group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Mathew Hodson <mathew.hodson@xxxxxxxxx>
Date: Sat, 24 Sep 2016 23:40:54 -0000
Reply-to: Bug 1626883 <1626883@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** No longer affects: openssl (Ubuntu Yakkety)

** Changed in: openssl (Ubuntu)
       Status: Invalid => Fix Released

** Tags added: regression-update

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Precise:
  Fix Released
Status in openssl source package in Trusty:
  Fix Released
Status in openssl source package in Xenial:
  Fix Released

Bug description:
  Last night unattended-upgrades upgraded the openssl packages
  (libssl1.0.0, libssl-dev, openssl) from version 1.0.2g-1ubuntu4.1 to
  version 1.0.2g-1ubuntu4.4 on a CI build server. Then everything that
  used PHP to connect to a HTTPS site started crashing when verifying
  the server cert.

  Like this:

  ```
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force --activate wp-cfm
  Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop                    /vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 38
  Notice: Undefined offset: 4 in phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
  Segmentation fault (core dumped)
  *** Segmentation fault
  Register dump:

   RAX: 0000000000000000   RBX: 0000000000000001   RCX: 0000000000000000
   RDX: 000000000000000c   RSI: 000055665071af59   RDI: 0000000000000000
   RBP: 0000556650a49e4e   R8 : 0000556652364720   R9 : 0000000000000000
   R10: 0000000000000000   R11: 00007fdb3c081730   R12: 000055665071af59
   R13: 000000000000000c   R14: 0000000000000000   R15: 00007fdb39418cf0
   RSP: 00007ffc4bad7a08

   RIP: 00007fdb3bf77d16   EFLAGS: 00010293

   CS: 0033   FS: 0000   GS: 0000

   Trap: 0000000e   Error: 00000004   OldMask: 00000000   CR2: 00000000

   FPUCW: 0000027f   FPUSW: 00000000   TAG: 00000000
   RIP: 00000000   RDP: 00000000

   ST(0) 0000 0000000000000000   ST(1) 0000 0000000000000000
   ST(2) 0000 0000000000000000   ST(3) 0000 0000000000000000
   ST(4) 0000 0000000000000000   ST(5) 0000 0000000000000000
   ST(6) 0000 0000000000000000   ST(7) 0000 0000000000000000
   mxcsr: 1fa0
   XMM0:  00000000000000000000000000000000 XMM1:  00000000000000000000000000000000
   XMM2:  00000000000000000000000000000000 XMM3:  00000000000000000000000000000000
   XMM4:  00000000000000000000000000000000 XMM5:  00000000000000000000000000000000
   XMM6:  00000000000000000000000000000000 XMM7:  00000000000000000000000000000000
   XMM8:  00000000000000000000000000000000 XMM9:  00000000000000000000000000000000
   XMM10: 00000000000000000000000000000000 XMM11: 00000000000000000000000000000000
   XMM12: 00000000000000000000000000000000 XMM13: 00000000000000000000000000000000
   XMM14: 00000000000000000000000000000000 XMM15: 00000000000000000000000000000000

  Backtrace:
  /lib/x86_64-linux-gnu/libc.so.6(strlen+0x26)[0x7fdb3bf77d16]
  php(add_assoc_string_ex+0x32)[0x556650677b12]
  php(zif_openssl_x509_parse+0x17c)[0x5566505312ec]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_call_function+0x749)[0x556650666639]
  php(zif_call_user_func+0xb5)[0x5566505b39d5]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_call_function+0x749)[0x556650666639]
  php(zif_call_user_func+0xb5)[0x5566505b39d5]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2ef65c)[0x55665070565c]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2efc7c)[0x556650705c7c]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_execute+0x1a7)[0x556650708bf7]
  php(zend_execute_scripts+0xc3)[0x556650674bd3]
  php(php_execute_script+0x2d0)[0x556650615470]
  php(+0x2f48b7)[0x55665070a8b7]
  php(main+0x474)[0x5566504fa084]
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fdb3bf0d830]
  php(_start+0x29)[0x5566504fa1c9]
  ```

  Apparently something in libssl now returns a NULL or not-NUL-
  terminated C string which the PHP function openssl_x509_parse then
  passes to strlen, which crashes.

