[Bug 1066032] Re: Deadlock when reading a public key

Launchpad Bug Tracker 1066032 at bugs.launchpad.net
Mon May 6 19:34:13 UTC 2013


This bug was fixed in the package openssl - 1.0.1-4ubuntu5.9

---------------
openssl (1.0.1-4ubuntu5.9) precise; urgency=low

  [ Dmitrijs Ledkovs ]
  * Enable arm assembly code. (LP: #1083498) (Closes: #676533)
  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)

  [ Marc Deslauriers ]
  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)
 -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>   Mon, 15 Apr 2013 13:44:50 +0100

** Changed in: openssl (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** Changed in: openssl (Ubuntu Quantal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1066032

Title:
  Deadlock when reading a public key

Status in OpenSSL cryptography and SSL/TLS toolkit:
  Fix Released
Status in “openssl” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Precise:
  Fix Released
Status in “openssl” source package in Quantal:
  Fix Released
Status in “openssl” source package in Raring:
  Fix Released

Bug description:
  [SRU request]

  [Impact]
  A deadlock exists in the public key decoding code of openssl in Precise and Quantal. Users of openssl in environments where a large number of keys are being processed may hit it, causing the application to hang. This has been fixed in the development release by backporting a trivial patch from upstream.

  [Test Case]
  There is currently no known reliable way of reproducing the deadlock.
  The openssl test suite passes with the patch, and the QRT scripts have been run successfully.

  [Regression Potential]
  The patch is trivial, and shouldn't cause any regressions. It has been used in a couple of upstream releases so far. If the patch does introduce a regression, it would affect public key decoding and would be apparent.


  Original report:
  We're experiencing deadlocks in Ubuntu 12.04 at our customers.  After some investigation, a known bug in OpenSSL 1.0.1c (and other versions) is causing this.  The bug itself was known since one day after this release (11th of May this year).

  OpenSSL bug report:
  http://rt.openssl.org/Ticket/Display.html?id=2813&user=guest&pass=guest

  Commit that fixes the issue in OpenSSL 1.0.1:
  http://cvs.openssl.org/chngview?cn=22570

  For now, we're distributing a modified version of the OpenSSL packages
  for Ubuntu, but of course we're not the only ones with this bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1066032/+subscriptions