On Wed, Dec 14, 2022 at 03:51:44PM +0100, Renaud Allard wrote:
>
>
> On 12/14/22 14:44, Theo de Raadt wrote:
> > sysctl kern.nosuidcoredump=3
> >
> > mkdir /var/crash/acme-client
> >
> > and then try to reproduce, and see if a core file is delivered there.
> > This coredump mechanism was added to capture some hard-to-capture coredumps,
> > you can see more info in core(5) and sysctl(3)
> >
>
> Thanks
>
> I have been able to reproduce it reliably with the staging API, however,
> there is no core dump generated in /var/crash/acme-client.
>
> To reproduce it, you need a certificate with alternative names using
> multiple different domains. Generate a cert, then fully remove one of the
> domains and ask for a forced reissue.
>
> I tried with following Otto patch from today, and it seems it solves the
> issue.
Are you sure you attached the right patch?
-Otto
>
> Index: acctproc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> retrieving revision 1.23
> diff -u -p -r1.23 acctproc.c
> --- acctproc.c 14 Jan 2022 09:20:18 -0000 1.23
> +++ acctproc.c 14 Dec 2022 11:06:45 -0000
> @@ -439,6 +439,7 @@ op_sign(int fd, EVP_PKEY *pkey, enum acc
>
> rc = 1;
> out:
> + ECDSA_SIG_free(ec_sig);
> EVP_MD_CTX_free(ctx);
> free(pay);
> free(sign);
