[Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

Simon McVittie smcv at collabora.com
Tue May 15 21:19:03 BST 2018


Control: tags -1 + patch fixed-upstream

On Wed, 02 May 2018 at 17:19:20 +0100, Simon McVittie wrote:
> * https://github.com/openSUSE/osc/issues/398
> 
>   """
>   - m2crypto 0.29 does no SSL_free(...) (which is fixed in 0.30)
>     (that's why this bug is not triggered with m2crypto 0.29)
>   - there's a "bug" in ssl_update_cache in openssl 1.1.0h (in
>     short: the session is not put in the session cache...)
>   - osc currently relies on the fact that the session is in the session
>     cache (or more precisely, that there are at least two references to
>     the SSL_SESSION), which is, of course, a bug in osc
>   """

The osc crash appears to be fixable by the patch that was applied
upstream (see attached Disable-ssl-session-resumption.patch). If I'm
understanding the commit message correctly, strictly speaking this was
already an osc bug (it made bad assumptions about session caching),
but the regression in openssl changed its impact from "might crash in
rare cases" to "crashes every time".

> * https://github.com/openssl/openssl/pull/5967
> 
>   """
>   Commit d316cdc introduced some extra
>   checks into the session-cache update procedure, intended to prevent
>   the caching of sessions whose resumption would lead to a handshake
>   failure, since if the server is authenticating the client, there needs to
>   be an application-set "session id context" to match up to the authentication
>   context. While that change is effective for its stated purpose, there
>   was also some collateral damage introduced along with the fix -- clients
>   that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
>   their usage of session caching was erroneously denied.
> 
>   Fix the scope of the original commit by limiting it to only acting
>   when the SSL is a server SSL.
>   """

Sorry for the delay in testing this.

Applying openssl commit c84f7d9251446bf76c179bf5da31f25944f4b975
(and reverting osc to the version that crashes) seems
to be another way to address this. See attached
c84f7d9251446bf76c179bf5da31f25944f4b975.patch.

Regards,
    smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Disable-ssl-session-resumption.patch
Type: text/x-diff
Size: 4346 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-openssl-devel/attachments/20180515/5b23981e/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: c84f7d9251446bf76c179bf5da31f25944f4b975.patch
Type: text/x-diff
Size: 2194 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-openssl-devel/attachments/20180515/5b23981e/attachment-0001.patch>
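The interaction the mail describes (an application keeping an SSL_SESSION pointer on the assumption that the session cache holds a second reference, which stops being true once the cache refuses client sessions without a sid_ctx and the wrapper starts calling SSL_free) can be modelled without OpenSSL. The following is an added example written for this archive page; it is not code from the mail, osc, m2crypto or OpenSSL. `toy_session`, `toy_cache`, `cache_update` and `kept_session_dangles` are constructed names; `strict_for_clients` stands in for the 1.1.0h cache check and `take_own_ref` for the defensive pattern of holding your own reference (in real OpenSSL, SSL_SESSION_up_ref or SSL_get1_session) rather than relying on the cache.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted session, constructed for this example. It stands in for
 * OpenSSL's SSL_SESSION but is not OpenSSL code. */
typedef struct {
    int refs;
    int id;
    bool is_server;    /* created by the server side of a handshake */
    bool has_sid_ctx;  /* application set a session-id context */
} toy_session;

/* Ids of sessions whose refcount reached zero, so a dangling pointer can
 * be detected later without dereferencing freed memory. */
static int freed_ids[8];
static int freed_count;

static toy_session *session_new(int id, bool is_server, bool has_sid_ctx)
{
    toy_session *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->refs = 1;
    s->id = id;
    s->is_server = is_server;
    s->has_sid_ctx = has_sid_ctx;
    return s;
}

static void session_up_ref(toy_session *s) { s->refs++; }

static void session_free(toy_session *s)
{
    if (--s->refs > 0) return;
    if (freed_count < 8) freed_ids[freed_count++] = s->id;
    free(s);
}

bool session_was_freed(int id)
{
    for (int i = 0; i < freed_count; i++)
        if (freed_ids[i] == id) return true;
    return false;
}

/* One-slot session cache. strict_for_clients models the 1.1.0h behaviour
 * quoted in the mail: the "needs a sid_ctx" check applied to client-side
 * sessions too; the upstream fix limits it to server SSLs. */
typedef struct { toy_session *slot; } toy_cache;

static bool cache_update(toy_cache *c, toy_session *s, bool strict_for_clients)
{
    bool needs_sid_ctx = s->is_server || strict_for_clients;
    if (needs_sid_ctx && !s->has_sid_ctx)
        return false;                 /* not cached: the cache holds no ref */
    if (c->slot) session_free(c->slot);
    session_up_ref(s);
    c->slot = s;
    return true;
}

/* Simulates a client that keeps a session pointer across connection
 * teardown. Returns true if that pointer dangles afterwards. */
bool kept_session_dangles(bool strict_for_clients, bool take_own_ref)
{
    freed_count = 0;
    toy_cache cache = { NULL };
    /* Client sessions normally carry no sid_ctx (per the quoted PR text). */
    toy_session *conn_session = session_new(42, false, false);
    cache_update(&cache, conn_session, strict_for_clients);

    /* Application keeps the pointer for later resumption. */
    toy_session *kept = conn_session;
    if (take_own_ref)
        session_up_ref(kept);         /* the correct pattern: own reference */

    /* Connection torn down (the SSL_free that m2crypto 0.30 now performs):
     * the connection's reference is dropped. */
    session_free(conn_session);

    bool dangles = session_was_freed(42);

    /* Release whatever is still alive; never touch a freed pointer. */
    if (!dangles && take_own_ref) session_free(kept);
    if (cache.slot) session_free(cache.slot);
    return dangles;
}

int main(void)
{
    printf("old cache policy, no own ref: dangles=%d\n", kept_session_dangles(false, false));
    printf("1.1.0h cache policy, no own ref: dangles=%d\n", kept_session_dangles(true, false));
    printf("1.1.0h cache policy, own ref:   dangles=%d\n", kept_session_dangles(true, true));
    return 0;
}
```

The first case is the "works by accident" state before the OpenSSL regression: the cache's extra reference keeps the session alive. The second reproduces the crash the bug report describes, and the third shows why either upstream fix (osc no longer depending on resumption, or OpenSSL caching client sessions again) removes it: the application's own reference, not the cache's, must be what keeps the object valid.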