[Bug 1974214] Re: Segfaults on verify callout, in _gnutls_trust_list_get_issuer

Tobias Heider 1974214 at bugs.launchpad.net
Tue May 24 12:44:43 UTC 2022 

It looks like this is indeed an exim issue that was fixed in a recent
update. exim bug report can be found at:
https://bugs.exim.org/show_bug.cgi?id=2886

** Bug watch added: bugs.exim.org/ #2886
   http://bugs.exim.org/show_bug.cgi?id=2886

** Changed in: exim4 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: exim4 (Ubuntu)
       Status: Confirmed => Triaged

** No longer affects: gnutls28 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1974214

Title:
  Segfaults on verify callout, in _gnutls_trust_list_get_issuer

Status in exim4 package in Ubuntu:
  Triaged

Bug description:
  We are experiencing segfaults in exim since upgrading from impish
  (4.94.2-7ubuntu2 with libgnutls30 3.7.1-5ubuntu1) to jammy
  (4.95-4ubuntu2 with libgnutls30 3.7.3-4ubuntu1), in
  _gnutls_trust_list_get_issuer, seemingly in the sender/recipient
  verify callout during message submission.

  Typically the initial attempt to submit a message crashes an exim
  child thread, but the same message is accepted when the sender
  retries.

  gdb backtrace:

  Thread 2.1 "exim4" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fe2f844d080 (LWP 29278)]
  0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>, list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
  1026    x509/../../../lib/x509/verify-high.c: No such file or directory.
  (gdb) bt
  #0  0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>,
      list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
  #1  gnutls_x509_trust_list_get_issuer (list=list at entry=0x55ef6bd9c260, cert=0x55ef6bd9be20, issuer=issuer at entry=0x7ffc82dba510,
      flags=flags at entry=16) at x509/../../../lib/x509/verify-high.c:1129
  #2  0x00007fe2f8f3f679 in gnutls_x509_trust_list_verify_crt2 (list=0x55ef6bd9c260, cert_list=0x7ffc82dba5c0,
      cert_list_size=<optimised out>, data=<optimised out>, elements=<optimised out>, flags=33554432, voutput=0x7ffc82dba888, func=0x0)
      at x509/../../../lib/x509/verify-high.c:1522
  #3  0x00007fe2f8ed7516 in _gnutls_x509_cert_verify_peers (status=0x7ffc82dba888, elements=0, data=0x0, session=0x55ef6c0c1150)
      at ../../lib/cert-session.c:597
  #4  gnutls_certificate_verify_peers (session=0x55ef6c0c1150, data=data at entry=0x0, elements=elements at entry=0,
      status=status at entry=0x7ffc82dba888) at ../../lib/cert-session.c:776
  #5  0x00007fe2f8ed8000 in gnutls_certificate_verify_peers2 (session=<optimised out>, status=status at entry=0x7ffc82dba888)
      at ../../lib/cert-session.c:653
  #6  0x000055ef6b7698ef in verify_certificate (state=<optimised out>, errstr=0x7ffc82dbaa20)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:2519
  #7  0x000055ef6b7a5d7b in tls_client_start.constprop.0 (cctx=cctx at entry=0x55ef6be0e688, conn_args=conn_args at entry=0x55ef6bdfe5f8,
      tlsp=0x55ef6b7f59c0 <tls_out>, errstr=errstr at entry=0x7ffc82dbaa20, cookie=<optimised out>)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:3593
  #8  0x000055ef6b78b0ef in smtp_setup_conn (sx=0x55ef6bdfe5e8, suppress_tls=<optimised out>) at transports/smtp.c:2673
  #9  0x000055ef6b776350 in do_callout (pm_mailfrom=<optimised out>, se_mailfrom=<optimised out>, options=<optimised out>,
      callout_connect=<optimised out>, callout_overall=<optimised out>, callout=<optimised out>, tf=0x7ffc82dbbc10,
      host_list=<optimised out>, addr=0x7ffc82dbbdd0)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:677
  #10 verify_address (vaddr=<optimised out>, fp=<optimised out>, options=<optimised out>, callout=<optimised out>,
      callout_overall=<optimised out>, callout_connect=<optimised out>, se_mailfrom=<optimised out>, pm_mailfrom=<optimised out>,
      routed=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:1947
  #11 0x000055ef6b6f1660 in acl_verify (where=where at entry=0, addr=addr at entry=0x7ffc82dbc5e0,
      arg=0x55ef6babc2b8 "recipient/defer_ok/callout=30s,defer_ok,use_postmaster", user_msgptr=user_msgptr at entry=0x7ffc82dbca50,
      log_msgptr=log_msgptr at entry=0x7ffc82dbca58, basic_errno=basic_errno at entry=0x7ffc82dbc38c)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:2168
  #12 0x000055ef6b6f479e in acl_check_condition (level=<optimised out>, basic_errno=0x7ffc82dbc38c, log_msgptr=<optimised out>,
      user_msgptr=<optimised out>, epp=<synthetic pointer>, addr=<optimised out>, where=<optimised out>, cb=0x55ef6babc298,
      verb=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:3838
  #13 acl_check_internal (where=where at entry=0, addr=addr at entry=0x7ffc82dbc5e0, s=s at entry=0x55ef6bab9990 "acl_check_rcpt",
      user_msgptr=user_msgptr at entry=0x7ffc82dbca50, log_msgptr=log_msgptr at entry=0x7ffc82dbca58)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4225
  #14 0x000055ef6b6f7b9e in acl_check (where=0, recipient=<optimised out>, s=0x55ef6bab9990 "acl_check_rcpt",
      user_msgptr=0x7ffc82dbca50, log_msgptr=0x7ffc82dbca58)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4539
  #15 0x000055ef6b75c2fd in smtp_setup_msg () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/smtp_in.c:5283
  #16 0x000055ef6b6e5cda in handle_smtp_call (accepted=0x7ffc82dbceb0, accept_socket=<optimised out>,
      listen_socket_count=<optimised out>, listen_sockets=<optimised out>)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:551
  #17 daemon_go () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:2594
  #18 main (argc=<optimised out>, cargv=<optimised out>)
      at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/exim.c:4947

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1974214/+subscriptions

More information about the foundations-bugs mailing list