[Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1
Simon McVittie
smcv at collabora.com
Wed May 2 17:19:20 BST 2018
On Sat, 28 Apr 2018 at 13:03:14 +0200, Harald Welte wrote:
> Package: osc
> Version: 0.162.1-1
> Followup-For: Bug #895035
>
> I also see "double free or corruption" 100% reproducible when using osc on unstable
> for the past few weeks
I tried rebuilding older openssl versions, and the regression seems to be
between openssl 1.1.0g-2 and 1.1.0h-1.
Perhaps related to one or both of these:
* https://github.com/openSUSE/osc/issues/398
"""
- m2crypto 0.29 does no SSL_free(...) (which is fixed in 0.30)
(that's why this bug is not triggered with m2crypto 0.29)
- there's a "bug" in ssl_update_cache cache in openssl 1.1.0h (in
short: the session is not put in the session cache...)
- osc currently relies on the fact that the session is in the session
cache (or more precisely, that there are at least two references to
the SSL_SESSION), which is, of course, a bug in osc
Fixing...
"""
* https://github.com/openssl/openssl/pull/5967
"""
Commit d316cdc introduced some extra
checks into the session-cache update procedure, intended to prevent
the caching of sessions whose resumption would lead to a handshake
failure, since if the server is authenticating the client, there needs to
be an application-set "session id context" to match up to the authentication
context. While that change is effective for its stated purpose, there
was also some collateral damage introduced along with the fix -- clients
that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
their usage of session caching was erroneously denied.
Fix the scope of the original commit by limiting it to only acting
when the SSL is a server SSL.
"""
Regards,
smcv
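The failure the quoted issue describes is an ownership mistake: osc borrowed the SSL_SESSION pointer and counted on the SSL_CTX session cache to hold a second reference, so the combination of openssl 1.1.0h (no client-side cache entry) and m2crypto 0.30 (SSL_free actually called) left zero references behind osc's back. The model below is an added illustration, not code from osc, M2Crypto or OpenSSL: Session, SessionCache, SslConnection and keep_session_across_close are stand-ins that imitate the reference-count behaviour of SSL_SESSION, the session cache and SSL_free as the issue describes them, and the assumption that a Python session wrapper releases one reference when it is destroyed is mine.

```python
"""Model of the SSL_SESSION reference-count invariant osc relied on.

Added illustration, not code from osc, M2Crypto or OpenSSL: the classes
below imitate the refcount behaviour described in the quoted issue and
are not the real APIs.
"""


class Session:
    """Stand-in for SSL_SESSION: refcounted, freed when the count hits zero."""

    def __init__(self, session_id):
        self.session_id = session_id
        self.refcount = 1          # the SSL object that created it holds one ref
        self.freed = False

    def up_ref(self):
        """Like SSL_SESSION_up_ref(): take an additional owned reference."""
        if self.freed:
            raise RuntimeError("use-after-free: up_ref on freed SSL_SESSION")
        self.refcount += 1

    def free(self):
        """Like SSL_SESSION_free(): drop one reference."""
        if self.freed:
            raise RuntimeError("double free of SSL_SESSION")
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True


class SessionCache:
    """Stand-in for the SSL_CTX session cache; each entry owns one reference."""

    def __init__(self, caches_client_sessions):
        # openssl 1.1.0g cached client sessions; 1.1.0h refused to unless the
        # client had set a session id context (the scope bug fixed in PR 5967)
        self.caches_client_sessions = caches_client_sessions
        self.entries = {}

    def update(self, session):
        if not self.caches_client_sessions:
            return
        session.up_ref()
        self.entries[session.session_id] = session


class SslConnection:
    """Stand-in for an SSL object as wrapped by a Python binding."""

    def __init__(self, cache, session_id):
        self.session = Session(session_id)
        cache.update(self.session)

    def get_session(self):
        """Like SSL_get_session(): a borrowed pointer, no reference taken."""
        return self.session

    def close(self, calls_ssl_free):
        # m2crypto 0.29 never called SSL_free (the SSL and its reference leaked);
        # 0.30 frees it, which drops the SSL object's reference to the session
        if calls_ssl_free:
            self.session.free()
        self.session = None


def keep_session_across_close(cache, calls_ssl_free, take_own_ref):
    """Fetch the session, close the connection, then let the session wrapper
    release its (assumed) reference.  take_own_ref=False is the osc behaviour
    the issue calls a bug; True is the defensive fix: own what you keep."""
    conn = SslConnection(cache, "sess-1")
    saved = conn.get_session()
    if take_own_ref:
        saved.up_ref()            # own the reference instead of relying on the cache
    conn.close(calls_ssl_free)
    try:
        saved.free()              # wrapper destructor releases one reference
        return "ok"
    except RuntimeError as err:
        return str(err)
```

Running the four combinations reproduces the matrix from the thread: 1.1.0g with m2crypto 0.30 survives because the cache held the extra reference, 1.1.0h with m2crypto 0.29 survives because SSL_free never ran, 1.1.0h with m2crypto 0.30 and osc's borrowed pointer ends in a double free, and taking an owned reference up front is fine regardless of what the cache or the binding does.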