[Pkg-openssl-devel] Bug#506846: openssl: MD5 calculations often segfault

Nach joecool22us at yahoo.com
Tue Nov 25 09:35:19 UTC 2008 

Package: openssl
Version: 0.9.8g-14
Severity: critical
Justification: breaks unrelated software

Here's an example of openssl crashing:
Starting program: /usr/bin/openssl dgst < /usr/bin/firefox
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x00007fd05c7fc451 in MD5_Final () from /usr/lib/libcrypto.so.0.9.8
(gdb) bt
#0  0x00007fd05c7fc451 in MD5_Final () from /usr/lib/libcrypto.so.0.9.8
#1  0x00007fd05c85a66e in EVP_DigestFinal_ex () from /usr/lib/libcrypto.so.0.9.8
#2  0x00007fd05c85ed1c in ?? () from /usr/lib/libcrypto.so.0.9.8
#3  0x00007fd05c84a211 in BIO_gets () from /usr/lib/libcrypto.so.0.9.8
#4  0x0000000000418d9e in ?? ()
#5  0x00000000004198ca in ?? ()
#6  0x0000000000412d10 in ?? ()
#7  0x0000000000413459 in ?? ()
#8  0x00007fd05c02d1a6 in __libc_start_main () from /lib/libc.so.6
#9  0x0000000000412ba9 in ?? ()
#10 0x00007fff64f837e8 in ?? ()
#11 0x000000000000001c in ?? ()
#12 0x0000000000000002 in ?? ()
#13 0x00007fff64f84ae4 in ?? ()
#14 0x00007fff64f84af5 in ?? ()
#15 0x0000000000000000 in ?? ()

This breaks SSL (HTTPS) in Konqueror, here's the backtrace:
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0x7f8fb2c476f0 (LWP 7913)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[KCrash handler]
#5  0x00007f8faa386451 in MD5_Final () from /usr/lib/libcrypto.so.0.9.8
#6  0x00007f8faa3e466e in EVP_DigestFinal_ex ()
   from /usr/lib/libcrypto.so.0.9.8
#7  0x00007f8faa3e49cf in EVP_Digest () from /usr/lib/libcrypto.so.0.9.8
#8  0x00007f8faa3f204a in ASN1_item_digest () from /usr/lib/libcrypto.so.0.9.8
#9  0x00007f8fb198cdb3 in KSSLCertificate::getMD5DigestText ()
   from /usr/lib/libkio.so.4
#10 0x00007f8fb19a728b in KSSLInfoDlg::displayCert ()
   from /usr/lib/libkio.so.4
#11 0x00007f8fb19aaf05 in KSSLInfoDlg::setup () from /usr/lib/libkio.so.4
#12 0x00007f8fab710645 in UIServer::showSSLInfoDialog ()
   from /usr/lib/libkdeinit_kio_uiserver.so
#13 0x00007f8fab7122d8 in UIServer::process ()
   from /usr/lib/libkdeinit_kio_uiserver.so
#14 0x00007f8faf994cc7 in DCOPClient::receive () from /usr/lib/libDCOP.so.4
#15 0x00007f8faf999ddf in ?? () from /usr/lib/libDCOP.so.4
#16 0x00007f8faf99a330 in DCOPClient::processPostedMessagesInternal ()
   from /usr/lib/libDCOP.so.4
#17 0x00007f8faf99a438 in DCOPClient::qt_invoke () from /usr/lib/libDCOP.so.4
#18 0x00007f8fb112e36c in QObject::activate_signal ()
   from /usr/lib/libqt-mt.so.3
#19 0x00007f8fb112eb04 in QObject::activate_signal ()
   from /usr/lib/libqt-mt.so.3
#20 0x00007f8fb114cb85 in QTimer::event () from /usr/lib/libqt-mt.so.3
#21 0x00007f8fb10d8953 in QApplication::internalNotify ()
   from /usr/lib/libqt-mt.so.3
#22 0x00007f8fb10d9668 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#23 0x00007f8fb0adac22 in KApplication::notify ()
   from /usr/lib/libkdecore.so.4
#24 0x00007f8fb10cf22b in QEventLoop::activateTimers ()
   from /usr/lib/libqt-mt.so.3
#25 0x00007f8fb108ec4d in QEventLoop::processEvents ()
   from /usr/lib/libqt-mt.so.3
#26 0x00007f8fb10ed001 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#27 0x00007f8fb10eceb2 in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#28 0x00007f8fab70e9c4 in kdemain () from /usr/lib/libkdeinit_kio_uiserver.so
#29 0x00000000004084a8 in ?? ()
#30 0x0000000000408c45 in ?? ()
#31 0x0000000000409322 in ?? ()
#32 0x0000000000409c44 in ?? ()
#33 0x00007f8fb1e491a6 in __libc_start_main () from /lib/libc.so.6
#34 0x0000000000404c59 in ?? ()
#35 0x00007fffbad99778 in ?? ()
#36 0x000000000000001c in ?? ()
#37 0x0000000000000005 in ?? ()
#38 0x00007fffbad9ac2b in ?? ()
#39 0x0000000000000000 in ?? ()

