curl 7.68 does not init OpenSSL correctly

Bug #1940528 reported by Dimitri John Ledkov
Affects          Status        Importance  Assigned to           Milestone
curl (Ubuntu)    Fix Released  Undecided   Unassigned
  Bionic         New           Undecided   Unassigned
  Focal          Fix Released  Undecided   Dimitri John Ledkov

Bug Description

[Impact]

 * curl 7.68 does not correctly use OpenSSL 1.1.0+ api to init OpenSSL global state prior to executing any OpenSSL APIs. This may lead to duplicate engine initiation, which upon engine unload may cause use-after-free or double-free of any methods that engine installs. This has been fixed in curl 7.74 by correctly calling OpenSSL init api prior to any other calls to OpenSSL apis.

[Test Plan]

 * This should be reproducible with any engines that allocate & register methods, and free them upon engine unload. Then use curl with openssl backend to test for corrupted stack.

 * I.e. on arm64, compile and configure pka engine from https://github.com/Mellanox/pka/commit/b0f32fa05298bf9e3997ea43fc1c11b90e0d662f (i.e. without the double-free protections proposed in https://github.com/Mellanox/pka/pull/37 ) on any arm64 hardware, there is no need for the engine to actually work or have access to anything, as the issue is reproducible when engine is enabled but cannot be effectively used.

 * curl any https website

...
PKA_DEV: pka_dev_open_ring_vfio: error: failed to get ring 50 device name
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 338 100 338 0 0 3520 0 --:--:-- --:--:-- --:--:-- 3520
(exit status 0)

is good output from fixed curl.

Whereas:

PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 338 100 338 0 0 1169 0 --:--:-- --:--:-- --:--:-- 1169
Segmentation fault (core dumped)
(exit status non-zero)

is bad output from currently broken curl.

[Where problems could occur]

 * Correctly calling OpenSSL init function prior to any other OpenSSL apis changes the behaviour of the library slightly - specifically openssl configuration file and engines are initialised and loaded earlier, meaning that site-local customizations are applied correctly whenever using curl cli utility or libcurl4 (the openssl version of curl). This will make engine support work correctly across the board. However, if one has a misconfigured openssl conf and misconfigured engines which are now actually attempted to be used, one may experience unexpected behaviour changes (since potentially existing configuration was not actually taking effect).

[Other Info]

 * References:
https://github.com/curl/curl/commit/1835cb916e0d40eb8bc1165d5627a0b64f911bac
https://github.com/openssl/openssl/issues/13548
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518
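To make the ordering failure described under [Impact] and the engine-side caveat under [Where problems could occur] concrete, below is an added C model of the bug. It is not curl's, OpenSSL's or the PKA engine's code: the pool allocator, the engine struct, and the functions pool_alloc, pool_free, engine_init, engine_finish, load_builtin_engines, openssl_init, run_lifetime and leaked_blocks are all constructed here for illustration. The model assumes two library code paths (a builtin-engine loader and a once-guarded global init that reads the config) that can each activate the same engine, and an engine whose init allocates a method table that finish frees. Calling the builtin loader before the global init, as curl 7.68 did, activates the engine twice; at unload the second finish frees the same table again. Calling the global init first, as the 7.74 fix does, makes the later builtin load a no-op. The "defensive" flag models an engine that nulls its pointer after freeing, which silences the double free but still leaks the first table, so it is a mitigation rather than the fix.

```c
#include <stdio.h>
#include <string.h>

/* Instrumented allocator: a fixed pool whose free detects a second release
 * of the same block. A real double free would abort under glibc with
 * "double free or corruption", as in the verification log in this report. */
#define POOL_BLOCKS 4
static struct { int in_use; } pool[POOL_BLOCKS];

static void *pool_alloc(void) {
    for (int i = 0; i < POOL_BLOCKS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

/* Returns 1 if the block was already free (the modelled double free). */
static int pool_free(void *p) {
    for (int i = 0; i < POOL_BLOCKS; i++) {
        if (p != (void *)&pool[i]) continue;
        if (!pool[i].in_use) return 1;
        pool[i].in_use = 0;
        return 0;
    }
    return 0;   /* NULL or foreign pointer: nothing to release */
}

/* Blocks still in use after cleanup, i.e. leaked method tables. */
int leaked_blocks(void) {
    int n = 0;
    for (int i = 0; i < POOL_BLOCKS; i++) n += pool[i].in_use;
    return n;
}

/* Modelled engine (hypothetical, not the real PKA engine): init allocates
 * its method table, finish releases it. It does not expect a second init. */
struct engine { void *methods; int init_count; };
static struct engine pka;

static void engine_init(struct engine *e) {
    e->methods = pool_alloc();  /* a second init overwrites (leaks) the first table */
    e->init_count++;
}

/* defensive=1 models an engine that nulls its pointer after freeing, so a
 * duplicate finish becomes a no-op (engine-side mitigation, not the fix). */
static int engine_finish(struct engine *e, int defensive) {
    int double_free = pool_free(e->methods);
    if (defensive) e->methods = NULL;
    e->init_count--;
    return double_free;
}

/* Modelled library global state: two code paths can each activate the engine. */
static int crypto_initialised, engines_loaded;

/* Builtin-engine loader: the call curl 7.68 made before the global init. */
static void load_builtin_engines(void) {
    if (engines_loaded) return;
    engines_loaded = 1;
    engine_init(&pka);
}

/* Once-guarded global init: loads the config, which activates the engine,
 * and marks the builtin engines as loaded. The config path does not know
 * that a builtin load may already have activated the same engine. */
static void openssl_init(void) {
    if (crypto_initialised) return;
    crypto_initialised = 1;
    engine_init(&pka);
    engines_loaded = 1;
}

/* One process lifetime. init_first=0 is the 7.68 ordering, 1 the 7.74 fix.
 * Returns the number of double frees seen at engine unload. */
int run_lifetime(int init_first, int defensive_engine) {
    memset(pool, 0, sizeof pool);
    memset(&pka, 0, sizeof pka);
    crypto_initialised = engines_loaded = 0;

    if (init_first) openssl_init();   /* the fix: global init before anything else */
    load_builtin_engines();
    openssl_init();                   /* no-op if already done */

    int double_frees = 0;             /* unload: one finish per registration */
    while (pka.init_count > 0)
        double_frees += engine_finish(&pka, defensive_engine);
    return double_frees;
}

int main(void) {
    for (int order = 0; order < 2; order++)
        for (int def = 0; def < 2; def++) {
            int dbl = run_lifetime(order, def);
            printf("init_first=%d defensive=%d: double frees=%d leaked tables=%d\n",
                   order, def, dbl, leaked_blocks());
        }
    return 0;
}
```

The check a practitioner wants from this is the two-column picture it prints: only the ordering where the global init runs first gives zero double frees and zero leaked tables; the defensive engine alone removes the crash but keeps the leak, which is why the curl-side fix was still worth shipping after the openssl and engine fixes.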

Changed in curl (Ubuntu Focal):
status: New → Confirmed
Changed in curl (Ubuntu):
status: New → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Building test package in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4654

But also uploaded it into focal unapproved, which is currently soft frozen.

Revision history for this message
Brian Murray (brian-murray) wrote :

I don't see the patch in debian/patches/series. Am I missing something?

Changed in curl (Ubuntu Focal):
status: Confirmed → Incomplete
Revision history for this message
Robie Basak (racb) wrote : Proposed package upload rejected

An upload of curl to focal-proposed has been rejected from the upload queue for the following reason: "Quilt patch missing in series file".

Changed in curl (Ubuntu Focal):
status: Incomplete → Triaged
Changed in curl (Ubuntu Focal):
assignee: nobody → Dimitri John Ledkov (xnox)
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Reuploaded curl into focal proposed, with series fix & on top of security upload that has happened since.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Not only was the patch missing from the series file, it was also partially missing. Reuploading again.

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted curl into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in curl (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (curl/7.68.0-1ubuntu2.8)

All autopkgtests for the newly accepted curl (7.68.0-1ubuntu2.8) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

gnupg1/1.4.23-1 (armhf)
gnocchi/4.3.4-0ubuntu5 (armhf)
systemd/245.4-4ubuntu3.13 (amd64)
kopanocore/8.7.0-7ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#curl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Autopkgtests have now all passed.

Revision history for this message
James Bong (jamesbong861) wrote :

Hi, I can't update curl, what should I do?

This is the error code:
The following packages have unmet dependencies:
 libcurl4-openssl-dev : Depends: libcurl4 (= 7.68.0-1ubuntu2.8) but 7.68.0-1ubuntu2.7 is to be installed
E: Unable to correct problems, you have held broken packages.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

1) downgraded openssl to 1.1.1f-1ubuntu2.9 such that it doesn't have double free fix that was released in https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.10

2) installed old pka module from commit b0f32fa05298bf9e3997ea43fc1c11b90e0d662f

3) installed focal-updates version of curl

Observed double free core dump:

# dpkg-query -W | grep -e 1.1.1f -e curl -e pka
curl 7.68.0-1ubuntu2.7
libcurl3-gnutls:arm64 7.68.0-1ubuntu2.7
libcurl4:arm64 7.68.0-1ubuntu2.7
libpka1:arm64 1.3-1
libssl-dev:arm64 1.1.1f-1ubuntu2.9
libssl1.1:arm64 1.1.1f-1ubuntu2.9
openssl 1.1.1f-1ubuntu2.9

# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 2117 0 --:--:-- --:--:-- --:--:-- 2117
double free or corruption (out)
Aborted (core dumped)

Upgraded to new curl:

# dpkg-query -W | grep -e 1.1.1f -e curl -e pka
curl 7.68.0-1ubuntu2.8
libcurl3-gnutls:arm64 7.68.0-1ubuntu2.8
libcurl4:arm64 7.68.0-1ubuntu2.8
libpka1:arm64 1.3-1
libssl-dev:arm64 1.1.1f-1ubuntu2.9
libssl1.1:arm64 1.1.1f-1ubuntu2.9
openssl 1.1.1f-1ubuntu2.9

# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 1894 0 --:--:-- --:--:-- --:--:-- 1888

Observed success without any double-free or segfault in openssl.

Although this particular issue has already been fixed in openssl, it still makes sense to release this update of curl which includes correct openssl engine API usage.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package curl - 7.68.0-1ubuntu2.10

---------------
curl (7.68.0-1ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn reuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fixes in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' haskey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 25 Apr 2022 10:02:10 -0300

Changed in curl (Ubuntu Focal):
status: Fix Committed → Fix Released