On 12/14/22 15:56, Otto Moerbeek wrote:
On Wed, Dec 14, 2022 at 03:51:44PM +0100, Renaud Allard wrote:

On 12/14/22 14:44, Theo de Raadt wrote:

sysctl kern.nosuidcoredump=3
mkdir /var/crash/acme-client

and then try to reproduce, and see if a core file is delivered there. This coredump mechanism was added to capture some hard-to-capture coredumps, you can see more info in core(5) and sysctl(3)

Thanks I have been able to reproduce it reliably with the staging API, however, there is no core dump generated in /var/crash/acme-client. To reproduce it, you need a certificate with alternative names using multiple different domains. Generate a cert, then fully remove one of the domains and ask for a forced reissue. I tried with following Otto patch from today, and it seems it solves the issue.

Are you sure you attached the right patch?

-Otto

Index: acctproc.c =================================================================== RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v retrieving revision 1.23 diff -u -p -r1.23 acctproc.c --- acctproc.c 14 Jan 2022 09:20:18 -0000 1.23 +++ acctproc.c 14 Dec 2022 11:06:45 -0000 @@ -439,6 +439,7 @@ op_sign(int fd, EVP_PKEY *pkey, enum acc rc = 1; out: + ECDSA_SIG_free(ec_sig); EVP_MD_CTX_free(ctx); free(pay); free(sign);
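Review bot: the new ECDSA_SIG_free(ec_sig) under the out: label in op_sign() runs on every exit path, including any goto out taken before ec_sig is assigned, so it is only safe if ec_sig is initialised to NULL at its declaration, which the visible context does not show. ECDSA_SIG_free(NULL) is a no-op, so that initialisation is sufficient. Also check that no earlier ECDSA_SIG_free(ec_sig) remains on the success path above rc = 1; if one does, remove it or set ec_sig = NULL after it, otherwise this line turns a leak fix into a double free.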
OK, with both patches (one from Otto and the other from Theo B (sorry, I mistook the first patch author)) and 4 tries, I have not got the crash anymore.
Index: revokeproc.c =================================================================== RCS file: /home/cvs/src/usr.sbin/acme-client/revokeproc.c,v retrieving revision 1.19 diff -u -p -r1.19 revokeproc.c --- revokeproc.c 22 Nov 2021 08:26:08 -0000 1.19 +++ revokeproc.c 14 Dec 2022 14:16:46 -0000 @@ -239,6 +239,7 @@ revokeproc(int fd, const char *certfile, goto out; } force = 2; + continue; } if (found[j]++) { if (revocate) {
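Review bot: the continue added after force = 2 in revokeproc() needs a one-line comment stating why the rest of the loop body must be skipped, since its effect is to bypass the found[j]++ test that follows the closing brace and the reason is not obvious from the code. The hunk does not show the value of j at this point or the loop header, so please confirm in the commit message that found[j] would be indexed with an unmatched j here, and that nothing later in the iteration (bookkeeping or frees) still has to run for the entry being skipped.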