99 49 e4 c7 60 41 be c6 91 63 c6 5d 0a af 78 5c 15 4a 9f 1a e7 24 99 ce 6a f0 05 b5 48 96 4e 59 b8 d5 69 df 3c bc ... 206 more bytes>
I realize there is no libssl1.1 on jammy, but a statically linked OpenSSL is not uncommon (Node.js being a very prominent example).
Would it be possible to get this Debian sid change ported to jammy? |
|
| 2022-09-03 12:02:28 |
Robie Basak |
openssl (Ubuntu Jammy): status |
Incomplete |
Won't Fix |
|
| 2022-09-29 15:43:10 |
Matthieu Clemenceau |
bug |
|
|
added subscriber Ubuntu Foundations Bugs |
| 2023-01-05 19:55:32 |
Christopher Ursich |
bug |
|
|
added subscriber Christopher Ursich |
| 2023-08-10 17:57:54 |
Utkarsh Gupta |
nodejs (Ubuntu Kinetic): status |
Confirmed |
Won't Fix |
|
