Bug#768841: libgnutls-deb0-28: SIGABRT when loading certificates

2014-11-10 Thread Andreas Metzler 
Control: severity -1 serious

On 2014-11-09 Marc Dequènes (Duck) d...@duckcorp.org wrote:
 Package: libgnutls-deb0-28
 Version: 3.3.8-3
 Severity: grave
 Justification: breaks related softwares (minbif, ircd-ratbox)
 Control: affects -1 = minbif ircd-ratbox

[...]
 Reverting the certificates (which are still valid until the end of the
 month) did not help. Downgrading gnutls to 3.3.8-2 (before the rusage patch)
 did not help either.

 I find two things disturbing. First, fd 3 is used to read the public key,
 closed, but then read again which fails and the abort is done shortly
 afterwards. Second, rnd_func() fails like if there was no entropy available,
 but /proc/sys/kernel/random/entropy_avail proves it wrong (the machine has a
 hardware generator with rngd).
[...]

Hello,
This sounds somehow similar to https://cups.org/str.php?L4484 which
this change in GnuTLS 3.3.10 should work around:

** libgnutls: When gnutls_global_init() is called for a second time, it
will check whether the /dev/urandom fd kept is still open and matches
the original one. That behavior works around issues with servers that
close all file descriptors.

Could you check whether upgrading to 3.3.10 (just uploaded to
experimental) fixes the issues you reported, too?

cu Andreas
PS: Looking at
https://www.debian.org/Bugs/Developer.en.html#severities this seems
to match a bug which has a major effect on the usability of a
package, without rendering it completely unusable to everyone which
would be important, not grave.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#768841: libgnutls-deb0-28: SIGABRT when loading certificates

2014-11-10 Thread Marc Dequènes (Duck) 

Coin,

Quoting Andreas Metzler ametz...@bebt.de:


Could you check whether upgrading to 3.3.10 (just uploaded to
experimental) fixes the issues you reported, too?


You're right, this fixed the problem for both minbif and ircd-ratbox.


PS: Looking at
https://www.debian.org/Bugs/Developer.en.html#severities this seems
to match a bug which has a major effect on the usability of a
package, without rendering it completely unusable to everyone which
would be important, not grave.


I disagree. When a bug breaks other packages, this is clearly  
unsuitable for release and ought to be RC. It can't be critical as it  
does not break unrelated softwares […]. It can't be serious as it is  
not a matter of policy. For a library, which only use is to provide  
functions to other programs, to cause crashes to many rdeps is in my  
opinion being unusable or mostly so.



Well, thanks for your help. I think the next step is ensuring this fix  
enters Jessie. 3.3.10 does not seem to add more than a few fixes  
(which at first glance seem important). It could be reasonable to  
discuss an unblock with the RT.


Regards.

--
Marc Dequènes (Duck)



pgpEl1cgNZe95.pgp
Description: PGP Digital Signature

Bug#768841: libgnutls-deb0-28: SIGABRT when loading certificates

2014-11-09 Thread Marc Dequènes (Duck) 

Package: libgnutls-deb0-28
Version: 3.3.8-3
Severity: grave
Justification: breaks related softwares (minbif, ircd-ratbox)
Control: affects -1 = minbif ircd-ratbox


Coin,

I had to update all my certificates because our CA is going to expire  
soon. I then restarted all services with the new CA and server  
certificates and it worked for all services but minbif and ircd-ratbox  
(probably the only ones using gnutls). minbif fork for each connecting  
user and the new process crash ; see the strace and gdb trace  
attached. I was not able yet to get a core for ircd-ratbox but the  
strace is similar.


Reverting the certificates (which are still valid until the end of the  
month) did not help. Downgrading gnutls to 3.3.8-2 (before the rusage  
patch) did not help either.


I find two things disturbing. First, fd 3 is used to read the public  
key, closed, but then read again which fails and the abort is done  
shortly afterwards. Second, rnd_func() fails like if there was no  
entropy available, but /proc/sys/kernel/random/entropy_avail proves it  
wrong (the machine has a hardware generator with rngd).


As for the timing, i uploaded ircd-ratbox on 2014-07-29 which worked  
perfectly on the testing suite at that time (after a gnutls 3 patch).


Tell me if you need anything tested and thanks for your help.

