Bug#499945: Segfault in asn1_get_tag_der().

Kurt Roeckx kurt at roeckx.be
Thu Sep 25 18:20:35 UTC 2008


On Thu, Sep 25, 2008 at 09:56:58AM +0200, Simon Josefsson wrote:
> Kurt Roeckx <kurt at roeckx.be> writes:
> 
> > On Wed, Sep 24, 2008 at 08:05:24PM +0200, Andreas Metzler wrote:
> >> On 2008-09-23 Kurt Roeckx <kurt at roeckx.be> wrote:
> >> > Package: libtasn1-3
> >> > Version: 1.4-1
> >> > Severity: grave
> >> 
> >> > When I run "lynx https://acrobat.com", I end up with a segfault.  The
> >> > backtrace looks like:
> >> [...]
> >> > I'm running libgnutls26 2.4.1-1 and lynx-cur 2.8.7dev9-2.
> >> 
> >> FWIW I get the same behavior Simon describes ("SSL error:no issuer was
> >> found-Continue? (y)" followed by "Alert!: Unexpected network read
> >> error; connection aborted.") *both* on ix86 and amd64 (the latter on
> >> pergolesi.d.o's  unstable_amd64 chroot), using the same versions of
> >> libgnutls26 and lynx-cur.
> >> 
> >> Have you got any special settings in ~/lynxrc?
> >
> > No, it's the default setting.
> >
> > But it seems to be related to me using MALLOC_CHECK_=2 in the
> > > environment.  I thought I'd set it to 0 to make sure it wasn't
> > related.  But trying to unset or set it to 0 now stops the segfault.
> >
> > > Also note that the check, even when set to 3, doesn't print any error
> > > message.
> 
> I can't reproduce this on an x86 with MALLOC_CHECK_=2, but maybe it
> requires an amd64 platform.  Btw, which libc6 version do you use?  I use
> 2.7-13.

I'm also using 2.7-13.

I can also perfectly reproduce this on i386 chroot:
Program received signal SIGSEGV, Segmentation fault.
asn1_get_tag_der (der=0x3000075 <Address 0x3000075 out of bounds>, der_len=17,
    cls=0xfff5bedf "÷8U.\ba6Å÷8U.\b\210xÅ÷\002", len=0xfff5bed8,
    tag=0xfff5bed4) at decoding.c:127
127     decoding.c: No such file or directory.
        in decoding.c
(gdb) bt
asn1_get_tag_der (der=0x3000075 <Address 0x3000075 out of bounds>, der_len=17,
    cls=0xfff5bedf "÷8U.\ba6Å÷8U.\b\210xÅ÷\002", len=0xfff5bed8,
    tag=0xfff5bed4) at decoding.c:127
#1  0xf7c4f5fc in _asn1_extract_tag_der (node=0x82ed6d8,
    der=0x3000075 <Address 0x3000075 out of bounds>, der_len=17,
    ret_len=0xfff5bfdc) at decoding.c:424
#2  0xf7c51c31 in asn1_der_decoding (element=0x82cc540, ider=0x3000075,
    len=17, errorDescription=0x0) at decoding.c:920
#3  0xf7e90b7c in gnutls_x509_crt_import () from /usr/lib/libgnutls.so.26
#4  0x080e0b5f in ?? ()
#5  0x082cc540 in ?? ()
#6  0x081e5608 in ?? ()
#7  0x00000000 in ?? ()


Kurt

More information about the Pkg-gnutls-maint mailing list