Your message dated Thu, 24 May 2018 07:19:46 +0000
with message-id <e1flkxk-0003it...@fasolo.debian.org>
and subject line Bug#895035: fixed in osc 0.162.1-2
has caused the Debian Bug report #895035,
regarding osc: crashes with memory corruption when using new libssl1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895035: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895035
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: osc
Version: 0.162.1-1
Severity: grave
Justification: osc tool becomes mostly unusable

This is probably a bug in libssl1.1 or in python-m2crypto, but I'm
reporting it against osc for now, because that's the only place I know
how to reproduce it at the moment. X-Debbugs-Cc'd to the lower-level
packages' maintainers.

Steps to reproduce:

* have an account on any OBS instance (I used <https://build.opensuse.org/>:
  anyone can register there, but an account is required to use the API)
* be in a temporary directory
* rm -fr binaries
* osc -A https://api.opensuse.org getbinaries openSUSE:Leap:15.0 \
  hello standard x86_64
  (or some project/package combination that exists on your OBS)

Expected result: osc downloads hello into ./binaries

Actual result: osc usually segfaults in glibc malloc-related functions,
probably due to memory corruption; sometimes glibc detects the memory
corruption itself and aborts instead.

Workaround: Downgrading libssl1.1 to 1.1.0f-3+deb9u2 from stable-security
makes osc work correctly, so presumably this is a behaviour change
between 1.1.0f and 1.1.0h, either a regression or something that triggers
a pre-existing bug in python-m2crypto (or possibly osc).

Other file-downloading operations like `osc co` have a similar crash.
Perhaps notably, `osc ls` does not.

Backtrace for memory corruption detected by glibc (with MALLOC_CHECK_=2):

#0  0x00007fa978092e7b in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fa978094231 in __GI_abort () at abort.c:79
#2  0x00007fa9780d57b7 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7fa9781de0f3 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fa9780dbd5a in malloc_printerr (str=str@entry=0x7fa9781dc2fe 
"free(): invalid pointer")
    at malloc.c:5350
#4  0x00007fa9780dfc0e in free_check (mem=<optimized out>, caller=<optimized 
out>) at hooks.c:274
#5  0x00007fa9774999a9 in SSL_SESSION_free (ss=0x5561d9428070) at 
../ssl/ssl_sess.c:780
#6  0x00007fa977499daf in ssl_get_new_session (s=s@entry=0x5561d9430d60, 
session=session@entry=0)
    at ../ssl/ssl_sess.c:315
#7  0x00007fa97749e05a in tls_construct_client_hello (s=0x5561d9430d60) at 
../ssl/statem/statem_clnt.c:705
#8  0x00007fa97749c556 in write_state_machine (s=0x5561d9430d60) at 
../ssl/statem/statem.c:773
#9  0x00007fa97749c556 in state_machine (s=0x5561d9430d60, server=0) at 
../ssl/statem/statem.c:404
#10 0x00007fa977494c91 in SSL_do_handshake (s=0x5561d9430d60) at 
../ssl/ssl_lib.c:3220
#11 0x00007fa96e0cb0f2 in ssl_connect (ssl=ssl@entry=0x5561d9430d60, 
timeout=-1) at SWIG/_m2crypto_wrap.c:8255
#12 0x00007fa96e0cb20b in _wrap_ssl_connect (self=<optimized out>, 
args=<optimized out>)
    at SWIG/_m2crypto_wrap.c:21441
#13 0x00005561d73e4e5a in call_function (oparg=<optimized out>, 
pp_stack=0x7ffcd796bcd0)
    at ../Python/ceval.c:4372
#14 0x00005561d73e4e5a in PyEval_EvalFrameEx (f=<optimized out>, 
throwflag=<optimized out>)
    at ../Python/ceval.c:3009
#15 0x00005561d73e241a in PyEval_EvalCodeEx (co=<optimized out>, 
globals=<optimized out>, locals=<optimized out>, args=<optimized out>, 
argcount=<optimized out>, kws=<optimized out>, kwcount=0, defs=0x0, defcount=0, 
closure=0x0) at ../Python/ceval.c:3604
#16 0x00005561d73ea661 in fast_function (nk=0, na=<optimized out>, n=<optimized 
out>, pp_stack=0x7ffcd796beb0, func=<optimized out>) at ../Python/ceval.c:4467

Backtrace for a segfault:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f34e77351c8 in _int_malloc (av=av@entry=0x7f34e7a68c40 <main_arena>, 
bytes=bytes@entry=32)
    at malloc.c:4028
#1  0x00007f34e773659c in __GI___libc_malloc (bytes=32) at malloc.c:3057
#2  0x00007f34e6795469 in CRYPTO_zalloc (num=32, file=file@entry=0x7f34e6816be0 
"../crypto/asn1/tasn_new.c", line=line@entry=122) at ../crypto/mem.c:107
#3  0x00007f34e66ce817 in asn1_item_embed_new (pval=pval@entry=0x7ffc4a4b75e0, 
it=it@entry=0x7f34e6a9ef40 <DIST_POINT_it>, embed=embed@entry=0) at 
../crypto/asn1/tasn_new.c:122
#4  0x00007f34e66cea97 in ASN1_item_ex_new (pval=pval@entry=0x7ffc4a4b75e0, 
it=it@entry=0x7f34e6a9ef40 <DIST_POINT_it>) at ../crypto/asn1/tasn_new.c:39
#5  0x00007f34e66cc291 in asn1_item_embed_d2i (pval=pval@entry=0x7ffc4a4b75e0, 
in=in@entry=0x7ffc4a4b75d8, len=<optimized out>, it=0x7f34e6a9ef40 
<DIST_POINT_it>, tag=<optimized out>, tag@entry=-1, aclass=<optimized out>,
    aclass@entry=0, opt=0 '\000', ctx=0x7ffc4a4b77e0, depth=2) at 
../crypto/asn1/tasn_dec.c:305
#6  0x00007f34e66cc9a8 in asn1_template_noexp_d2i (val=0x7ffc4a4b77d8, 
in=0x7ffc4a4b7820, len=<optimized out>, tt=tt@entry=0x7f34e6aa71e0 
<CRL_DIST_POINTS_item_tt>, opt=<optimized out>, ctx=0x7ffc4a4b77e0, depth=1)
    at ../crypto/asn1/tasn_dec.c:591
#7  0x00007f34e66cccc9 in asn1_template_ex_d2i (val=val@entry=0x7ffc4a4b77d8, 
in=in@entry=0x7ffc4a4b7820, inlen=<optimized out>, tt=0x7f34e6aa71e0 
<CRL_DIST_POINTS_item_tt>, opt=opt@entry=0 '\000', 
ctx=ctx@entry=0x7ffc4a4b77e0, depth=1) at ../crypto/asn1/tasn_dec.c:498
#8  0x00007f34e66cc251 in asn1_item_embed_d2i (pval=pval@entry=0x7ffc4a4b77d8, 
in=0x7ffc4a4b7820, len=<optimized out>, it=it@entry=0x7f34e6a9ef00 
<CRL_DIST_POINTS_it>, tag=tag@entry=-1, aclass=aclass@entry=0, opt=0 '\000', 
ctx=0x7ffc4a4b77e0, depth=1) at ../crypto/asn1/tasn_dec.c:177
#9  0x00007f34e66cce0d in ASN1_item_ex_d2i (pval=pval@entry=0x7ffc4a4b77d8, 
in=<optimized out>, len=<optimized out>, it=0x7f34e6a9ef00 
<CRL_DIST_POINTS_it>, tag=tag@entry=-1, aclass=aclass@entry=0, opt=0 '\000', 
ctx=0x7ffc4a4b77e0) at ../crypto/asn1/tasn_dec.c:123
#10 0x00007f34e66cce8b in ASN1_item_d2i (pval=0x7ffc4a4b77d8, in=<optimized 
out>, len=<optimized out>, it=<optimized out>) at ../crypto/asn1/tasn_dec.c:113
#11 0x00007f34e680d885 in X509V3_EXT_d2i (ext=<optimized out>) at 
../crypto/x509v3/v3_lib.c:210
#12 0x00007f34e680d94f in X509V3_get_d2i (x=<optimized out>, nid=nid@entry=103, 
crit=0x385372041cc40d00,
    crit@entry=0x0, idx=idx@entry=0x0) at ../crypto/x509v3/v3_lib.c:269
#13 0x00007f34e67f52c9 in X509_get_ext_d2i (x=x@entry=0x55e18e619390, 
nid=nid@entry=103, crit=crit@entry=0x0, idx=idx@entry=0x0) at 
../crypto/x509/x509_ext.c:105
#14 0x00007f34e6810c12 in setup_crldp (x=0x55e18e619390) at 
../crypto/x509v3/v3_purp.c:334
#15 0x00007f34e6810c12 in x509v3_cache_extensions (x=x@entry=0x55e18e619390) at 
../crypto/x509v3/v3_purp.c:472
#16 0x00007f34e6811188 in x509v3_cache_extensions (x=0x55e18e619390) at 
../crypto/x509v3/v3_purp.c:765
#17 0x00007f34e6811188 in X509_check_issued 
(issuer=issuer@entry=0x55e18e619390, subject=subject@entry=0x55e18de7c030) at 
../crypto/x509v3/v3_purp.c:762
#18 0x00007f34e67f89a4 in check_issued (ctx=0x55e18dc82960, x=0x55e18de7c030, 
issuer=0x55e18e619390)
    at ../crypto/x509/x509_vfy.c:333
#19 0x00007f34e67f994a in find_issuer (ctx=ctx@entry=0x55e18dc82960, 
sk=sk@entry=0x55e18e6282b0, x=0x55e18de7c030) at ../crypto/x509/x509_vfy.c:317
#20 0x00007f34e67fac6e in build_chain (ctx=0x55e18dc82960) at 
../crypto/x509/x509_vfy.c:3145
#21 0x00007f34e67fac6e in verify_chain (ctx=0x55e18dc82960) at 
../crypto/x509/x509_vfy.c:218
#22 0x00007f34e67fbe56 in X509_verify_cert (ctx=ctx@entry=0x55e18dc82960) at 
../crypto/x509/x509_vfy.c:295
#23 0x00007f34e6ae2297 in ssl_verify_cert_chain (s=s@entry=0x55e18e636360, 
sk=sk@entry=0x55e18e62fa90)
    at ../ssl/ssl_cert.c:436
#24 0x00007f34e6af4d13 in tls_process_server_certificate (s=0x55e18e636360, 
pkt=0x7ffc4a4b7aa0)
    at ../ssl/statem/statem_clnt.c:1212
#25 0x00007f34e6af28ed in read_state_machine (s=0x55e18e636360) at 
../ssl/statem/statem.c:599
#26 0x00007f34e6af28ed in state_machine (s=0x55e18e636360, server=0) at 
../ssl/statem/statem.c:395
#27 0x00007f34e6aeac91 in SSL_do_handshake (s=0x55e18e636360) at 
../ssl/ssl_lib.c:3220
#28 0x00007f34dd7210f2 in ssl_connect (ssl=ssl@entry=0x55e18e636360, 
timeout=-1) at SWIG/_m2crypto_wrap.c:8255
#29 0x00007f34dd72120b in _wrap_ssl_connect (self=<optimized out>, 
args=<optimized out>)
    at SWIG/_m2crypto_wrap.c:21441
#30 0x000055e18c298e5a in call_function (oparg=<optimized out>, 
pp_stack=0x7ffc4a4b7c70)
    at ../Python/ceval.c:4372
#31 0x000055e18c298e5a in PyEval_EvalFrameEx (f=<optimized out>, 
throwflag=<optimized out>)
    at ../Python/ceval.c:3009
#32 0x000055e18c29641a in PyEval_EvalCodeEx (co=<optimized out>, 
globals=<optimized out>, locals=<optimized out>, args=<optimized out>, 
argcount=<optimized out>, kws=<optimized out>, kwcount=0, defs=0x0, defcount=0, 
closure=0x0) at ../Python/ceval.c:3604
#33 0x000055e18c29e661 in fast_function (nk=0, na=<optimized out>, n=<optimized 
out>, pp_stack=0x7ffc4a4b7e50, func=<optimized out>) at ../Python/ceval.c:4467

(In both cases I've omitted a large number of probably-uninteresting
Python stack frames below the end of the backtrace I quoted, since this
is a C-level crash.)

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'proposed-updates'), (500, 'experimental-debug'), (500, 'buildd-unstable'), 
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), 
LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages osc depends on:
ii  ca-certificates    20170717
ii  python             2.7.14-4
ii  python-m2crypto    0.27.0-5
ii  python-urlgrabber  3.10.2-1

Versions of packages osc recommends:
ii  bash-completion  1:2.8-1
ii  cpio             2.12+dfsg-6
ii  obs-build        20180302-2
ii  python-keyring   10.6.0-1
ii  python-rpm       4.14.1+dfsg1-2
ii  rpm2cpio         4.14.1+dfsg1-2
ii  sensible-utils   0.0.12

osc suggests no packages.

-- no debconf information

--- End Message ---
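
Added example (not part of the original report and not code from osc, M2Crypto or OpenSSL): a small Python triage helper that rejoins the mail-wrapped gdb frames quoted in the report and shows where control crosses between M2Crypto, OpenSSL and glibc. The path-to-component mapping and all helper names are assumptions of this example.

```python
import re

# Constructed excerpt of the MALLOC_CHECK_=2 backtrace in the report (frames
# 7-9 left out), with the line wrapping the mail client introduced.
SAMPLE = """\
#3  0x00007fa9780dbd5a in malloc_printerr (str=str@entry=0x7fa9781dc2fe
"free(): invalid pointer")
    at malloc.c:5350
#4  0x00007fa9780dfc0e in free_check (mem=<optimized out>, caller=<optimized
out>) at hooks.c:274
#5  0x00007fa9774999a9 in SSL_SESSION_free (ss=0x5561d9428070) at
../ssl/ssl_sess.c:780
#6  0x00007fa977499daf in ssl_get_new_session (s=s@entry=0x5561d9430d60,
session=session@entry=0)
    at ../ssl/ssl_sess.c:315
#10 0x00007fa977494c91 in SSL_do_handshake (s=0x5561d9430d60) at
../ssl/ssl_lib.c:3220
#11 0x00007fa96e0cb0f2 in ssl_connect (ssl=ssl@entry=0x5561d9430d60,
timeout=-1) at SWIG/_m2crypto_wrap.c:8255
"""

# Assumed mapping from source-path prefix to component; paths without a
# directory (malloc.c, hooks.c) are assumed to be glibc.
PREFIXES = [("../ssl/", "openssl"), ("../crypto/", "openssl"),
            ("SWIG/", "m2crypto"), ("../Python/", "cpython"),
            ("../sysdeps/", "glibc")]
FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\) at (\S+):(\d+)$")

def component(path):
    for prefix, name in PREFIXES:
        if path.startswith(prefix):
            return name
    return "glibc" if "/" not in path else "unknown"

def parse_frames(text):
    """Rejoin wrapped gdb frames; return (index, function, file, line, component)."""
    joined = []
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"#\d+\s", line):
            joined.append(line)          # start of a new frame
        elif line and joined:
            joined[-1] += " " + line     # continuation of the previous frame
    found = (FRAME.match(j) for j in joined)
    return [(int(m[1]), m[2], m[3], int(m[4]), component(m[3])) for m in found if m]

def boundaries(frames):
    """(caller, callee) pairs where adjacent frames belong to different components."""
    return [(f"{b[4]}:{b[1]}", f"{a[4]}:{a[1]}")
            for a, b in zip(frames, frames[1:])
            if b[0] == a[0] + 1 and a[4] != b[4]]

def first_non_allocator(frames):
    """Innermost frame outside glibc: the code that handed malloc/free the pointer."""
    return next((f for f in frames if f[4] != "glibc"), None)
```

For the `free(): invalid pointer` abort the innermost non-glibc frame names the caller that passed the bad pointer; for the SIGSEGV inside `_int_malloc` it only marks where already-corrupted heap state was noticed, not where it was corrupted.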
--- Begin Message ---
Source: osc
Source-Version: 0.162.1-2

We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <ni...@debian.org> (supplier of updated osc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 24 May 2018 08:44:29 +0200
Source: osc
Binary: osc
Architecture: source
Version: 0.162.1-2
Distribution: unstable
Urgency: medium
Maintainer: RPM packaging team <pkg-rpm-de...@lists.alioth.debian.org>
Changed-By: Michal Čihař <ni...@debian.org>
Description:
 osc        - Open Build Service commander
Closes: 895035 898775 898963
Changes:
 osc (0.162.1-2) unstable; urgency=medium
 .
   * Incorporate NMU changes (Closes: #898963).
   * Remove constraint on historical Python version.
 .
 osc (0.162.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Merge Build-Depends-Indep into Build-Depends. The python2 and
     bash-completion debhelper sequences are needed for the clean target
     when building a source package, but that target is only guaranteed to
     have the Build-Depends available; and python-urlgrabber turns out to
     also be needed during clean, because it's indirectly imported
     by setup.py. (Closes: #898775)
   * d/p/Disable-ssl-session-resumption.patch:
     Add patch from upstream fixing a segfault when used with
     libssl1.1 (>= 1.1.0h) (Closes: #895035)


--- End Message ---
