[Bug 1635303] Re: GnuTLS bug in https method from apt-1.0.1ubuntu2.15 package
Launchpad Bug Tracker
1635303 at bugs.launchpad.net
Tue Jan 21 11:48:02 UTC 2020
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: gnutls28 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1635303
Title:
GnuTLS bug in https method from apt-1.0.1ubuntu2.15 package
Status in gnutls28 package in Ubuntu:
Confirmed
Bug description:
** NOTE **
Marking this as security vulnerability as it has the potential to exclude security updates from repositories using HTTPS protocol on Ubuntu 14.04 (perhaps when only going through a proxy).
I have four Ubuntu 14.04 boxes which have either Phusion Passenger, or Jenkins software installed. The repositories for these software packages are served over HTTPS protocol, rather than the customary HTTP:
# cat /etc/apt/sources.list.d/passenger.list
deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main

# cat /etc/apt/sources.list.d/jenkins.list
deb https://pkg.jenkins.io/debian-stable binary/
When going through a Blue Coat proxy system (https://www.bluecoat.com/products-and-solutions/on-premise-secure-web-gateway), running `apt-get update` results in the following error message snippets:
Hit http://security.ubuntu.com trusty-security/main Translation-en
Err https://oss-binaries.phusionpassenger.com trusty/main amd64 Packages
gnutls_handshake() failed: A TLS packet with unexpected length was received.

W: Failed to fetch https://oss-binaries.phusionpassenger.com/apt/passenger/dists/trusty/main/binary-amd64/Packages gnutls_handshake() failed: A TLS packet with unexpected length was received.
I've noticed the Ubuntu 14.04 https method (/usr/lib/apt/methods/https) is compiled against libcurl-gnutls.so.4 (libcurl4-gnutls-dev). This package is also reported as being problematic in Python (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515200) as well as git (http://askubuntu.com/questions/186847/error-gnutls-handshake-failed-when-connecting-to-https-servers).
To test, I've checked the original /usr/lib/apt/methods/https is indeed linked to libcurl4-gnutls:
# ldd /usr/lib/apt/methods/https
linux-vdso.so.1 => (0x00007ffe2ff43000)
libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12 (0x00007f2399cc6000)
libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f2399a64000)
...
I installed apt-1.0.1ubuntu2.15 source package using `apt-get source` and proceeded to build using the configure options shown here: https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.15/+build/10959579
This indeed produced a binary linked against libcurl-gnutls.so.4. I copied the new https binary over to /usr/lib/apt/methods/ and ran `apt-get update` with the same failure message above. I then ran `apt-get purge libcurl4-gnutls-dev` and then `apt-get install libcurl4-openssl-dev`. I then removed my build directory and installed the apt-1.0.1ubuntu2.15 source package again. Building with the same configure options as before resulted in an https binary linked against openssl. I copied the resulting binary over to /usr/lib/apt/methods/https.openssl and verified:
# ldd /usr/lib/apt/methods/https.openssl
...
libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f28c1d3f000)
...
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f28c0362000)

# cp /usr/lib/apt/methods/https.openssl /usr/lib/apt/methods/https

# apt-get update
Get:1 http://us.archive.ubuntu.com trusty-backports InRelease [65.9 kB]
Hit http://ppa.launchpad.net trusty InRelease
Hit http://security.ubuntu.com trusty-security InRelease
Hit http://us.archive.ubuntu.com trusty Release.gpg
Hit http://us.archive.ubuntu.com trusty-updates/main Sources
Hit http://us.archive.ubuntu.com trusty-updates/restricted Sources
Hit http://ppa.launchpad.net trusty/main amd64 Packages
Hit http://security.ubuntu.com trusty-security/main Sources
Hit http://ppa.launchpad.net trusty/main i386 Packages
Hit http://security.ubuntu.com trusty-security/restricted Sources
Hit http://ppa.launchpad.net trusty/main Translation-en
Hit http://security.ubuntu.com trusty-security/universe Sources
Hit http://security.ubuntu.com trusty-security/multiverse Sources
Get:2 https://oss-binaries.phusionpassenger.com trusty InRelease
Ign https://oss-binaries.phusionpassenger.com trusty InRelease
Hit https://oss-binaries.phusionpassenger.com trusty Release.gpg
Hit https://oss-binaries.phusionpassenger.com trusty Release
Hit https://oss-binaries.phusionpassenger.com trusty/main amd64 Packages
Hit https://oss-binaries.phusionpassenger.com trusty/main i386 Packages
Get:3 https://oss-binaries.phusionpassenger.com trusty/main Translation-en
Ign https://oss-binaries.phusionpassenger.com trusty/main Translation-en
...
This appears to resolve the issue of trying to contact HTTPS repositories while going through a Blue Coat proxy (perhaps any proxy?). Would it be possible to have a package made available in Ubuntu 14.04 repos which is compiled against openssl instead of libcurl4-gnutls?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1635303/+subscriptions
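As an added example (not part of this bug report, and not apt's own code), a POSIX shell audit for the condition the report describes: it classifies the TLS backend of the apt https method from its ldd output and lists the https repositories that would be skipped if that backend's handshake fails. The method binary path, the sources.list locations and the sample texts are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or apt: audit which TLS backend the apt
# https method links against and which configured repositories depend on it.
APT_HTTPS_METHOD=/usr/lib/apt/methods/https   # assumed path, as in the report

# Classify an ldd listing as gnutls, openssl or unknown.
tls_backend_of_ldd() {
    if printf '%s\n' "$1" | grep -q 'libcurl-gnutls\.so'; then echo gnutls
    elif printf '%s\n' "$1" | grep -q 'libssl\.so'; then echo openssl
    else echo unknown
    fi
}
# Print the URIs of active "deb"/"deb-src" lines that use https:// (comments skipped).
https_repo_uris() {
    printf '%s\n' "$1" | awk '$1 ~ /^deb(-src)?$/ && $2 ~ /^https:\/\//{print $2}'
}
https_repo_count() { https_repo_uris "$1" | awk 'END { print NR }'; }

# Constructed samples mirroring the report; not real command output.
SAMPLE_LDD_GNUTLS='libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12
libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4'
SAMPLE_LDD_OPENSSL='libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0'
SAMPLE_SOURCES='deb http://security.ubuntu.com/ubuntu trusty-security main
deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main
# deb https://commented.example/ignored binary/
deb-src https://pkg.jenkins.io/debian-stable binary/'

# $1 = ldd output, $2 = sources.list content. Returns 1 for the failing
# combination in the report: https repositories served by the gnutls-linked method.
audit_report() {
    backend=$(tls_backend_of_ldd "$1")
    n=$(https_repo_count "$2")
    echo "apt https method TLS backend: $backend; https repositories: $n"
    if [ "$backend" = gnutls ] && [ "$n" -gt 0 ]; then
        echo "WARNING: a gnutls handshake failure skips these $n repositories with" \
             "only a W: line, so their security updates are missed unless someone reads it:"
        https_repo_uris "$2"
        return 1
    fi
    return 0
}
# Audit the live system when the binary exists, otherwise run on the constructed sample.
if [ -x "$APT_HTTPS_METHOD" ]; then
    audit_report "$(ldd "$APT_HTTPS_METHOD")" \
        "$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null)" || :
else
    audit_report "$SAMPLE_LDD_GNUTLS" "$SAMPLE_SOURCES" || :
fi
```

The exit status of `audit_report` makes the check usable from a configuration-management or monitoring run, independent of whether `apt-get update` itself happens to be reachable through the proxy at that moment.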