I have the same problem as Kurt with libcrypto1.0.0 from
libssl1.0.0 version 1.0.1-2. The same happens on two
different i386 hosts.
Among other ways, here are two ways to reproducibly cause
libcrypto to segfault:
- Sshing to a host with libssl1.0.0 1.0.1-2 and running
'ssh-add -l' there causes the sshd process to segfault
- Sshing from a host with libssl1.0.0 1.0.1-2 to another
host causes the ssh client to segfault after
authentication
In both cases the segfault happens in
/usr/lib/i386-Linux-gnu/i686/cmov/libcrypto.so.1.0.0 in
vpaes-x86.s, somewhere in vpaes_cbc_encrypt().
The ssh-add segfault happens with an RSA key. If I don't
forward the ssh agent connection (or don't use one at all),
'ssh-add -l' doesn't cause a segfault.
Kernel log:
Mar 30 08:44:43 kernel: sshd[19995]: segfault at b8911000 ip b756c678 sp
bfe85f00 error 6 in libcrypto.so.1.0.0[b7503000+1a3000]
Mar 30 08:44:43 kernel: ssh[20661]: segfault at b7ba8000 ip b756e0cd sp
bfd4d44c error 4 in libcrypto.so.1.0.0[b7505000+1a3000]
Strace and ltrace don't show anything useful.
strace:
read(3, "...", 16384) = 72
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
ltrace:
23942 --- SIGSEGV (Segmentation fault) ---
23942 +++ killed by SIGSEGV +++
Gdb backtrace (with libssl1.0.0-dbg version 1.0.1-2
installed):
(gdb) bt
#0 vpaes_cbc_encrypt () at vpaes-x86.s:646 1 0xc585e35b
#in ?? ()
The outbound openssh-client segfaults trying to connect to
target hosts of various older openssh versions, even with
ssh agent and X forwarding disabled.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: ...
debug1: Trying private key: ...
debug1: Trying private key: ...
debug1: Next authentication method: password
xxx@xxx's password:
zsh: segmentation fault command ssh -a -x -v xxx
Strace/ltrace don't show anything useful.
Gdb backtrace:
(gdb) bt
#0 _vpaes_decrypt_core () at vpaes-x86.s:221
#1 0xb7e4c665 in vpaes_cbc_encrypt () at vpaes-x86.s:641
#2 0x34e2e746 in ?? ()
I've downgraded to libssl1.0.0 version 1.0.0h-1 which works.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