  After downgrading to 1.0.2g-1ubuntu4.2 which luckily is still in the
  repos, everything works:

  ```
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ apt-cache policy libssl1.0.0
  libssl1.0.0:
    Installed: 1.0.2g-1ubuntu4.2
    Candidate: 1.0.2g-1ubuntu4.4
    Version table:
       1.0.2g-1ubuntu4.4 500
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
   *** 1.0.2g-1ubuntu4.2 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force --activate wp-cfm
  Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 38
  Notice: Undefined offset: 4 in phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
  Installing WP-CFM (1.4.5)
  Ladataan pakettia lähteestä https://downloads.wordpress.org/plugin/wp-cfm.zip...
  Using cached file '/home/jenkins/.wp-cli/cache/plugin/wp-cfm-1.4.5.zip'...
  Puretaan pakettia...
  Asennetaan lisäosaa...
  Poistetaan lisäosan vanhaa versiota...
  Lisäosa päivitetty onnistuneesti.
  Activating 'wp-cfm'...
  Warning: Plugin 'wp-cfm' is already active.
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
  ```

  So the issue was introduced between 1.0.2g-1ubuntu4.2 and 1.0.2g-
  1ubuntu4.4.

  The only patch between them that seems relevant is this:

  ```
  diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch
  --- openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch	1970-01-01 00:00:00.000000000 +0000
  +++ openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch	2016-09-22 12:17:31.000000000 +0000
  @@ -0,0 +1,66 @@
  +From ff553f837172ecb2b5c8eca257ec3c5619a4b299 Mon Sep 17 00:00:00 2001
  +From: "Dr. Stephen Henson" <steve@xxxxxxxxxxx>
  +Date: Sat, 17 Sep 2016 12:36:58 +0100
  +Subject: [PATCH] Fix small OOB reads.
  +
  +In ssl3_get_client_certificate, ssl3_get_server_certificate and
  +ssl3_get_certificate_request check we have enough room
  +before reading a length.
  +
  +Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
  +
  +CVE-2016-6306
  +
  +Reviewed-by: Richard Levitte <levitte@xxxxxxxxxxx>
  +Reviewed-by: Matt Caswell <matt@xxxxxxxxxxx>
  +---
  + ssl/s3_clnt.c | 11 +++++++++++
  + ssl/s3_srvr.c |  6 ++++++
  + 2 files changed, 17 insertions(+)
  ```

  I didn't try building a binary with that patch reverted though, as I'm
  happy using the 1.0.2g-1ubuntu4.2 version without the security updates
  for the time being, given that this build server is not accessible
  from untrusted networks.

  Of course, this might just as well be due to some insufficient error
  handling or otherwise improper libssl usage in php7.0, but the net
  effect is that the latest libssl makes the latest php7.0 in the stable
  Ubuntu 16.04 LTS version crash.

  ProblemType: Crash
  DistroRelease: Ubuntu 16.04
  Package: php7.0-cli 7.0.8-0ubuntu0.16.04.2
  ProcVersionSignature: Ubuntu 4.4.0-36.55-generic 4.4.16
  Uname: Linux 4.4.0-36-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CrashCounter: 1
  Date: Fri Sep 23 10:30:31 2016
  ExecutablePath: /usr/bin/php7.0
  ExecutableTimestamp: 1469647957
  InstallationDate: Installed on 2016-05-18 (127 days ago)
  InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
  ProcCmdline: php /usr/local/bin/wp plugin install --force --activate wp-cfm
  ProcCwd: /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress
  SegvAnalysis: Skipped: missing required field "Disassembly"
  Signal: 11
  SourcePackage: php7.0
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions