[Bug 1974037] Update Released

Łukasz Zemczak 1974037 at bugs.launchpad.net
Mon Jun 20 14:32:47 UTC 2022


The verification of the Stable Release Update for openssl has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1974037

Title:
  openssl: EVP_EC_gen() segfault without init

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Jammy:
  Fix Released
Status in openssl source package in Kinetic:
  Fix Released
Status in openssl package in Debian:
  Fix Released

Bug description:
  [Impact]

  The fix for
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1968997 has
  broken some code paths as the new string comparison functions now need
  initialization, triggering segfaults.

  The provided debdiff fixes the immediate issue and also settles on a
  new implementation not requiring the initialization in the first
  place.

  [Test Plan]

  Since this is a regression fix, we first need to check that the
  original bug hasn't cropped up again:

  sudo locale-gen tr_TR.UTF-8
  LANG=C curl https://ubuntu.com/ > /dev/null # This works
  LANG=tr_TR.UTF-8 curl https://ubuntu.com/ > /dev/null # This should work as well

  For the regression itself:

  sudo apt install libssl-dev
  cat <<EOF > openssl_test.c
  #include <openssl/evp.h>
  int main(void)
  {
      /* No explicit library initialisation before the first EVP call:
       * this must not segfault. */
      EVP_PKEY *pkey = EVP_PKEY_Q_keygen(NULL, NULL, "EC", "P-256");
      EVP_PKEY_free(pkey);
      return pkey != NULL ? 0 : 1;
  }
  EOF
  gcc openssl_test.c -lcrypto -lssl -o openssl_test
  ./openssl_test

  
  [Where problems could occur]

  This new patch set is relatively massive, on top of another massive one.
  Some new regressions could crop up of a similar kind. Furthermore, the
  homegrown string comparison function could be buggy, leading to algorithm name mismatches.
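  The "homegrown string comparison function" referred to above is the
  kind of locale-independent, ASCII-only case-insensitive compare that
  needs no library initialisation. The following is an added illustration
  written for this page, not OpenSSL's own code; the function names
  (ascii_strcasecmp, ascii_strncasecmp, algorithm_name_matches), the name
  table and the sample inputs are constructed for the example.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Locale-independent ASCII lower-casing: only 'A'..'Z' are folded, every
 * other byte (including non-ASCII bytes) is returned unchanged. Unlike
 * tolower() this never consults the current LC_CTYPE, so a Turkish locale
 * cannot change how 'I' is folded, and no global state must be set up
 * before the first call. */
static int ascii_tolower(int c)
{
    unsigned char uc = (unsigned char)c;
    if (uc >= 'A' && uc <= 'Z')
        return uc - 'A' + 'a';
    return uc;
}

/* Case-insensitive comparison of two NUL-terminated strings using ASCII
 * folding only. Returns <0, 0 or >0 with the same meaning as strcasecmp(). */
int ascii_strcasecmp(const char *s1, const char *s2)
{
    int c1, c2;
    do {
        c1 = ascii_tolower(*s1++);
        c2 = ascii_tolower(*s2++);
        if (c1 != c2)
            return c1 - c2;
    } while (c1 != '\0');
    return 0;
}

/* Bounded variant: compares at most n bytes, stopping at the first NUL. */
int ascii_strncasecmp(const char *s1, const char *s2, size_t n)
{
    while (n-- > 0) {
        int c1 = ascii_tolower(*s1++);
        int c2 = ascii_tolower(*s2++);
        if (c1 != c2)
            return c1 - c2;
        if (c1 == '\0')
            break;
    }
    return 0;
}

/* Name lookup in the style of a provider's algorithm-name table (the table
 * itself is constructed for this example). Returns 1 when name matches one
 * of the known names ignoring ASCII case, 0 otherwise. */
int algorithm_name_matches(const char *name)
{
    static const char *const known[] = {
        "EC", "RSA", "id-ecPublicKey", "P-256", "Ed25519"
    };
    size_t i;
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (ascii_strcasecmp(name, known[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *names[] = { "ec", "rsa", "ID-ECPUBLICKEY", "p-256", "Ed25519", "sm2" };
    size_t i;
    /* Try the locale from the test plan; if it is not installed setlocale()
     * returns NULL and the process stays in "C". The matches below are the
     * same either way, which is the point of the ASCII-only folding. */
    const char *loc = setlocale(LC_ALL, "tr_TR.UTF-8");
    printf("locale: %s\n", loc ? loc : "C (tr_TR.UTF-8 not installed)");
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-16s match=%d\n", names[i], algorithm_name_matches(names[i]));
    return 0;
}
```

  The locale-aware ctype functions (tolower(), strcasecmp()) are the wrong
  tool here because under a Turkish locale the 'I'/'i' pair is not a simple
  case pair, which is what the tr_TR.UTF-8 check in the test plan
  exercises; folding a fixed byte range instead keeps algorithm-name
  matching identical in every locale and removes the need for any
  one-time initialisation.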

  [Other info]

  The patches all come from upstream and have been merged on their 3.0
  maintenance branch.

  [Original report]

  Source: sscg
  Version: 3.0.2-1
  Severity: serious
  Tags: ftbfs

  https://buildd.debian.org/status/logs.php?pkg=sscg&ver=3.0.2-1%2Bb1

  ...
   1/10 generate_rsa_key_test FAIL              0.01s   killed by signal 11 SIGSEGV
  04:32:21 MALLOC_PERTURB_=87 /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/generate_rsa_key_test
  ...

  Summary of Failures:

   1/10 generate_rsa_key_test FAIL              0.01s   killed by signal 11 SIGSEGV

  Ok:                 9
  Expected Fail:      0
  Fail:               1
  Unexpected Pass:    0
  Skipped:            0
  Timeout:            0
  dh_auto_test: error: cd obj-x86_64-linux-gnu && LC_ALL=C.UTF-8 MESON_TESTTHREADS=4 ninja test returned exit code 1
  make: *** [debian/rules:6: binary-arch] Error 25

  This has also been reported on the openssl-users mailing list:

  https://www.mail-archive.com/openssl-users@openssl.org/msg90830.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1974037/+subscriptions