[Bug 1940656] Re: Potential use after free bugs in 1.1.1
This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.9 --- openssl (1.1.1f-1ubuntu2.9) focal; urgency=medium * Cherry-pick stable patches to fix potential use-after-free. LP: #1940656 -- Dimitri John Ledkov Wed, 25 Aug 2021 02:13:44 +0100 ** Changed in: openssl (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Tags removed: verification-needed verification-needed-focal ** Tags added: verification-done verification-done-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
I currently do not have a more regular smartcard setup to test out a hardware pk11 engine with openssl, which is typically the most common one. But I can use software gost engine to test out that algos provided by the engine operate correctly. Installed openssl from proposed, and gost engine. $ dpkg -l | grep -e 1.1.1f -e openssl ii libengine-gost-openssl1.1 1.1.0.3-1amd64 Loadable module for openssl implementing GOST algorithms ii libssl1.1:amd641.1.1f-1ubuntu2.9amd64Secure Sockets Layer toolkit - shared libraries ii openssl1.1.1f-1ubuntu2.9amd64Secure Sockets Layer toolkit - cryptographic utility Without engine configured, connectivity fails to GOST only website: # openssl s_client -connect tlsgost.cryptopro.ru:443 CONNECTED(0003) 140163445085504:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941: Configured gost engine, and connect to GOST only website: # openssl s_client -connect tlsgost.cryptopro.ru:443 CONNECTED(0003) depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth verify error:num=21:unable to verify the first certificate verify return:1 ... New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912 Server public key is 256 bit ... GET / ... TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred. Connectivity using algos provided by a crypto engine worked. Note that certificate was not verified, as we don't currently ship GOST CA certificates. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
@xnox Could you finish the verification and tag the bug verification- done? " * Configure and use openssl with any engine and ensure that it continues to work" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
There is now only a transient ADT regression in Regression in linux- hwe-5.13 (armhf), which is not a valid ADT because armhf ADT runs in lxd containers and does not boot the requested kernel. Please release this package. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Changed in: openssl (Ubuntu) Importance: Undecided => Medium ** Changed in: openssl (Ubuntu Focal) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
Hello Dimitri, or anyone else affected, Accepted openssl into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.9 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: openssl (Ubuntu Focal) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
Thanks Marc and Dimitri! With Marc's confirmation this is unblocked from the SRU queue then. But please don't assign me. Any member of the SRU team can process this. Assigning individual SRU team members not part of the SRU process, implies an implied lock that isn't there, and would only delay things because I am not processing SRUs this week. ** Changed in: openssl (Ubuntu Focal) Assignee: Robie Basak (racb) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
I'd rather these go through the SRU process first, and they will get picked up automatically next time we do an openssl security update. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Changed in: openssl (Ubuntu Focal) Status: Incomplete => In Progress ** Changed in: openssl (Ubuntu Focal) Assignee: (unassigned) => Robie Basak (racb) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
I would agree that any hypothetical use-after-free / double-free errors are usually also security vulnerabilities. But these ones were discovered with static analysis and/or affecting engine use, in error conditions only. Thus connectivity must already be failing / denied, before one can trip these ones up. Not sure if one can further stage an attack by staging a connection failure, and try to disclose information from that. Will ping security team about it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
Shouldn't these go into the security pocket? At the least I'd like an explicit nak from the security team please. ** Changed in: openssl (Ubuntu Focal) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Patch added: "lp-1940656-3-engine-fix-double-free-on-error-path.patch" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519403/+files/lp-1940656-3-engine-fix-double-free-on-error-path.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Patch added: "lp-1940656-1-srp-fix-double-free.patch" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519401/+files/lp-1940656-1-srp-fix-double-free.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Patch added: "lp-1940656-4-Prevent-use-after-free-of-global_engine_lock.patch" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519404/+files/lp-1940656-4-Prevent-use-after-free-of-global_engine_lock.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940656] Re: Potential use after free bugs in 1.1.1
** Patch added: "lp-1940656-2-ts-fix-double-free-on-error-path.patch" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519402/+files/lp-1940656-2-ts-fix-double-free-on-error-path.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs