Hello Michal, I have NMU'd the package with the fix; `openssl` has even fixed their side on the same day. Find the NMU diff attached. And of course, I have just noticed 898963 (another NMU) after I had uploaded my changes. :-/
2018-05-18 16:53 GMT+02:00 Michal Čihař <mic...@cihar.com>:
> Hello
>
> Feel free to do the upload, I'm quite busy with other things right now.
>
> Michal
>
> 18 May 2018 14:38:42 CEST, Hector Oron <zu...@debian.org> wrote:
>> Hello Michal,
>>
>> Do you mind if I go ahead and upload a fix for
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895035 ?
>>
>> Or do you prefer to take care of it?
>>
>> Regards

--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
<free spam>
-- Would you like to make a donation towards the upcoming Debian conference?
Brochure: https://media.debconf.org/dc18/fundraising/debconf18_sponsorship_brochure_en.pdf
** https://debconf18.debconf.org/sponsors/become-a-sponsor/ **
</free spam>
diff -Nru osc-0.162.1/debian/changelog osc-0.162.1/debian/changelog --- osc-0.162.1/debian/changelog 2018-01-23 09:47:02.000000000 +0100 +++ osc-0.162.1/debian/changelog 2018-05-23 16:58:00.000000000 +0200 @@ -1,3 +1,11 @@ +osc (0.162.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + - Contains fix (from upstream) for crash with memory corruption. + (Closes: #895035) + + -- Héctor Orón Martínez <zu...@debian.org> Wed, 23 May 2018 16:58:00 +0200 + osc (0.162.1-1) unstable; urgency=medium * New upstream release. diff -Nru osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch --- osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch 1970-01-01 01:00:00.000000000 +0100 +++ osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch 2018-05-23 16:55:21.000000000 +0200 
@@ -0,0 +1,105 @@ +From: Marcus Huewe <suse-...@gmx.de> +Date: Tue, 8 May 2018 14:23:08 +0200 +Subject: Disable ssl session resumption + +The old code could potentially yield to a use-after-free situation, +which results in UB. For this, consider the following scenario, where +osc performs several HTTPS requests (assumption: the server supports +ssl session resumption): + +- HTTPS Request 1: + * a new SSL *s connection is established, which also creates a new + SSL_SESSION *ss => ss->references == 1 + * once the handshake is done, the ss is put into the session cache + (see ssl_update_cache) => ss->references == 2 + - osc saves the session ss in a class variable + - s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1 + +- HTTPS Request 2: + * setup a new SSL *s connection that reuses the saved session ss + => ss->references == 2 + * once the handshake is done, ssl_update_cache is called, which is a + NOP, because s->hit == 1 (that is, the session was resumed) + * osc saves the session ss in a class variable + * s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1 + +... + +> 2 hours later (see tls1_default_timeout) + +... + +- HTTPS Request 256: + * setup a new SSL *s connection that reuses the saved session ss + => ss->references == 2 + * once the handshake is done, ssl_update_cache is called, but is + _no_ NOP anymore + * ssl_update_cache flushes the session cache (this is done every + 255/256 (depending on the way we count) connections) => ss is + SSL_SESSION_free()d => ss->references == 1 + * osc saves the session ss in a class variable + * s is SSL_free()d, which calls SSL_SESSION_free: + since ss->references == 1, ss is eventually free()d + +- HTTPS Request 257: + * setup a new SSL *s connection that reuses the saved session ss + +Since ss does not exist anymore, the remaining program execution is UB. + +(Note: SSL_free(...) is _NOT_ called, if M2Crypto 0.29 is used. +M2Crypto 0.30 calls SSL_free(...) again.) 
+ +Due to a bug in OpenSSL_1_1_0h (see openssl commit 8e405776858) the +scenario from above can be triggered with exactly 2 HTTPS requests (the +SSL_SESSION is not cached, because we configured SSL_VERIFY_PEER, but +no sid_ctx was set). This is fixed in openssl commit c4fa1f7fc01. + +In order to reliably reuse a session, we probably need to listen to the +session cache changes. Such callbacks could be registered via +SSL_CTX_sess_set_new_cb and/or SSL_CTX_sess_set_remove_cb, but both +functions are not provided by M2Crypto. Another idea is to directly utilize +the session cache, but this also has to be implemented in M2Crypto first. +Yet another approach is to retrieve the session via SSL_get1_session, which +increases the session's refcnt, but this also needs to be implemented in +M2Crypto first (if we choose to use this approach, we also have to make +sure that we eventually free the session manually...). + +Fixes: #398 ("SIGSEGV on \"osc commit\"") +Origin: upstream, 0.162.2, commit:https://github.com/openSUSE/osc/commit/b730f880cfe85a8547f569355a21706f27ebfa78 +Bug: https://github.com/openSUSE/osc/issues/398 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895035 +--- + osc/oscssl.py | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/osc/oscssl.py b/osc/oscssl.py +index 7aa5a0d..186c98d 100644 +--- a/osc/oscssl.py ++++ b/osc/oscssl.py +@@ -174,7 +174,6 @@ class mySSLContext(SSL.Context): + + class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler): + handler_order = 499 +- saved_session = None + + def __init__(self, *args, **kwargs): + self.appname = kwargs.pop('appname', 'generic') +@@ -204,8 +203,6 @@ class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler): + selector = req.get_selector() + # End our change + h.set_debuglevel(self._debuglevel) +- if self.saved_session: +- h.set_session(self.saved_session) + + headers = dict(req.headers) + headers.update(req.unredirected_hdrs) +@@ -218,9 +215,6 @@ class 
myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler): + headers["Connection"] = "close" + try: + h.request(req.get_method(), selector, req.data, headers) +- s = h.get_session() +- if s: +- self.saved_session = s + r = h.getresponse() + except socket.error as err: # XXX what error? + err.filename = full_url diff -Nru osc-0.162.1/debian/patches/series osc-0.162.1/debian/patches/series --- osc-0.162.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ osc-0.162.1/debian/patches/series 2018-05-23 16:56:13.000000000 +0200 @@ -0,0 +1 @@ +Disable-ssl-session-resumption.patch
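Review bot: the debian/changelog hunk (`- Contains fix (from upstream) for crash with memory corruption.`) names only the symptom, while the patch it ships removes SSL session saving entirely (the `saved_session` attribute and the `set_session`/`get_session` calls), so every HTTPS request made by osc now performs a full TLS handshake. Consider stating that behavioural change in the entry, e.g. `- Disable SSL session resumption to fix a use-after-free crash (upstream).`, so users of this NMU know why connections became slower as well as why they stopped crashing.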
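Review bot: in the Disable-ssl-session-resumption.patch hunk, the `@@ -174,7 +174,6 @@` region drops the class attribute `saved_session = None`, and the two later regions drop the only read (`if self.saved_session:`) and write (`self.saved_session = s`) shown in the diff; any other reference to `saved_session` elsewhere in osc would now raise AttributeError instead of evaluating to None, so it is worth grepping the rest of the source for the name before upload. The DEP-3 header (Origin with the upstream commit, Bug, Bug-Debian) is complete, and the removal matches the upstream commit's own diffstat of 6 deletions in osc/oscssl.py.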