Hello Michal,
I have NMU the package with the fix, even `openssl` has also fixed
their side on the same day.
Find NMU diff attached. And of course, I have just noticed 898963
(another NMU) after I have uploaded my changes. :-/
2018-05-18 16:53 GMT+02:00 Michal Čihař <mic...@cihar.com>:
> Hello
>
> Feel free to do the upload, I'm quite busy with other things right now.
>
> Michal
>
> 18. května 2018 14:38:42 SELČ, Hector Oron <zu...@debian.org> napsal:
>>Hello Michal,
>>
>> Do you mind if I go ahead and upload a fix for
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895035 ?
>>
>> Or do you prefer to take care of it?
>>
>>Regards
--
Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
<free spam>
-- Would you like to make a donation towards the upcoming Debian conference?
Brochure:
https://media.debconf.org/dc18/fundraising/debconf18_sponsorship_brochure_en.pdf
** https://debconf18.debconf.org/sponsors/become-a-sponsor/ **
</free spam>
diff -Nru osc-0.162.1/debian/changelog osc-0.162.1/debian/changelog
--- osc-0.162.1/debian/changelog 2018-01-23 09:47:02.000000000 +0100
+++ osc-0.162.1/debian/changelog 2018-05-23 16:58:00.000000000 +0200
@@ -1,3 +1,11 @@
+osc (0.162.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ - Contains fix (from upstream) for crash with memory corruption.
+ (Closes: #895035)
+
+ -- Héctor Orón Martínez <zu...@debian.org> Wed, 23 May 2018 16:58:00 +0200
+
osc (0.162.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch
--- osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch 1970-01-01 01:00:00.000000000 +0100
+++ osc-0.162.1/debian/patches/Disable-ssl-session-resumption.patch 2018-05-23 16:55:21.000000000 +0200
@@ -0,0 +1,105 @@
+From: Marcus Huewe <suse-...@gmx.de>
+Date: Tue, 8 May 2018 14:23:08 +0200
+Subject: Disable ssl session resumption
+
+The old code could potentially yield to a use-after-free situation,
+which results in UB. For this, consider the following scenario, where
+osc performs several HTTPS requests (assumption: the server supports
+ssl session resumption):
+
+- HTTPS Request 1:
+ * a new SSL *s connection is established, which also creates a new
+ SSL_SESSION *ss => ss->references == 1
+ * once the handshake is done, the ss is put into the session cache
+ (see ssl_update_cache) => ss->references == 2
+ - osc saves the session ss in a class variable
+ - s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1
+
+- HTTPS Request 2:
+ * setup a new SSL *s connection that reuses the saved session ss
+ => ss->references == 2
+ * once the handshake is done, ssl_update_cache is called, which is a
+ NOP, because s->hit == 1 (that is, the session was resumed)
+ * osc saves the session ss in a class variable
+ * s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1
+
+...
+
+> 2 hours later (see tls1_default_timeout)
+
+...
+
+- HTTPS Request 256:
+ * setup a new SSL *s connection that reuses the saved session ss
+ => ss->references == 2
+ * once the handshake is done, ssl_update_cache is called, but is
+ _no_ NOP anymore
+ * ssl_update_cache flushes the session cache (this is done every
+ 255/256 (depending on the way we count) connections) => ss is
+ SSL_SESSION_free()d => ss->references == 1
+ * osc saves the session ss in a class variable
+ * s is SSL_free()d, which calls SSL_SESSION_free:
+ since ss->references == 1, ss is eventually free()d
+
+- HTTPS Request 257:
+ * setup a new SSL *s connection that reuses the saved session ss
+
+Since ss does not exist anymore, the remaining program execution is UB.
+
+(Note: SSL_free(...) is _NOT_ called, if M2Crypto 0.29 is used.
+M2Crypto 0.30 calls SSL_free(...) again.)
+
+Due to a bug in OpenSSL_1_1_0h (see openssl commit 8e405776858) the
+scenario from above can be triggered with exactly 2 HTTPS requests (the
+SSL_SESSION is not cached, because we configured SSL_VERIFY_PEER, but
+no sid_ctx was set). This is fixed in openssl commit c4fa1f7fc01.
+
+In order to reliably reuse a session, we probably need to listen to the
+session cache changes. Such callbacks could be registered via
+SSL_CTX_sess_set_new_cb and/or SSL_CTX_sess_set_remove_cb, but both
+functions are not provided by M2Crypto. Another idea is to directly utilize
+the session cache, but this also has to be implemented in M2Crypto first.
+Yet another approach is to retrieve the session via SSL_get1_session, which
+increases the session's refcnt, but this also needs to be implemented in
+M2Crypto first (if we choose to use this approach, we also have to make
+sure that we eventually free the session manually...).
+
+Fixes: #398 ("SIGSEGV on \"osc commit\"")
+Origin: upstream, 0.162.2, commit:https://github.com/openSUSE/osc/commit/b730f880cfe85a8547f569355a21706f27ebfa78
+Bug: https://github.com/openSUSE/osc/issues/398
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895035
+---
+ osc/oscssl.py | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/osc/oscssl.py b/osc/oscssl.py
+index 7aa5a0d..186c98d 100644
+--- a/osc/oscssl.py
++++ b/osc/oscssl.py
+@@ -174,7 +174,6 @@ class mySSLContext(SSL.Context):
+
+ class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler):
+ handler_order = 499
+- saved_session = None
+
+ def __init__(self, *args, **kwargs):
+ self.appname = kwargs.pop('appname', 'generic')
+@@ -204,8 +203,6 @@ class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler):
+ selector = req.get_selector()
+ # End our change
+ h.set_debuglevel(self._debuglevel)
+- if self.saved_session:
+- h.set_session(self.saved_session)
+
+ headers = dict(req.headers)
+ headers.update(req.unredirected_hdrs)
+@@ -218,9 +215,6 @@ class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler):
+ headers["Connection"] = "close"
+ try:
+ h.request(req.get_method(), selector, req.data, headers)
+- s = h.get_session()
+- if s:
+- self.saved_session = s
+ r = h.getresponse()
+ except socket.error as err: # XXX what error?
+ err.filename = full_url
diff -Nru osc-0.162.1/debian/patches/series osc-0.162.1/debian/patches/series
--- osc-0.162.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ osc-0.162.1/debian/patches/series 2018-05-23 16:56:13.000000000 +0200
@@ -0,0 +1 @@
+Disable-ssl-session-resumption.patch
