curl 7.68 does not init OpenSSL correctly
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| curl (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | New | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Dimitri John Ledkov | |
Bug Description
[Impact]
* curl 7.68 does not correctly use the OpenSSL 1.1.0+ API to initialise OpenSSL's global state before executing any other OpenSSL APIs. This can lead to an engine being initialised twice; when that engine is later unloaded, the result can be a use-after-free or double-free of any methods the engine installs. This has been fixed in curl 7.74 by calling the OpenSSL init API correctly, before any other calls to OpenSSL APIs.
[Test Plan]
* This should be reproducible with any engine that allocates and registers methods and frees them upon engine unload. Then use curl with the OpenSSL backend to test for a corrupted stack.
* For example, on arm64, compile and configure the pka engine from https:/
* curl any https website
...
PKA_DEV: pka_dev_
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 338 100 338 0 0 3520 0 --:--:-- --:--:-- --:--:-- 3520
(exit status 0)
is good output from the fixed curl.
Whereas:
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 338 100 338 0 0 1169 0 --:--:-- --:--:-- --:--:-- 1169
Segmentation fault (core dumped)
(exit status non-zero)
is bad output from the currently broken curl.
[Where problems could occur]
* Correctly calling the OpenSSL init function before any other OpenSSL APIs changes the behaviour of the library slightly: specifically, the OpenSSL configuration file and engines are initialised and loaded earlier, meaning that site-local customisations are applied correctly whenever the curl CLI utility or libcurl4 (the OpenSSL build of curl) is used. This will make engine support work correctly across the board. However, if one has a misconfigured openssl.cnf or misconfigured engines, which are now actually used, one may experience unexpected behaviour changes (since the existing configuration was potentially not taking effect before).
[Other Info]
* References:
https:/
https:/
https:/
CVE References
Changed in curl (Ubuntu Focal):
status: New → Confirmed
Changed in curl (Ubuntu):
status: New → Fix Released
Changed in curl (Ubuntu Focal):
assignee: nobody → Dimitri John Ledkov (xnox)
Building test package in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4654
But also uploaded it into focal unapproved, which is currently soft frozen.