[Pkg-openssl-devel] Bug#1110489: bookworm-pu: package openssl/3.0.17-1~deb12u2
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Wed Aug 6 22:29:44 BST 2025
Package: release.debian.org
Control: affects -1 + src:openssl
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
The update to 3.0.17 led to a regression: certain packages crash
randomly. This has been reported in https://bugs.debian.org/1110254 and
upstream as https://github.com/openssl/openssl/issues/28171
The upstream bug report has a testcase included. I can verify that the
testcase triggers with 3.0.17-1~deb12u1 and no longer triggers after
reverting the commits
- 7141330fb98ce ("Drop "by store"'s by_store_subject_ex()")
- 340383f5f49f8 ("Rework the "by store" X509_LOOKUP method to open the given URI early")
- a468bdb02531e ("Add test_verify tests")
All three commits are part of the same fix:
https://github.com/openssl/openssl/pull/27529
https://github.com/openssl/openssl/issues/27461
This change is also present in 3.5.1 release (unstable + testing) but
the testcase does not trigger there.
The prepared update was also tested by others and verified against
sabnzbdplus, which was one of the packages that people complained about.
Please find attached a debdiff of the proposed update.
I am sorry for the fallout.
Sebastian
diff -Nru openssl-3.0.17/debian/changelog openssl-3.0.17/debian/changelog
--- openssl-3.0.17/debian/changelog 2025-07-13 14:39:08.000000000 +0200
+++ openssl-3.0.17/debian/changelog 2025-08-05 09:09:41.000000000 +0200
@@ -1,3 +1,14 @@
+openssl (3.0.17-1~deb12u2) bookworm; urgency=medium
+
+ * Revert the following upstream changes to avoid crashes in downstream
+ software:
+ - 7141330fb98ce ("Drop "by store"'s by_store_subject_ex()")
+ - 340383f5f49f8 ("Rework the "by store" X509_LOOKUP method to open the given URI early")
+ - a468bdb02531e ("Add test_verify tests")
+ Closes: #1110254
+
+ -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc> Tue, 05 Aug 2025 09:09:41 +0200
+
openssl (3.0.17-1~deb12u1) bookworm; urgency=medium
* Import 3.0.17
diff -Nru openssl-3.0.17/debian/patches/Revert-Add-test_verify-tests.patch openssl-3.0.17/debian/patches/Revert-Add-test_verify-tests.patch
--- openssl-3.0.17/debian/patches/Revert-Add-test_verify-tests.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.17/debian/patches/Revert-Add-test_verify-tests.patch 2025-08-04 20:06:36.000000000 +0200
@@ -0,0 +1,82 @@
+From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Mon, 4 Aug 2025 20:02:54 +0200
+Subject: Revert "Add test_verify tests"
+
+This reverts commit a468bdb02531e ("Add test_verify tests")
+
+Avoid crashes in users, see https://bugs.debian.org/1110254
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ test/recipes/25-test_verify.t | 39 +++++----------------------------------
+ 1 file changed, 5 insertions(+), 34 deletions(-)
+
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 7bada5186d75..48bd837ec320 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -10,7 +10,6 @@
+ use strict;
+ use warnings;
+
+-use Cwd qw(abs_path);
+ use File::Spec::Functions qw/canonpath/;
+ use File::Copy;
+ use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir ok_nofips with/;
+@@ -18,19 +17,19 @@ use OpenSSL::Test::Utils;
+
+ setup("test_verify");
+
+-my @certspath = qw(test certs);
+ sub verify {
+ my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
++ my @path = qw(test certs);
+ my @args = qw(openssl verify -auth_level 1);
+ push(@args, "-purpose", $purpose) if $purpose ne "";
+ push(@args, @opts);
+- for (@$trusted) { push(@args, "-trusted", srctop_file(@certspath, "$_.pem")) }
+- for (@$untrusted) { push(@args, "-untrusted", srctop_file(@certspath, "$_.pem")) }
+- push(@args, srctop_file(@certspath, "$cert.pem"));
++ for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) }
++ for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) }
++ push(@args, srctop_file(@path, "$cert.pem"));
+ run(app([@args]));
+ }
+
+-plan tests => 175;
++plan tests => 166;
+
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -528,31 +527,3 @@ ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
+ "-explicit_policy"),
+ "Bad certificate policy");
+-
+-# CAstore option
+-my $rootcertname = "root-cert";
+-my $rootcert = srctop_file(@certspath, "${rootcertname}.pem");
+-sub vfy_root { verify($rootcertname, "", [], [], @_) }
+-ok(vfy_root("-CAfile", $rootcert), "CAfile");
+-ok(vfy_root("-CAstore", $rootcert), "CAstore");
+-ok(vfy_root("-CAstore", $rootcert, "-CAfile", $rootcert), "CAfile and existing CAstore");
+-ok(!vfy_root("-CAstore", "non-existing", "-CAfile", $rootcert), "CAfile and non-existing CAstore");
+-SKIP: {
+- skip "file names with colons aren't supported on Windows and VMS", 2
+- if $^O =~ /^(MsWin32|VMS)$/;
+- my $foo_file = "foo:cert.pem";
+- copy($rootcert, $foo_file);
+- ok(vfy_root("-CAstore", $foo_file), "CAstore foo:file");
+-}
+-my $foo_file = "cert.pem";
+-copy($rootcert, $foo_file);
+-ok(vfy_root("-CAstore", $foo_file), "CAstore file");
+-my $abs_cert = abs_path($rootcert);
+-# Windows file: URIs should have a path part starting with a slash, i.e.
+-# file://authority/C:/what/ever/foo.pem and file:///C:/what/ever/foo.pem
+-# file://C:/what/ever/foo.pem is non-standard and may not be accepted.
+-# See RFC 8089 for details.
+-$abs_cert = "/" . $abs_cert if ($^O eq "MSWin32");
+-ok(vfy_root("-CAstore", "file://".$abs_cert), "CAstore file:///path");
+-ok(vfy_root("-CAstore", "file://localhost".$abs_cert), "CAstore file://localhost/path");
+-ok(!vfy_root("-CAstore", "file://otherhost".$abs_cert), "CAstore file://otherhost/path");
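Review bot: The patch header at the top of this hunk justifies the revert only with "Avoid crashes in users" and never says why a test-only commit has to go; the removed cases (the `-CAstore non-existing` check and the `file://` URI checks) presumably exercise the early-open behaviour that the two companion reverts withdraw, and would fail once those apply. I would state that dependency in the description and add DEP-3 fields so the origin is machine-readable: `Bug-Debian: https://bugs.debian.org/1110254` and `Bug: https://github.com/openssl/openssl/issues/28171`. The same header shape is used by Revert-Drop-by-store-s-by_store_subject_ex.patch and Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch, so the same fields belong in those two as well. The new plan of 166 is consistent with the nine `ok(...)` calls removed from the old plan of 175, so the count itself needs no change.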
diff -Nru openssl-3.0.17/debian/patches/Revert-Drop-by-store-s-by_store_subject_ex.patch openssl-3.0.17/debian/patches/Revert-Drop-by-store-s-by_store_subject_ex.patch
--- openssl-3.0.17/debian/patches/Revert-Drop-by-store-s-by_store_subject_ex.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.17/debian/patches/Revert-Drop-by-store-s-by_store_subject_ex.patch 2025-08-04 20:06:36.000000000 +0200
@@ -0,0 +1,66 @@
+From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Mon, 4 Aug 2025 20:02:29 +0200
+Subject: Revert "Drop "by store"'s by_store_subject_ex()"
+
+This reverts commit 7141330fb98ce ("Drop "by store"'s by_store_subject_ex()").
+
+Avoid crashes in users, see https://bugs.debian.org/1110254
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ crypto/x509/by_store.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c
+index e486fb0a9d94..fc6942a17855 100644
+--- a/crypto/x509/by_store.c
++++ b/crypto/x509/by_store.c
+@@ -202,7 +202,8 @@ static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
+ }
+
+ static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+- const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
++ const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret,
++ OSSL_LIB_CTX *libctx, const char *propq)
+ {
+ STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
+ int i;
+@@ -218,12 +219,13 @@ static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ return ok;
+ }
+
+-static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+- const X509_NAME *name, X509_OBJECT *ret)
++static int by_store_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
++ const X509_NAME *name, X509_OBJECT *ret,
++ OSSL_LIB_CTX *libctx, const char *propq)
+ {
+ OSSL_STORE_SEARCH *criterion =
+ OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
+- int ok = by_store(ctx, type, criterion, ret);
++ int ok = by_store(ctx, type, criterion, ret, libctx, propq);
+ STACK_OF(X509_OBJECT) *store_objects =
+ X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
+ X509_OBJECT *tmp = NULL;
+@@ -271,6 +273,12 @@ static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ return ok;
+ }
+
++static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
++ const X509_NAME *name, X509_OBJECT *ret)
++{
++ return by_store_subject_ex(ctx, type, name, ret, NULL, NULL);
++}
++
+ /*
+ * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
+ * and get_by_alias. There's simply not enough support in the X509_LOOKUP
+@@ -288,7 +296,7 @@ static X509_LOOKUP_METHOD x509_store_lookup = {
+ NULL, /* get_by_issuer_serial */
+ NULL, /* get_by_fingerprint */
+ NULL, /* get_by_alias */
+- NULL, /* get_by_subject_ex */
++ by_store_subject_ex,
+ by_store_ctrl_ex
+ };
+
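Review bot: After this patch alone the tree is only half-consistent: `by_store` gains the `libctx`/`propq` parameters in the signature at the start of the first inner hunk, but its body still walks the `CACHED_STORE` stack and the `cache_objects` call that would consume them lies outside the hunk, so the new parameters stay unused until Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch, next in debian/patches/series, is applied. That is fine for the series as a whole, but anyone bisecting between the two patches may see unused-parameter warnings in strict-warning builds. I would record the ordering in the patch header, e.g. `Must be applied before Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch; libctx/propq are only consumed once that revert is in place.` Both `by_store` and `by_store_subject_ex` continue past the boundaries of the inner hunks shown here.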
diff -Nru openssl-3.0.17/debian/patches/Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch openssl-3.0.17/debian/patches/Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch
--- openssl-3.0.17/debian/patches/Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.17/debian/patches/Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch 2025-08-04 20:06:36.000000000 +0200
@@ -0,0 +1,200 @@
+From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Mon, 4 Aug 2025 20:02:43 +0200
+Subject: Revert "Rework the "by store" X509_LOOKUP method to open the given
+ URI early"
+
+This reverts commit 340383f5f49f8 ("Rework the "by store" X509_LOOKUP method to open the given URI early")
+
+Avoid crashes in users, see https://bugs.debian.org/1110254
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ crypto/x509/by_store.c | 111 ++++++++++++-------------------------------------
+ 1 file changed, 27 insertions(+), 84 deletions(-)
+
+diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c
+index fc6942a17855..e538e0f6d1b7 100644
+--- a/crypto/x509/by_store.c
++++ b/crypto/x509/by_store.c
+@@ -7,34 +7,23 @@
+ * https://www.openssl.org/source/license.html
+ */
+
+-#include <openssl/safestack.h>
+ #include <openssl/store.h>
+ #include "internal/cryptlib.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+
+-typedef struct cached_store_st {
+- char *uri;
+- OSSL_LIB_CTX *libctx;
+- char *propq;
+- OSSL_STORE_CTX *ctx;
+-} CACHED_STORE;
+-
+-DEFINE_STACK_OF(CACHED_STORE)
+-
+ /* Generic object loader, given expected type and criterion */
+-static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
+- const OSSL_STORE_SEARCH *criterion, int depth)
++static int cache_objects(X509_LOOKUP *lctx, const char *uri,
++ const OSSL_STORE_SEARCH *criterion,
++ int depth, OSSL_LIB_CTX *libctx, const char *propq)
+ {
+ int ok = 0;
+- OSSL_STORE_CTX *ctx = store->ctx;
++ OSSL_STORE_CTX *ctx = NULL;
+ X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
+
+- if (ctx == NULL
+- && (ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
+- NULL, NULL, NULL, NULL, NULL)) == NULL)
++ if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
++ NULL, NULL)) == NULL)
+ return 0;
+- store->ctx = ctx;
+
+ /*
+ * We try to set the criterion, but don't care if it was valid or not.
+@@ -73,15 +62,9 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
+ * This is an entry in the "directory" represented by the current
+ * uri. if |depth| allows, dive into it.
+ */
+- if (depth > 0) {
+- CACHED_STORE substore;
+-
+- substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
+- substore.libctx = store->libctx;
+- substore.propq = store->propq;
+- substore.ctx = NULL;
+- ok = cache_objects(lctx, &substore, criterion, depth - 1);
+- }
++ if (depth > 0)
++ ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
++ criterion, depth - 1, libctx, propq);
+ } else {
+ /*
+ * We know that X509_STORE_add_{cert|crl} increments the object's
+@@ -105,38 +88,27 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
+ break;
+ }
+ OSSL_STORE_close(ctx);
+- store->ctx = NULL;
+
+ return ok;
+ }
+
+
+-static void free_store(CACHED_STORE *store)
++/* Because OPENSSL_free is a macro and for C type match */
++static void free_uri(OPENSSL_STRING data)
+ {
+- if (store != NULL) {
+- OSSL_STORE_close(store->ctx);
+- OPENSSL_free(store->uri);
+- OPENSSL_free(store->propq);
+- OPENSSL_free(store);
+- }
++ OPENSSL_free(data);
+ }
+
+ static void by_store_free(X509_LOOKUP *ctx)
+ {
+- STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
+- sk_CACHED_STORE_pop_free(stores, free_store);
++ STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
++ sk_OPENSSL_STRING_pop_free(uris, free_uri);
+ }
+
+ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
+ long argl, char **retp, OSSL_LIB_CTX *libctx,
+ const char *propq)
+ {
+- /*
+- * In some cases below, failing to use the defaults shouldn't result in
+- * an error. |use_default| is used as the return code in those cases.
+- */
+- int use_default = argp == NULL;
+-
+ switch (cmd) {
+ case X509_L_ADD_STORE:
+ /* If no URI is given, use the default cert dir as default URI */
+@@ -146,50 +118,21 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
+ argp = X509_get_default_cert_dir();
+
+ {
+- STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
+- CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store));
++ STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
++ char *data = OPENSSL_strdup(argp);
+
+- if (store == NULL) {
++ if (data == NULL) {
+ return 0;
+ }
+-
+- store->uri = OPENSSL_strdup(argp);
+- store->libctx = libctx;
+- if (propq != NULL)
+- store->propq = OPENSSL_strdup(propq);
+- store->ctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
+- NULL, NULL, NULL);
+- if (store->ctx == NULL
+- || (propq != NULL && store->propq == NULL)
+- || store->uri == NULL) {
+- free_store(store);
+- return use_default;
++ if (uris == NULL) {
++ uris = sk_OPENSSL_STRING_new_null();
++ X509_LOOKUP_set_method_data(ctx, uris);
+ }
+-
+- if (stores == NULL) {
+- stores = sk_CACHED_STORE_new_null();
+- if (stores != NULL)
+- X509_LOOKUP_set_method_data(ctx, stores);
+- }
+- if (stores == NULL || sk_CACHED_STORE_push(stores, store) <= 0) {
+- free_store(store);
+- return 0;
+- }
+- return 1;
++ return sk_OPENSSL_STRING_push(uris, data) > 0;
+ }
+- case X509_L_LOAD_STORE: {
++ case X509_L_LOAD_STORE:
+ /* This is a shortcut for quick loading of specific containers */
+- CACHED_STORE store;
+-
+- store.uri = (char *)argp;
+- store.libctx = libctx;
+- store.propq = (char *)propq;
+- store.ctx = NULL;
+- return cache_objects(ctx, &store, NULL, 0);
+- }
+- default:
+- /* Unsupported command */
+- return 0;
++ return cache_objects(ctx, argp, NULL, 0, libctx, propq);
+ }
+
+ return 0;
+@@ -205,13 +148,13 @@ static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret,
+ OSSL_LIB_CTX *libctx, const char *propq)
+ {
+- STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
++ STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
+ int i;
+ int ok = 0;
+
+- for (i = 0; i < sk_CACHED_STORE_num(stores); i++) {
+- ok = cache_objects(ctx, sk_CACHED_STORE_value(stores, i), criterion,
+- 1 /* depth */);
++ for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
++ ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
++ 1 /* depth */, libctx, propq);
+
+ if (ok)
+ break;
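Review bot: The restored `X509_L_ADD_STORE` branch only `OPENSSL_strdup`s the URI and pushes it onto the stack; the `OSSL_STORE_open_ex` call and the `use_default` return path deleted in this hunk are what made 3.0.17 reject an unopenable store at configuration time. With the revert a nonexistent or unreadable CA store is accepted silently and is only noticed later when `cache_objects` fails to open it, which is also why the `-CAstore non-existing` test is dropped in the companion patch; each lookup in `by_store` additionally re-opens every registered URI, since `cache_objects` now opens and closes its own `OSSL_STORE_CTX` on every call. That is the pre-3.0.17 behaviour rather than a new regression, but the changelog entry should say that the early validation is withdrawn together with the crash fix, e.g. `A non-existent -CAstore URI is again only detected at lookup time, not when it is added.` Both `by_store_ctrl_ex` and `by_store` extend past the inner hunk boundaries shown here.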
diff -Nru openssl-3.0.17/debian/patches/series openssl-3.0.17/debian/patches/series
--- openssl-3.0.17/debian/patches/series 2025-07-13 14:23:43.000000000 +0200
+++ openssl-3.0.17/debian/patches/series 2025-08-04 20:06:36.000000000 +0200
@@ -7,3 +7,6 @@
Remove-the-provider-section.patch
conf-Serialize-allocation-free-of-ssl_names.patch
Fix-tests-for-new-default-security-level.patch
+Revert-Drop-by-store-s-by_store_subject_ex.patch
+Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch
+Revert-Add-test_verify-tests.patch