SSH applications are also broken, dmesg says:
[  865.824769] sshd[5071] general protection ip:7fef41d74451 sp:7fff4ab4df30 error:252 in libcrypto.so.0.9.8[7fef41cf5000+171000]
[  912.388460] sshd[5100] general protection ip:7f8eec701451 sp:7ffff54dc8b0 error:252 in libcrypto.so.0.9.8[7f8eec682000+171000]
[  959.652628] sshd[5105] general protection ip:7f49bc7c7451 sp:7fffc55a2980 error:252 in libcrypto.so.0.9.8[7f49bc748000+171000]
[ 1173.094032] ssh[5325] general protection ip:7f305aee1451 sp:7fff6346d120 error:252 in libcrypto.so.0.9.8[7f305ae62000+171000]
[ 1189.367692] ssh[5328] general protection ip:7ff7ec2b4451 sp:7ffff483e4f0 error:252 in libcrypto.so.0.9.8[7ff7ec235000+171000]
[ 1205.735998] ssh[5331] general protection ip:7f76a7d85451 sp:7fffb030f050 error:252 in libcrypto.so.0.9.8[7f76a7d06000+171000]
[ 1331.877289] ssh[5666] general protection ip:7fd5afc7a451 sp:7fffb8203e00 error:252 in libcrypto.so.0.9.8[7fd5afbfb000+171000]
[ 1403.024208] ssh[5939] general protection ip:7f5d9ab4e451 sp:7fffa30d7d80 error:252 in libcrypto.so.0.9.8[7f5d9aacf000+171000]
[ 1416.969779] sshd[5942] general protection ip:7fb1676e6451 sp:7fff704bf7f0 error:252 in libcrypto.so.0.9.8[7fb167667000+171000]
[ 1563.283901] ssh-vulnkey[6354] general protection ip:7f1ba67fd451 sp:7fffaed48f60 error:252 in libcrypto.so.0.9.8[7f1ba677e000+171000]
[ 1563.358776] sshd[6383] general protection ip:7f4afc66e451 sp:7fff05449790 error:252 in libcrypto.so.0.9.8[7f4afc5ef000+171000]
[ 1638.746895] sshd[6507] general protection ip:7fb55134c451 sp:7fff5a125460 error:252 in libcrypto.so.0.9.8[7fb5512cd000+171000]
[ 1642.715031] sshd[6510] general protection ip:7fe4e453e451 sp:7fffed319860 error:252 in libcrypto.so.0.9.8[7fe4e44bf000+171000]
[ 1667.120219] ssh[6513] general protection ip:7f6dd0f07451 sp:7fffd9493140 error:252 in libcrypto.so.0.9.8[7f6dd0e88000+171000]
[ 1780.140507] ssh-vulnkey[7062] general protection ip:7f2b7fe94451 sp:7fff883df600 error:252 in libcrypto.so.0.9.8[7f2b7fe15000+171000]
[ 1823.072360] ssh[7117] general protection ip:7f1e52cfa451 sp:7fff5b285f10 error:252 in libcrypto.so.0.9.8[7f1e52c7b000+171000]
[ 2338.637744] sshd[7388] general protection ip:7fae509df451 sp:7fff597baaf0 error:252 in libcrypto.so.0.9.8[7fae50960000+171000]
[ 5420.566757] openssl[7836] general protection ip:7fccd980a451 sp:7fffe1f92ea0 error:252 in libcrypto.so.0.9.8[7fccd978b000+171000]

Basically all security related things, such as connecting to other computers securly is now completely unusable.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libssl0.9.8            0.9.8g-14         SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates               20080809   Common CA certificates

-- no debconf information

More information about the Pkg-openssl-devel mailing list