Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2

Simon Josefsson simon at josefsson.org
Tue Nov 11 13:41:39 UTC 2008 

Michael Meskes <meskes at debian.org> writes:

> Package: libgnutls26
> Version: 2.4.2-2
> Severity: critical
> Justification: breaks unrelated software
>
> Since updating libgnutls26 today I cannot use mutt anymore because it gets a
> segfault. Here's what gdb says:
>
> #0  0xf7e13ff4 in _gnutls_x509_crt_get_raw_dn2 (cert=0x11, whom=0xf7e4e367 "issuer", start=0xff9b6a04) at x509.c:1718
> #1  0xf7e18c9a in is_issuer (cert=0xf7e4cdce, issuer_cert=0x89c4d90) at verify.c:164
> #2  0xf7e19b12 in _gnutls_verify_certificate2 (cert=0x11, trusted_cas=<value optimized out>, tcas_size=145, flags=0, output=0xff9b6ac8)
>     at verify.c:199
> #3  0xf7e1a381 in gnutls_x509_crt_list_verify (cert_list=0x8b27a68, cert_list_length=0, CA_list=0x8b1e250, CA_list_length=145, CRL_list=0x0,
>     CRL_list_length=0, flags=0, verify=0xff9b6b8c) at verify.c:396
> #4  0xf7dfc64c in _gnutls_x509_cert_verify_peers (session=0x8b26540, status=0xff9b6b8c) at gnutls_x509.c:176
> #5  0xf7dee921 in gnutls_certificate_verify_peers2 (session=0x8b26540, status=0xff9b6b8c) at gnutls_cert.c:606
> #6  0xf7dee959 in gnutls_certificate_verify_peers (session=0x8b26540) at gnutls_cert.c:639
> #7  0x080d46d8 in tls_check_certificate (conn=0x89c38b8) at ../mutt_ssl_gnutls.c:509
> #8  0x080d5ad8 in tls_negotiate (conn=0x89c38b8) at ../mutt_ssl_gnutls.c:269
> #9  0x080d5c85 in mutt_ssl_starttls (conn=0x89c38b8) at ../mutt_ssl_gnutls.c:162
> #10 0x080de14d in imap_open_connection (idata=0x89c3e30) at ../../imap/imap.c:436
> #11 0x080de3fd in imap_conn_find (account=0xff9b83c4, flags=<value optimized out>) at ../../imap/imap.c:367
> #12 0x080df1d1 in imap_open_mailbox (ctx=0x89b8400) at ../../imap/imap.c:567
> ...
>
> Downgrading to 2.4.2-1 immediately fixes the problem.

Can you run

gnutls-cli -p 143 your.imap.server -s

then type:

. STARTTLS

and then press Ctrl-D, and cut'n'paste the output?  I'm interested to
see the certificate chain of the server.

Are you using X.509 client certificate authentication?  Then your client
certificate chain would be interesting too.

/Simon

More information about the Pkg-gnutls-maint mailing list