[Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

Mauricio Faria de Oliveira 1951279 at bugs.launchpad.net
Fri Aug 5 14:19:01 UTC 2022


Update: this has been fixed in Focal (same fix commit):

openssl (1.1.1f-1ubuntu2.11) focal; urgency=medium

  * Fixup pointer authentication for armv8 systems that support it when
    using the poly1305 MAC, preventing segmentation faults. (LP: #1960863)
    - d/p/lp-1960863-crypto-poly1305-asm-fix-armv8-pointer-authenticat.patch

 -- Matthew Ruffell <matthew.ruffell at canonical.com>  Tue, 15 Feb 2022
10:10:01 +1300

** Changed in: openssl (Ubuntu Focal)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1951279

Title:
  OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  Fix Released
Status in openssl package in Debian:
  Fix Released

Bug description:
  Description
  -----------

  It seems that current Ubuntu 20.04 (Focal) distribution for
  Arm64/Aarch64 raise a segmentation fault when certain validates some
  certificates.

  This issue affects only to Arm64/Aarch64 all the tools statically or
  dynamically linked with this version of the library are affected
  (Libcurl4, Curl, Wget, OpenJDK, Curl-PHP, etc).

  
  Environment and platform
  ------------------------
  Linux 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:29:20 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

  
  Steps to reproduce
  ------------------

  1. Run:

  curl -v https://graph.facebook.com/v12.0/act_111/

  or

  wget https://graph.facebook.com/v12.0/act_111/

  
  Result received
  ---------------

  Segmentation fault (core dumped)

  
  Notes
  -----

  This bug was found by the Curl users:
  See: https://github.com/curl/curl/issues/8024

  I believe that this bug is related to
  https://ubuntu.com/security/CVE-2020-1967 that maybe used as a vector
  point for code injection.

  Actually there isn't any replacement for OpenSSL 1.1.1f for Focal
  (Arm64), so it makes difficult to use Ubuntu 20.04 in a production
  environment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1951279/+subscriptions




More information about the Ubuntu-sponsors mailing list