Hello Dimitri, or anyone else affected, Accepted curl into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.8 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: curl (Ubuntu Focal) Status: Triaged => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to curl in Ubuntu. https://bugs.launchpad.net/bugs/1940528 Title: curl 7.68 does not init OpenSSL correctly Status in curl package in Ubuntu: Fix Released Status in curl source package in Bionic: New Status in curl source package in Focal: Fix Committed Bug description: [Impact] * curl 7.68 does not correctly use OpenSSL 1.1.0+ api to init OpenSSL global state prior to executing any OpenSSL APIs. This may lead to duplicate engine initiation, which upon engine unload may cause use- after-free or double-free of any methods that engine installs. This has been fixed in curl 7.74 by correctly calling OpenSSL init api prior to any other calls to OpenSSL apis. [Test Plan] * This should be reproducible with any engines that allocate & register methods, and free them upon engine unload. Then use curl with openssl backend to test for corrupted stack. * I.e. on arm64, compile and configure pka engine from https://github.com/Mellanox/pka/commit/b0f32fa05298bf9e3997ea43fc1c11b90e0d662f (i.e. without the double-free protections proposed in https://github.com/Mellanox/pka/pull/37 ) on any arm64 hardware, there is no need for the engine to actually work or have access to anything, as the issue is reproducible when engine is enabled but cannot be effectively used. * curl any https website ... PKA_DEV: pka_dev_open_ring_vfio: error: failed to get ring 50 device name PKA_ENGINE: PKA instance is invalid PKA_ENGINE: failed to retrieve valid instance 100 338 100 338 0 0 3520 0 --:--:-- --:--:-- --:--:-- 3520 (exit status 0) is good output from fixed curl. Whereas: PKA_ENGINE: PKA instance is invalid PKA_ENGINE: failed to retrieve valid instance 100 338 100 338 0 0 1169 0 --:--:-- --:--:-- --:--:-- 1169 Segmentation fault (core dumped) (exit status non-zero) is bad output from currently broken curl. [Where problems could occur] * Correctly calling OpenSSL init function prior to any other OpenSSL apis changes the behaviour of the library slightly - specifically openssl configuration file and engines are initialised and loaded earlier, meaning that site-local customizations are applied correctly whenever using curl cli utility or libcurl4 (the openssl version of curl). This will make engine support working correctly across the board. However, if one has missconfigured openssl conf and missconfigured engines which are now actually attempted to be used one may experience unexpected behaviour changes (since potentially existing configuration was not actually taking effect). [Other Info] * References: https://github.com/curl/curl/commit/1835cb916e0d40eb8bc1165d5627a0b64f911bac https://github.com/openssl/openssl/issues/13548 https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
