Bug 11549 - the openssl libs in mageia seem to have this bug
: the openssl libs in mageia seem to have this bug
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
: 3
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://openssl.6102.n7.nabble.com/NUL...
:
:
: 12096
:
  Show dependency treegraph
 
Reported: 2013-10-27 23:25 CET by sridhar s
Modified: 2014-01-05 21:12 CET (History)
5 users (show)

See Also:
Source RPM: libopenssl
CVE:


Attachments

Description sridhar s 2013-10-27 23:25:40 CET
Description of problem:
ssl_get_certificate bug

Version-Release number of selected component (if applicable):


How reproducible:
do some development against openssl.


1.0.1e-1.mga3

Reproducible: 

Steps to Reproduce:
Comment 1 sridhar s 2013-10-27 23:26:49 CET
it seems that the openssl people have already fixed it:

 http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc
Comment 2 Colin Guthrie 2013-10-28 12:04:25 CET
Can you describe the problem better please? There really isn't enough information to describe the problem case enough. It might be very obvious to you what is at fault here if you've done development with openssl before, but please keep in mind that not everyone is in that fortunate position.

An example program that should work but fails or some exiting program that fails would be great, such that QA can both verify the problem and also verify any fix.

Thanks!
Comment 3 Guillaume Rousse 2013-10-28 12:28:28 CET
Given than upstream developpers acknowledged the issue, and already fixed it  themselves, it seems overkill to ask our users to prove the issue. Especially given the difficulty to set up a test case here in this specific case. I'd eventually debate the opportunity to provide an update for mageia 3, given the very limited scope of the problem.

I fixed the issue in cauldron, and I submitted an openssl-1.0.1e-1.1.mga3 release in updates_testing.
Comment 4 Colin Guthrie 2013-10-28 12:30:29 CET
If you're happy with that then cool. I don't know OpenSSL enough to know if this change has knock on effects etc. hence I couldn't offer any kind of guidance on regression testing etc.

As you seem to be able to provide that info, I'll leave it to you :)
Comment 5 sridhar s 2013-10-28 16:42:07 CET
I do have some "source" that did make clear to me that the issue exist, but it is in pascal; lazarus; fpc, and quite frankly not very tidy; just doing some prototyping for myself. So I was a bit reluctant to show this "mesh" to the rest of the world, and was kind of hoping that because OpenSSL did already fixed it themselves, those links would be good enough.
I am glad to here that Mageia will fix this. Thanks and appreciation for the people behind Mageia.
This week I will download and test openssl-1.0.1e-1.1.mga3 and will be happy to let you know the results (against by meshed-up program)
Sridhar.
Comment 6 sridhar s 2013-11-01 12:44:31 CET
Hello,
I am happy to report that the bug is fixed with the version of openssl in core/testing.
Thank you Mageia people.
Sridhar.
Comment 7 Colin Guthrie 2013-11-01 13:04:25 CET
We need to keep it open such that it goes through the proper QA and release cycle.

Guillaume can you write the advisory and test case for QA?
Comment 8 Guillaume Rousse 2013-11-01 16:20:12 CET
As already said, this seems to be a quite specific problem, and I'm not even sure than standard users could be potentially affected.

I'm unable to set up a test case, nor to provide a better advisory than: "a NULL pointer reference issue have been fixed in  SSL_get_certificate". If that's not enough for standard QA procedure, I'm perfectly fine not providing any update until we have any better idea of problem impact.
Comment 9 sridhar s 2013-11-01 22:02:54 CET
Dear Mageia people,
Maybe the following does help: squid proxy suffers from the same problem. Google will return the squid patches when searching on squid and the bug in ssl_get_certificate. Maybe squid can be setup in a test case for testing this fix.
Kind regards, Gursimrah
Comment 10 Dave Hodgins 2013-11-02 00:14:40 CET
If there is no publicly known poc, it's fine to assign it
to qa, and we'll just test the update to ensure it works in
normal usage.
Comment 11 Guillaume Rousse 2013-12-31 17:02:13 CET
Re-assigning.
Comment 12 Dave Hodgins 2014-01-05 21:12:32 CET
openssl-1.0.1e-1.2.mga3 update validated in bug 12096, so closing this bug.

Note You need to log in before you can comment on or make changes to this bug.