[Pkg-openssl-devel] Bug#1074764: signing with osslsigncode fails with a segmentation fault since latest stable update

Sébastien Villemot sebastien at debian.org
Tue Jul 2 15:23:58 BST 2024 

Package: libssl3
Version: 3.0.13-1~deb12u1
Severity: important
Control: affects -1 osslsigncode

Dear Maintainers,

Since the last upgrade of openssl on bookworm (version 3.0.13-1~deb12u1), code
signing using osslsigncode (and my Yubikey) now fails with a segmentation
fault. It was working properly with version 3.0.11-1~deb12u2 (and note that
downgrading solves the problem).

Here is the command:

$ osslsigncode sign -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so.2 -key "pkcs11:id=%01;type=private;pin-value=<EDITED>" -certs ~/code-signing-certificate.pem -n Foo -i https://www.foo.org -t http://timestamp.comodoca.com -in installer.exe -out installer-signed.exe

Here is a backtrace obtained through gdb (slightly edited to avoid leaking sensitive information):

Program received signal SIGSEGV, Segmentation fault.                                                                                               
pkcs11_ecdsa_sign (key=0x5555565c1d10, siglen=<synthetic pointer>, sigret=0x7fffffffc0b0 ".>D ", msg_len=32,                        
    msg=0x7fffffffc3c0 "<EDITED>") at ./src/p11_ec.c:409                    
409     ./src/p11_ec.c: No such file or directory.                                                                                                 
(gdb) bt                                                          
#0  pkcs11_ecdsa_sign (key=0x5555565c1d10, siglen=<synthetic pointer>, sigret=0x7fffffffc0b0 ".>D ", msg_len=32,                                   
    msg=0x7fffffffc3c0 "<EDITED>") at ./src/p11_ec.c:409
#1  pkcs11_ecdsa_sign_sig (dgst=0x7fffffffc3c0 "<EDITED>", dlen=32, 
    kinv=<optimized out>, rp=<optimized out>, ec=<optimized out>) at ./src/p11_ec.c:489
#2  0x00007ffff7b95385 in ossl_ecdsa_sign (type=<optimized out>, dgst=<optimized out>, dlen=<optimized out>, sig=<optimized out>, 
    siglen=0x7fffffffc354, kinv=<optimized out>, r=0x0, eckey=0x5555565c0590) at ../crypto/ec/ecdsa_ossl.c:73
#3  0x00007ffff7b96280 in ECDSA_sign (type=<optimized out>, 
    dgst=dgst at entry=0x7fffffffc3c0 "<EDITED>", dlen=dlen at entry=32, 
    sig=sig at entry=0x5555565c5af0 "<EDITED>", siglen=siglen at entry=0x7fffffffc354, eckey=eckey at entry=0x5555565c0590)
    at ../crypto/ec/ecdsa_sign.c:38
#4  0x00007ffff7b940ba in pkey_ec_sign (ctx=<optimized out>, sig=0x5555565c5af0 "<EDITED>", siglen=0x7fffffffc460, 
    tbs=0x7fffffffc3c0 "<EDITED>", tbslen=32)
    at ../crypto/ec/ec_pmeth.c:136
#5  0x00007ffff7c1648e in EVP_DigestSignFinal (ctx=ctx at entry=0x5555565cc2a0, sigret=0x5555565c5af0 "\005M\017\003PU", 
    siglen=siglen at entry=0x7fffffffc460) at ../crypto/evp/m_sigver.c:560
#6  0x00007ffff7c60468 in PKCS7_SIGNER_INFO_sign (si=si at entry=0x5555565cbc40) at ../crypto/pkcs7/pk7_doit.c:945
#7  0x00007ffff7c60702 in do_pkcs7_signed_attrib (mctx=0x5555565cc5c0, si=0x5555565cbc40) at ../crypto/pkcs7/pk7_doit.c:721
#8  PKCS7_dataFinal (p7=p7 at entry=0x5555565cbab0, bio=bio at entry=0x5555565cbc90) at ../crypto/pkcs7/pk7_doit.c:843
#9  0x0000555555567561 in set_signing_blob (len=74, buf=0x5555565dcad0 "<EDITED>", 
    hash=0x5555565bce50, sig=0x5555565cbab0) at ./osslsigncode.c:1758
#10 set_indirect_data_blob (header=0x7fffffffc740, options=0x4a, indata=<optimized out>, type=FILE_TYPE_PE, hash=0x5555565bce50, 
    sig=0x5555565cbab0) at ./osslsigncode.c:1823
#11 get_pkcs7 (cmd=cmd at entry=CMD_SIGN, hash=hash at entry=0x5555565bce50, type=<optimized out>, type at entry=FILE_TYPE_PE, 
    indata=indata at entry=0x7ffff0e00000 "MZ\220", options=options at entry=0x7fffffffc850, header=header at entry=0x7fffffffc740, 
    cparams=0x7fffffffc7a0, cursig=0x0) at ./osslsigncode.c:5431
#12 0x000055555555d5e2 in pe_presign_file (type=<optimized out>, cursig=<optimized out>, outdata=<optimized out>, hash=<optimized out>, 
    indata=<optimized out>, cparams=<optimized out>, options=<optimized out>, header=<optimized out>, cmd=<optimized out>)
    at ./osslsigncode.c:5543
#13 main (argc=<optimized out>, argv=<optimized out>) at ./osslsigncode.c:6173

Note that the segfault occurs in /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
(from libengine-pkcs11-openssl), which is itself called by libcrypto.so.3 (from
libssl3).

Cheers,

--
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  https://sebastien.villemot.name
⠈⠳⣄⠀⠀⠀⠀  https://www.debian.org

More information about the Pkg-openssl-devel mailing list