** Description changed:

  [ Impact ]
  
  When the user sends a message to someone, if the server responsible for
  receiving this message defers it, and if there are other possible
  servers (i.e., other servers listed as secondary MX) to try, exim4 will
  segfault while trying to connect to the second server.
  
  [ Test Plan ]
  
  The test case for this bug is a bit involved.  It makes use of the
  upstream reporter's mail server, which has been configured to defer
  emails when they come through the primary MX, but accept when they come
  through the secondary MX.  This means that you will need access to port
  25 (unfortunately canonistack seems to block it).
  
  $ lxc launch ubuntu-daily:jammy exim4-bug1974214
  $ lxc shell exim4-bug1974214
  # apt update && apt full-upgrade
  # apt install -y exim4
  # dpkg-reconfigure exim4-config
  ... In the "Mail Server configuration" screen, select "internet site; mail is sent and received directly using SMTP".  Leave everything else untouched.
  # cat > /etc/netplan/99-disable-ipv6.yaml << _EOF_
  network:
    ethernets:
      eth0:
        link-local: [ ipv4 ]
  _EOF_
  # netplan apply
  # reboot
  $ lxc shell exim4-bug1974214
  # cat > 1.msg << _EOF_
  Subject: test
  
  this is a test
  _EOF_
  # exim4 -odq -f defe...@example.com geda...@gedalya.net < 1.msg
  # exim4 -bp
   0m   321 1nxC3o-0000Ax-AS <defe...@example.com>
            geda...@gedalya.net
  
  ... You will have to grab the message ID, which is 1nxC3o-0000Ax-AS in
  this case.  You have to use this ID in the following command.
  
  # exim4 -d+all -q 1nxC3o-0000Ax-AS 2>&1 | tee /tmp/exim.debug
  ...
  # grep SEGV /tmp/exim.debug
  
  You should be able to see exim4 signalling the segmentation fault that
  occurred while attempting to connect to the second server.
  
  [ Where problems could occur ]
  
  The patches, albeit well contained and relatively simple, touch code
  that deals with TLS and security.  There is always the risk of
  introducing an unwanted vulnerability or normal regression here.  If
  that happens, the very first thing we need to do is revert the patches
  and work with upstream to develop a fix.
+ 
+ In the unlikely case that we encounter regressions, they are probably
+ going to affect TLS connections when sending/receiving messages.  Email
+ servers nowadays generally offer encrypted connections (via TLS or
+ STARTTLS), and some still offer plaintext as well.  If there is a
+ problem with TLS and exim4 is configured to fall back to plaintext,
+ things will still work assuming that the other end also talks plaintext.
+ Otherwise, we might see reports of undelivered emails.
+ 
+ Finally, the fix is composed of two patches.  The first one prevents
+ exim4 from discarding the cached credentials when the transport
+ connection with the primary MX closes, and the second resets headers
+ before trying to connect to the secondary MX.
  
  [ Original Description ]
  
  We are experiencing segfaults in exim since upgrading from impish
  (4.94.2-7ubuntu2 with libgnutls30 3.7.1-5ubuntu1) to jammy
  (4.95-4ubuntu2 with libgnutls30 3.7.3-4ubuntu1), in
  _gnutls_trust_list_get_issuer, seemingly in the sender/recipient verify
  callout during message submission.
  
  Typically the initial attempt to submit a message crashes an exim child
  thread, but the same message is accepted when the sender retries.
  
  gdb backtrace:
  
  Thread 2.1 "exim4" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fe2f844d080 (LWP 29278)]
  0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>, list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
  1026    x509/../../../lib/x509/verify-high.c: No such file or directory.
  (gdb) bt
  #0  0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>,
      list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
  #1  gnutls_x509_trust_list_get_issuer (list=list@entry=0x55ef6bd9c260, cert=0x55ef6bd9be20, issuer=issuer@entry=0x7ffc82dba510,
      flags=flags@entry=16) at x509/../../../lib/x509/verify-high.c:1129
  #2  0x00007fe2f8f3f679 in gnutls_x509_trust_list_verify_crt2 (list=0x55ef6bd9c260, cert_list=0x7ffc82dba5c0,
      cert_list_size=<optimised out>, data=<optimised out>, elements=<optimised out>, flags=33554432, voutput=0x7ffc82dba888, func=0x0)
      at x509/../../../lib/x509/verify-high.c:1522
  #3  0x00007fe2f8ed7516 in _gnutls_x509_cert_verify_peers (status=0x7ffc82dba888, elements=0, data=0x0, session=0x55ef6c0c1150)
      at ../../lib/cert-session.c:597
  #4  gnutls_certificate_verify_peers (session=0x55ef6c0c1150, data=data@entry=0x0, elements=elements@entry=0,
      status=status@entry=0x7ffc82dba888) at ../../lib/cert-session.c:776
  #5  0x00007fe2f8ed8000 in gnutls_certificate_verify_peers2 (session=<optimised out>, status=status@entry=0x7ffc82dba888)
      at ../../lib/cert-session.c:653
  #6  0x000055ef6b7698ef in verify_certificate (state=<optimised out>, errstr=0x7ffc82dbaa20)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:2519
  #7  0x000055ef6b7a5d7b in tls_client_start.constprop.0 (cctx=cctx@entry=0x55ef6be0e688, conn_args=conn_args@entry=0x55ef6bdfe5f8,
      tlsp=0x55ef6b7f59c0 <tls_out>, errstr=errstr@entry=0x7ffc82dbaa20, cookie=<optimised out>)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:3593
  #8  0x000055ef6b78b0ef in smtp_setup_conn (sx=0x55ef6bdfe5e8, suppress_tls=<optimised out>) at transports/smtp.c:2673
  #9  0x000055ef6b776350 in do_callout (pm_mailfrom=<optimised out>, se_mailfrom=<optimised out>, options=<optimised out>,
      callout_connect=<optimised out>, callout_overall=<optimised out>, callout=<optimised out>, tf=0x7ffc82dbbc10,
      host_list=<optimised out>, addr=0x7ffc82dbbdd0)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:677
  #10 verify_address (vaddr=<optimised out>, fp=<optimised out>, options=<optimised out>, callout=<optimised out>,
      callout_overall=<optimised out>, callout_connect=<optimised out>, se_mailfrom=<optimised out>, pm_mailfrom=<optimised out>,
      routed=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:1947
  #11 0x000055ef6b6f1660 in acl_verify (where=where@entry=0, addr=addr@entry=0x7ffc82dbc5e0,
      arg=0x55ef6babc2b8 "recipient/defer_ok/callout=30s,defer_ok,use_postmaster", user_msgptr=user_msgptr@entry=0x7ffc82dbca50,
      log_msgptr=log_msgptr@entry=0x7ffc82dbca58, basic_errno=basic_errno@entry=0x7ffc82dbc38c)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:2168
  #12 0x000055ef6b6f479e in acl_check_condition (level=<optimised out>, basic_errno=0x7ffc82dbc38c, log_msgptr=<optimised out>,
      user_msgptr=<optimised out>, epp=<synthetic pointer>, addr=<optimised out>, where=<optimised out>, cb=0x55ef6babc298,
      verb=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:3838
  #13 acl_check_internal (where=where@entry=0, addr=addr@entry=0x7ffc82dbc5e0, s=s@entry=0x55ef6bab9990 "acl_check_rcpt",
      user_msgptr=user_msgptr@entry=0x7ffc82dbca50, log_msgptr=log_msgptr@entry=0x7ffc82dbca58)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4225
  #14 0x000055ef6b6f7b9e in acl_check (where=0, recipient=<optimised out>, s=0x55ef6bab9990 "acl_check_rcpt",
      user_msgptr=0x7ffc82dbca50, log_msgptr=0x7ffc82dbca58)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4539
  #15 0x000055ef6b75c2fd in smtp_setup_msg () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/smtp_in.c:5283
  #16 0x000055ef6b6e5cda in handle_smtp_call (accepted=0x7ffc82dbceb0, accept_socket=<optimised out>,
      listen_socket_count=<optimised out>, listen_sockets=<optimised out>)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:551
  #17 daemon_go () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:2594
  #18 main (argc=<optimised out>, cargv=<optimised out>)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/exim.c:4947
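Helper script added here to automate the "grab the message ID" step of the test plan above and to classify each debug queue run; it is not part of the bug report or of exim4 itself. It assumes the queue was populated with `exim4 -odq` as in the plan; the `EXIM` variable is an assumed hook so a stand-in can replace the binary, and the sample listing is constructed from the `exim4 -bp` output shown in the plan.

```shell
#!/bin/sh
# Added example, not part of the bug report: helpers that automate the manual
# "grab the message ID" step of the test plan and classify the outcome of the
# debug queue run. Assumes messages were queued with `exim4 -odq` as in the
# test plan. EXIM is an assumed hook so a stand-in can replace the binary.

EXIM=${EXIM:-exim4}

# Print the message IDs found in `exim4 -bp` output read from stdin.
# A queue entry starts with "<age> <size> <msgid> <sender>"; the indented
# recipient lines that follow carry a single field and are skipped.
queue_ids() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && length($3) == 16 { print $3 }'
}

# Force a delivery attempt for one message with full debugging, keep the
# transcript in $2 and report whether exim signalled a segfault.
# Prints "SEGV <id>" and returns 1 on a crash, "ok <id>" and 0 otherwise.
check_delivery() {
    id=$1
    log=${2:-/tmp/exim-$id.debug}
    # A crashing exim exits non-zero; the transcript, not the status, decides.
    "$EXIM" -d+all -q "$id" >"$log" 2>&1 || :
    if grep -q SEGV "$log"; then
        printf 'SEGV %s\n' "$id"
        return 1
    fi
    printf 'ok %s\n' "$id"
}

# Check every queued message; the exit status is the number of crashes seen,
# so a fixed exim4 yields 0 and the broken one yields 1 for the test message.
check_queue() {
    crashes=0
    for id in $("$EXIM" -bp | queue_ids); do
        check_delivery "$id" || crashes=$((crashes + 1))
    done
    return "$crashes"
}

# Constructed sample input: the queue listing shown in the test plan above.
SAMPLE_BP=' 0m   321 1nxC3o-0000Ax-AS <defe...@example.com>
          geda...@gedalya.net
'
```

Run `check_queue` on the affected package and again after upgrading; a non-zero exit accompanied by a `SEGV` line reproduces the bug, and the per-message transcripts stay in `/tmp` for inspection.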

https://bugs.launchpad.net/bugs/1974214

Title:
  Segfaults on verify callout, in _gnutls_trust_list_get_issuer

