PolarSSL SIGPIPE - Ubuntu using old version

Bug #1338650 reported by Eduardo Silva
This bug affects 1 person

Affects: polarssl (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Ubuntu 14.04 distributes PolarSSL 1.3.4, and any server that depends on it is currently broken. The issue can be reproduced in the following way:

 1) get Monkey HTTP Server v1.5.1 from http://monkey-project.com
 2) compile and enable SSL support: ./configure --enable-plugins=polarssl
 3) run the server: bin/monkey

 note: documentation about configuring Monkey with PolarSSL here:

   http://monkey-project.com/documentation/1.5/plugins/polarssl.html

When running the server and issuing a simple connection with curl, but without the -k option, the server stops working because of a SIGPIPE in libpolarssl. Here is the backtrace:

(gdb) bt
#0 0x00007ffff79c735d in write () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff65a183a in net_send () from /usr/lib/libpolarssl.so.5
#2 0x00007ffff65bc18a in ssl_flush_output () from /usr/lib/libpolarssl.so.5
#3 0x00007ffff65bc5bb in ssl_write_record () from /usr/lib/libpolarssl.so.5
#4 0x00007ffff65b6b14 in ssl_handshake_server_step () from /usr/lib/libpolarssl.so.5
#5 0x00007ffff65bfb80 in ssl_handshake () from /usr/lib/libpolarssl.so.5
#6 0x00007ffff65c0aca in ssl_read () from /usr/lib/libpolarssl.so.5
#7 0x00007ffff67f1196 in _mkp_network_io_read (fd=9, buf=0x7fffe684e058, count=4096) at polarssl.c:649
#8 0x000000000041497f in mk_socket_read (socket_fd=9, buf=0x7fffe684e058, count=4096) at mk_socket.c:197
#9 0x000000000040a708 in mk_handler_read (socket=9, cs=0x7fffe684e000) at mk_request.c:672
#10 0x0000000000411f23 in mk_conn_read (socket=9) at mk_connection.c:75
#11 0x000000000040fbef in mk_epoll_init (server_fd=15, efd=10, max_events=252) at mk_epoll.c:281
#12 0x0000000000410a50 in mk_sched_launch_worker_loop (thread_conf=0x7ffff6c14540) at mk_scheduler.c:441
#13 0x00007ffff79c0182 in start_thread (arg=0x7fffef7fe700) at pthread_create.c:312
#14 0x00007ffff76ed30d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

When using PolarSSL 1.3.7 (compiled from sources), the issue is not reproducible.

This is a major security issue that needs to be addressed.
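
The backtrace above ends in a plain write() inside net_send(). What kills the process is the SIGPIPE the kernel raises when the socket's peer has already gone away, which is exactly the state the server is in once curl rejects the certificate and closes the connection in the middle of the handshake. The following is an added example, not code from this report, from Monkey or from PolarSSL: it reproduces both outcomes on an AF_UNIX socketpair whose other end has been closed (a constructed stand-in for the client socket) and shows the two usual fixes, send() with MSG_NOSIGNAL on the library side and ignoring SIGPIPE in the application. The names dead_socket, probe_write and probe_write_ignoring_sigpipe, and the "ServerHello" payload, are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0   /* macOS/BSD lack it; set SO_NOSIGPIPE on the socket there */
#endif

/* Outcome of one write attempt against a socket whose peer is gone. */
struct write_probe {
    ssize_t ret;   /* return value of write()/send(), -1 on error */
    int err;       /* errno after the call */
    int sigpipe;   /* 1 if the call generated SIGPIPE */
};

/* Constructed stand-in for the server's TLS socket after the client hung up:
 * one end of a socketpair with the other end already closed. */
static int dead_socket(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    close(sv[1]);          /* the "client" goes away */
    return sv[0];
}

/* Library-side view: send the next handshake record to a dead peer.
 * SIGPIPE is blocked around the call so the kernel leaves it pending instead
 * of terminating us, which lets us record whether it was raised at all.
 * use_msg_nosignal=0 mimics a plain write(); 1 uses send(MSG_NOSIGNAL),
 * which reports EPIPE without the signal. */
struct write_probe probe_write(int use_msg_nosignal)
{
    struct write_probe r = { -1, 0, 0 };
    static const char record[] = "ServerHello";   /* constructed payload */
    int fd = dead_socket();
    if (fd < 0) { r.err = errno; return r; }

    sigset_t pipe_only, saved, pending;
    sigemptyset(&pipe_only);
    sigaddset(&pipe_only, SIGPIPE);
    sigprocmask(SIG_BLOCK, &pipe_only, &saved);

    errno = 0;
    if (use_msg_nosignal)
        r.ret = send(fd, record, sizeof record, MSG_NOSIGNAL);
    else
        r.ret = write(fd, record, sizeof record);
    r.err = errno;

    sigpending(&pending);
    if (sigismember(&pending, SIGPIPE)) {
        int sig;
        r.sigpipe = 1;
        sigwait(&pipe_only, &sig);   /* consume it before unblocking */
    }
    sigprocmask(SIG_SETMASK, &saved, NULL);
    close(fd);
    return r;
}

/* Application-side view: what a daemon can do regardless of which library
 * version it links. With SIGPIPE ignored, the plain write() returns -1/EPIPE
 * and the process stays alive; the signal itself is discarded. */
struct write_probe probe_write_ignoring_sigpipe(void)
{
    struct write_probe r = { -1, 0, 0 };
    struct sigaction ignore, saved;
    memset(&ignore, 0, sizeof ignore);
    ignore.sa_handler = SIG_IGN;
    sigemptyset(&ignore.sa_mask);
    sigaction(SIGPIPE, &ignore, &saved);

    int fd = dead_socket();
    if (fd >= 0) {
        errno = 0;
        r.ret = write(fd, "ServerHello", 11);
        r.err = errno;
        close(fd);
    } else {
        r.err = errno;
    }
    sigaction(SIGPIPE, &saved, NULL);
    return r;
}

int main(void)
{
    struct write_probe a = probe_write(0);
    struct write_probe b = probe_write(1);
    struct write_probe c = probe_write_ignoring_sigpipe();
    printf("write():            ret=%zd errno=%s sigpipe=%d\n", a.ret, strerror(a.err), a.sigpipe);
    printf("send(MSG_NOSIGNAL): ret=%zd errno=%s sigpipe=%d\n", b.ret, strerror(b.err), b.sigpipe);
    printf("write(), SIG_IGN:   ret=%zd errno=%s (process survived)\n", c.ret, strerror(c.err));
    return 0;
}
```

Build with `cc -o sigpipe_probe sigpipe_probe.c` and run it. The first line shows the failure mode in the backtrace: EPIPE plus a SIGPIPE that, with the default disposition, ends the whole worker process. The other two show the two defences; a server should apply the application-side one itself rather than depend on how a particular library release implements net_send().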

Revision history for this message
Eduardo Silva (edsiper) wrote:

Additional test:

I performed the same test on Debian Wheezy, which ships PolarSSL 1.2.9, and the issue is *not* reproducible there. The current package used in 14.04 comes from Testing according to:

     https://packages.qa.debian.org/p/polarssl.html

PolarSSL 1.3.7-2 (where the issue is fixed) is available in a newer version of Debian testing.

Revision history for this message
Seth Arnold (seth-arnold) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the Stable Release Updates (SRU) Team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/StableReleaseUpdates

I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

Thanks

information type: Private Security → Public