Regards.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls-deb0-28 depends on:
ii  libc6  2.19-12
ii  libgmp10   2:6.0.0+dfsg-4
ii  libhogweed22.7.1-3
ii  libnettle4 2.7.1-3
ii  libp11-kit00.20.7-1
ii  libtasn1-6 4.1-1
ii  multiarch-support  2.19-12
ii  zlib1g 1:1.2.8.dfsg-1

--
Marc Dequènes (Duck)

#0  0x7f9727650107 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
resultvar = 0
pid = 28099
selftid = 28099
#1  0x7f97276514e8 in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x1631eb0, sa_sigaction = 
0x1631eb0}, sa_mask = {__val = {140733327892112, 140733327890224, 
140287214206471, 1, 0, 0, 140287177530664, 23280608, 140733327890224, 23290456, 
140287214232357, 4294966954, 0, 23264720, 0, 0}}, sa_flags = 0, sa_restorer = 
0x161a220}
sigs = {__val = {32, 0 repeats 15 times}}
#2  0x7f9728009199 in rnd_func (_ctx=0x0, length=264, data=0x7fff08045740 
) at pk.c:62
No locals.
#3  0x7f97238cd346 in nettle_mpz_random_size (x=0x7fff08045910, ctx=0x0, 
random=0x7f9728009169 rnd_func, bits=2112) at bignum-random.c:44
length = 264
data = 0x7fff08045740 
#4  0x7f97238cd3d1 in nettle_mpz_random (x=0x7fff08045910, ctx=0x0, 
random=0x7f9728009169 rnd_func, n=0x7fff08045a48) at bignum-random.c:81
No locals.
#5  0x7f97238d024a in _nettle_rsa_blind (pub=0x7fff08045a40, 
random_ctx=0x0, random=0x7f9728009169 rnd_func, c=0x7fff08045a30, 
ri=0x7fff08045980) at rsa-blind.c:50
r = {{_mp_alloc = 1, _mp_size = 0, _mp_d = 0x161a400}}
#6  0x7f97238cedbd in nettle_rsa_pkcs1_sign_tr (pub=0x7fff08045a40, 
key=0x7fff08045a70, random_ctx=0x0, random=0x7f9728009169 rnd_func, 
length=51, digest_info=0x1638500 010\r\006\t`\206H\001e\003\004\002\001\005, 
s=0x7fff08045a30) at rsa-pkcs1-sign-tr.c:47
ri = {{_mp_alloc = 1, _mp_size = 0, _mp_d = 0x161a310}}
#7  0x7f972800a997 in _wrap_nettle_pk_sign (algo=GNUTLS_PK_RSA, 
signature=0x7fff08045bf0, vdata=0x7fff08045b80, pk_params=0x1644680) at pk.c:566
priv = {size = 256, d = {{_mp_alloc = 33, _mp_size = 32, _mp_d = 
0x1639180}}, p = {{_mp_alloc = 17, _mp_size = 16, _mp_d = 0x1639320}}, q = 
{{_mp_alloc = 17, _mp_size = 16, _mp_d = 0x1638a10}}, a = {{_mp_alloc = 16, 
_mp_size = 16, _mp_d = 0x16398d0}}, b = {{_mp_alloc = 16, _mp_size = 16, _mp_d 
= 0x1639960}}, c = {{_mp_alloc = 17, _mp_size = 16, _mp_d = 0x1638aa0}}}
pub = {size = 256, n = {{_mp_alloc = 33, _mp_size = 32, _mp_d = 
0x1639070}}, e = {{_mp_alloc = 1, _mp_size = 1, _mp_d = 0x1616800}}}
s = {{_mp_alloc = 32, _mp_size = 32, _mp_d = 0x1639e40}}
ret = 134502912
hash_len = 32767
me = 0x7f9723d44e5a
#8  0x7f9727f4176c in gnutls_privkey_sign_raw_data (key=0x1645860, flags=0, 
data=0x7fff08045b80, signature=0x7fff08045bf0) at gnutls_privkey.c:909
No locals.
#9  0x7f9727f4147c in gnutls_privkey_sign_data (signer=0x1645860, 
hash=GNUTLS_DIG_SHA256, flags=0, data=0x7fff08045be0, signature=0x7fff08045bf0) 
at gnutls_privkey.c:788
ret = 0
digest = {data = 0x1638500 
010\r\006\t`\206H\001e\003\004\002\001\005, size = 51}
me = 0x7f972824b360 hash_algorithms+96
#10 0x7f9727f2d4ad in _gnutls_check_key_cert_match (res=0x16350e0) at 
gnutls_cert.c:936
test = {data =