[Pkg-openssl-devel] Bug#844366: libssl1.1: 1.1.0c broke Python

Antonin Kral A.Kral at sh.cvut.cz
Mon Nov 14 20:32:58 UTC 2016


Package: libssl1.1
Version: 1.1.0c-1
Severity: critical
Tags: upstream
Justification: breaks unrelated software

Hi,

The update to 1.1.0c broke the Python ssl wrapper. I first faced the issue
with offlineimap, which would crash with "[Errno 0] Error" and the
following stack trace when trying to refresh an OAuth2 token from Google:

Traceback:
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 271, in syncrunner
    self.__sync()
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 334, in __sync
    remoterepos.getfolders()
  File "/usr/share/offlineimap/offlineimap/repository/IMAP.py", line 452, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 540, in acquireconnection
    self.__authn_helper(imapobj)
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 406, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 340, in __authn_xoauth2
    imapobj.authenticate('XOAUTH2', self.__xoauth2handler)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 705, in authenticate
    typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper())
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1692, in _simple_command
    return self._command_complete(self._command(name, *args), kw)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1418, in _command
    literal = literator(data, rqb)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2283, in process
    ret = self.mech(self.decode(data))
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 239, in __xoauth2handler
    six.reraise(type(e), type(e)(msg), exc_info()[2])
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 233, in __xoauth2handler
    self.oauth2_request_url, urllib.urlencode(params)).read()
  File "/usr/lib/python2.7/socket.py", line 355, in read
    data = self._sock.recv(rbufsize)
  File "/usr/lib/python2.7/ssl.py", line 766, in recv
    return self.read(buflen)
  File "/usr/lib/python2.7/ssl.py", line 653, in read
    v = self._sslobj.read(len)

These seem to be relevant upstream bugs:

  * https://github.com/openssl/openssl/issues/1919 (which was merged into 1903)
  * https://github.com/openssl/openssl/issues/1903

Downgrading to 1.1.0b (by installing libssl1.1_1.1.0b-2_amd64.deb from
snapshots) resolves the issue (and reintroduces the vulnerability).

Best,

  Antonin

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.1 depends on:
ii  debconf [debconf-2.0]  1.5.59
ii  libc6                  2.24-5

libssl1.1 recommends no packages.

libssl1.1 suggests no packages.

-- debconf information excluded
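The "[Errno 0] Error" in the stack trace above is what Python's ssl module raises when OpenSSL reports SSL_ERROR_SYSCALL without a system errno being set, which per SSL_get_error(3) means the peer ended the TLS stream without a close_notify alert (that interpretation is an assumption on our part, not something the report states). The example below is added here and is not code from the report, from offlineimap or from OpenSSL: it shows how an application reading a TLS response can tell that case apart from a clean shutdown and keep the bytes it already received instead of crashing in the read loop. `FakeTlsSocket` and the HTTP fragments it returns are constructed stand-ins so the code runs offline; `read_all` and `TruncatedTlsStream` are hypothetical names chosen for this example. Python 3 is assumed, although the same errno check works on the 2.7 `socket.error` seen in the report.

```python
import socket
import ssl


class TruncatedTlsStream(Exception):
    """Raised when the peer ended the TLS stream without a proper shutdown.

    Carries the bytes received before the truncation so the caller can decide
    whether the partial response is usable (for a token refresh it is not).
    """

    def __init__(self, partial):
        super().__init__(
            "TLS stream ended without close_notify after %d bytes" % len(partial)
        )
        self.partial = partial


def read_all(sock, bufsize=8192):
    """Read from a TLS socket until EOF and return everything received.

    A clean close_notify makes recv() return b'' and ends the loop normally.
    An error with errno 0 (Python's "[Errno 0] Error", i.e. SSL_ERROR_SYSCALL
    with no errno -- assumed here to mean an unexpected EOF) and the explicit
    SSLEOFError are reported as TruncatedTlsStream; any other socket error
    (ECONNRESET, ETIMEDOUT, ...) propagates unchanged.
    """
    chunks = []
    while True:
        try:
            data = sock.recv(bufsize)
        except ssl.SSLEOFError:
            raise TruncatedTlsStream(b"".join(chunks))
        except socket.error as exc:  # ssl.SSLError is a subclass of OSError
            if exc.errno == 0:
                raise TruncatedTlsStream(b"".join(chunks))
            raise
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


class FakeTlsSocket:
    """Constructed stand-in for an ssl.SSLSocket (hypothetical, for this example).

    Yields the given chunks; afterwards it either returns b'' like a clean
    close_notify or raises the "[Errno 0] Error" from the report.
    """

    def __init__(self, chunks, truncated):
        self._chunks = list(chunks)
        self._truncated = truncated

    def recv(self, bufsize):
        if self._chunks:
            return self._chunks.pop(0)
        if self._truncated:
            raise socket.error(0, "Error")  # str(exc) == "[Errno 0] Error"
        return b""


def demo():
    """Run both scenarios on constructed data and return (clean, partial)."""
    # Constructed response fragments, not real Google OAuth2 traffic.
    body = [b"HTTP/1.1 200 OK\r\n", b"\r\n", b'{"access_token": "constructed"}']
    clean = read_all(FakeTlsSocket(body, truncated=False))
    try:
        read_all(FakeTlsSocket(body[:1], truncated=True))
        partial = None
    except TruncatedTlsStream as exc:
        partial = exc.partial
    return clean, partial


if __name__ == "__main__":
    full, cut = demo()
    print("clean read:", full)
    print("truncated read kept:", cut)
```

The point of catching errno 0 explicitly rather than every `socket.error` is that a reset or timeout still surfaces with its real errno, while the ambiguous "no errno" case is turned into a specific, loggable condition. When debugging a regression like the one reported above, seeing `TruncatedTlsStream` in the logs points straight at the TLS layer instead of at the IMAP or OAuth2 code that happens to be on top of the stack.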
