** Description changed:

+ [ Impact ]
+
+ When the user sends a message to someone, if the server responsible for
+ receiving this message defers it, and if there are other possible
+ servers (i.e., other servers listed as secondary MX) to try, exim4 will
+ segfault while trying to connect to the second server.
+
+ [ Test Case ]
+
+ The test case for this bug is a bit involved. It makes use of the
+ upstream reporter's mail server, which has been configured to defer
+ emails when they come through the primary MX, but accept when they come
+ through the secondary MX. This means that you will need access to port
+ 25 (unfortunately canonistack seems to block it).
+
+ $ lxc launch ubuntu-daily:jammy exim4-bug1974214
+ $ lxc shell exim4-bug1974214
+ # apt update && apt full-upgrade
+ # apt install -y exim4
+ # dpkg-reconfigure exim4-config
+ ... In the "Mail Server configuration" screen, select "internet site; mail is sent and received directly using SMTP". Leave everything else untouched.
+ # cat > /etc/netplan/99-disable-ipv6.yaml << _EOF_
+ network:
+   ethernets:
+     eth0:
+       link-local: [ ipv4 ]
+ _EOF_
+ # netplan apply
+ # reboot
+ $ lxc shell exim4-bug1974214
+ # cat > 1.msg << _EOF_
+ Subject: test
+
+ this is a test
+ _EOF_
+ # exim4 -odq -f defe...@example.com geda...@gedalya.net < 1.msg
+ # exim4 -bp
+  0m   321 1nxC3o-0000Ax-AS <defe...@example.com>
+           geda...@gedalya.net
+
+ ... You will have to grab the message ID, which is 1nxC3o-0000Ax-AS in
+ this case. You have to use this ID in the following command.
+
+ # exim4 -d+all -q 1nxC3o-0000Ax-AS 2>&1 | tee /tmp/exim.debug
+ ...
+ # grep SEGV /tmp/exim.debug
+
+ You should be able to see exim4 signalling the segmentation fault that
+ occurred while attempting to connect to the second server.
+
+ [ Where problems could occur ]
+
+ The patches, albeit well contained and relatively simple, touch code
+ that deals with TLS and security. There is always the risk of
+ introducing an unwanted vulnerability or normal regression here. If
+ that happens, the very first thing we need to do is revert the patches
+ and work with upstream to develop a fix.
+
+ [ Original Description ]
+
  We are experiencing segfaults in exim since upgrading from impish (4.94.2-7ubuntu2 with libgnutls30 3.7.1-5ubuntu1) to jammy (4.95-4ubuntu2 with libgnutls30 3.7.3-4ubuntu1), in _gnutls_trust_list_get_issuer, seemingly in the sender/recipient verify callout during message submission.

  Typically the initial attempt to submit a message crashes an exim child thread, but the same message is accepted when the sender retries.

  gdb backtrace:

  Thread 2.1 "exim4" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fe2f844d080 (LWP 29278)]
  0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>, list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
  1026 x509/../../../lib/x509/verify-high.c: No such file or directory.
  (gdb) bt
  #0 0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>, list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
  #1 gnutls_x509_trust_list_get_issuer (list=list@entry=0x55ef6bd9c260, cert=0x55ef6bd9be20, issuer=issuer@entry=0x7ffc82dba510, flags=flags@entry=16) at x509/../../../lib/x509/verify-high.c:1129
  #2 0x00007fe2f8f3f679 in gnutls_x509_trust_list_verify_crt2 (list=0x55ef6bd9c260, cert_list=0x7ffc82dba5c0, cert_list_size=<optimised out>, data=<optimised out>, elements=<optimised out>, flags=33554432, voutput=0x7ffc82dba888, func=0x0) at x509/../../../lib/x509/verify-high.c:1522
  #3 0x00007fe2f8ed7516 in _gnutls_x509_cert_verify_peers (status=0x7ffc82dba888, elements=0, data=0x0, session=0x55ef6c0c1150) at ../../lib/cert-session.c:597
  #4 gnutls_certificate_verify_peers (session=0x55ef6c0c1150, data=data@entry=0x0, elements=elements@entry=0, status=status@entry=0x7ffc82dba888) at ../../lib/cert-session.c:776
  #5 0x00007fe2f8ed8000 in gnutls_certificate_verify_peers2 (session=<optimised out>, status=status@entry=0x7ffc82dba888) at ../../lib/cert-session.c:653
  #6 0x000055ef6b7698ef in verify_certificate (state=<optimised out>, errstr=0x7ffc82dbaa20) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:2519
  #7 0x000055ef6b7a5d7b in tls_client_start.constprop.0 (cctx=cctx@entry=0x55ef6be0e688, conn_args=conn_args@entry=0x55ef6bdfe5f8, tlsp=0x55ef6b7f59c0 <tls_out>, errstr=errstr@entry=0x7ffc82dbaa20, cookie=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:3593
  #8 0x000055ef6b78b0ef in smtp_setup_conn (sx=0x55ef6bdfe5e8, suppress_tls=<optimised out>) at transports/smtp.c:2673
  #9 0x000055ef6b776350 in do_callout (pm_mailfrom=<optimised out>, se_mailfrom=<optimised out>, options=<optimised out>, callout_connect=<optimised out>, callout_overall=<optimised out>, callout=<optimised out>, tf=0x7ffc82dbbc10, host_list=<optimised out>, addr=0x7ffc82dbbdd0) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:677
  #10 verify_address (vaddr=<optimised out>, fp=<optimised out>, options=<optimised out>, callout=<optimised out>, callout_overall=<optimised out>, callout_connect=<optimised out>, se_mailfrom=<optimised out>, pm_mailfrom=<optimised out>, routed=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:1947
  #11 0x000055ef6b6f1660 in acl_verify (where=where@entry=0, addr=addr@entry=0x7ffc82dbc5e0, arg=0x55ef6babc2b8 "recipient/defer_ok/callout=30s,defer_ok,use_postmaster", user_msgptr=user_msgptr@entry=0x7ffc82dbca50, log_msgptr=log_msgptr@entry=0x7ffc82dbca58, basic_errno=basic_errno@entry=0x7ffc82dbc38c) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:2168
  #12 0x000055ef6b6f479e in acl_check_condition (level=<optimised out>, basic_errno=0x7ffc82dbc38c, log_msgptr=<optimised out>, user_msgptr=<optimised out>, epp=<synthetic pointer>, addr=<optimised out>, where=<optimised out>, cb=0x55ef6babc298, verb=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:3838
  #13 acl_check_internal (where=where@entry=0, addr=addr@entry=0x7ffc82dbc5e0, s=s@entry=0x55ef6bab9990 "acl_check_rcpt", user_msgptr=user_msgptr@entry=0x7ffc82dbca50, log_msgptr=log_msgptr@entry=0x7ffc82dbca58) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4225
  #14 0x000055ef6b6f7b9e in acl_check (where=0, recipient=<optimised out>, s=0x55ef6bab9990 "acl_check_rcpt", user_msgptr=0x7ffc82dbca50, log_msgptr=0x7ffc82dbca58) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4539
  #15 0x000055ef6b75c2fd in smtp_setup_msg () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/smtp_in.c:5283
  #16 0x000055ef6b6e5cda in handle_smtp_call (accepted=0x7ffc82dbceb0, accept_socket=<optimised out>, listen_socket_count=<optimised out>, listen_sockets=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:551
  #17 daemon_go () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:2594
  #18 main (argc=<optimised out>, cargv=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/exim.c:4947

--
https://bugs.launchpad.net/bugs/1974214

Title:
  Segfaults on verify callout, in _gnutls_trust_list_get_issuer
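
Added example, not part of the bug report or of exim4: shell helpers that automate the two manual steps of the test case above, namely pulling the queue ID out of `exim4 -bp` output and checking the debug log for SEGV. The function names, the per-message log path and the sample queue listing are assumptions constructed for illustration; the exim4 commands are the ones quoted in the test case.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from exim4.

# Print the queue ID of every message in `exim4 -bp` output read on stdin.
# Header lines look like "<age> <size> <id> <sender> [flags]"; recipient
# lines carry fewer fields. Assumes the 16-character xxxxxx-xxxxxx-xx ID
# layout seen in the report (1nxC3o-0000Ax-AS).
queue_ids() {
    awk 'NF >= 4 && length($3) == 16 &&
         substr($3, 7, 1) == "-" && substr($3, 14, 1) == "-" &&
         $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { print $3 }'
}

# Succeed if the debug log records the crash (same check as `grep SEGV`).
segv_seen() {
    grep -q 'SEGV' "$1"
}

# Run the queue for each queued ID with full debugging, as in the test case,
# and report per message whether the run hit the segfault.
# Needs a host prepared as described above, so it is not called here.
check_queue() {
    for id in $(exim4 -bp | queue_ids); do
        log="/tmp/exim.debug.$id"            # assumed log location
        exim4 -d+all -q "$id" > "$log" 2>&1 || true
        if segv_seen "$log"; then
            echo "$id: SEGV"
        else
            echo "$id: ok"
        fi
    done
}

# Constructed sample of `exim4 -bp` output (addresses are placeholders).
SAMPLE_BP=' 0m   321 1nxC3o-0000Ax-AS <sender@example.com>
          rcpt@example.net

 2h  1.2K 1nxB9z-0000Zq-7T <other@example.com> *** frozen ***
        D done@example.net
          todo@example.net'

# Demo on the constructed sample: prints the two queue IDs.
printf '%s\n' "$SAMPLE_BP" | queue_ids
```

On a fixed package, `check_queue` should report `ok` for the deferred message once the secondary MX accepts it.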