libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssl (Ubuntu) | Fix Released | Medium | Marc Deslauriers | |
| Precise | Fix Released | High | Marc Deslauriers | |
| Trusty | Fix Released | High | Marc Deslauriers | |
| Xenial | Fix Released | High | Marc Deslauriers | |
Bug Description
Last night unattended-upgrades upgraded the openssl packages (libssl1.0.0, libssl-dev, openssl) from version 1.0.2g-1ubuntu4.1 to version 1.0.2g-1ubuntu4.4 on a CI build server. Then everything that used PHP to connect to an HTTPS site started crashing when verifying the server cert.
Like this:
```
jenkins@
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/
Notice: Undefined offset: 4 in phar://
Segmentation fault (core dumped)
*** Segmentation fault
Register dump:
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 000000000000000c RSI: 000055665071af59 RDI: 0000000000000000
RBP: 0000556650a49e4e R8 : 0000556652364720 R9 : 0000000000000000
R10: 0000000000000000 R11: 00007fdb3c081730 R12: 000055665071af59
R13: 000000000000000c R14: 0000000000000000 R15: 00007fdb39418cf0
RSP: 00007ffc4bad7a08
RIP: 00007fdb3bf77d16 EFLAGS: 00010293
CS: 0033 FS: 0000 GS: 0000
Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000000
FPUCW: 0000027f FPUSW: 00000000 TAG: 00000000
RIP: 00000000 RDP: 00000000
ST(0) 0000 0000000000000000 ST(1) 0000 0000000000000000
ST(2) 0000 0000000000000000 ST(3) 0000 0000000000000000
ST(4) 0000 0000000000000000 ST(5) 0000 0000000000000000
ST(6) 0000 0000000000000000 ST(7) 0000 0000000000000000
mxcsr: 1fa0
XMM0: 000000000000000
XMM2: 000000000000000
XMM4: 000000000000000
XMM6: 000000000000000
XMM8: 000000000000000
XMM10: 000000000000000
XMM12: 000000000000000
XMM14: 000000000000000
Backtrace:
/lib/x86_
php(add_
php(zif_
php(dtrace_
php(+0x2e37e0)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(zend_
php(zif_
php(dtrace_
php(+0x2e37e0)
php(execute_
php(dtrace_
php(zend_
php(zif_
php(dtrace_
php(+0x2e37e0)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2e391d)
php(execute_
php(dtrace_
php(+0x2ef65c)
php(execute_
php(dtrace_
php(+0x2efc7c)
php(execute_
php(dtrace_
php(zend_
php(zend_
php(php_
php(+0x2f48b7)
php(main+
/lib/x86_
php(_start+
```
Apparently something in libssl now returns a NULL or not-NUL-terminated C string which the PHP function openssl_x509_parse then passes to strlen, which crashes.
After downgrading to 1.0.2g-1ubuntu4.2, which luckily is still in the repos, everything works:
```
jenkins@
libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.2
Candidate: 1.0.2g-1ubuntu4.4
Version table:
1.
500 http://
*** 1.0.2g-1ubuntu4.2 500
500 http://
100 /var/lib/
1.
500 http://
jenkins@
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/
Notice: Undefined offset: 4 in phar://
Installing WP-CFM (1.4.5)
Downloading package from https:/
Using cached file '/home/
Unpacking package...
Installing plugin...
Removing old version of plugin...
Plugin updated successfully.
Activating 'wp-cfm'...
Warning: Plugin 'wp-cfm' is already active.
jenkins@
```
So the issue was introduced between 1.0.2g-1ubuntu4.2 and 1.0.2g-1ubuntu4.4.
The only patch between them that seems relevant is this:
```
diff -Nru openssl-
--- openssl-
+++ openssl-
@@ -0,0 +1,66 @@
+From ff553f837172ecb
+From: "Dr. Stephen Henson" <email address hidden>
+Date: Sat, 17 Sep 2016 12:36:58 +0100
+Subject: [PATCH] Fix small OOB reads.
+
+In ssl3_get_
+ssl3_get_
+before reading a length.
+
+Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
+
+CVE-2016-6306
+
+Reviewed-by: Richard Levitte <email address hidden>
+Reviewed-by: Matt Caswell <email address hidden>
+---
+ ssl/s3_clnt.c | 11 +++++++++++
+ ssl/s3_srvr.c | 6 ++++++
+ 2 files changed, 17 insertions(+)
```
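Review bot: the diffstat at the end of this hunk lists only ssl/s3_clnt.c and ssl/s3_srvr.c, i.e. the ssl3_get_* handshake-message readers named in the subject line, while openssl_x509_parse walks an already-decoded certificate through libcrypto's X509 and ASN.1 accessors and never enters those functions; on the visible evidence this patch does not explain a strlen crash inside openssl_x509_parse, so the remaining patches in the 1.0.2g-1ubuntu4.2 to 1.0.2g-1ubuntu4.4 delta should be listed too, and the candidate should be confirmed by reverting it and rerunning the failing command rather than by reading patch subjects. Note also that the hunk header `@@ -0,0 +1,66 @@` announces a 66-line file but only the commit-message header is shown; the actual length checks ("before reading a length") are not in this excerpt, so relevance cannot be judged from it.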
I didn't try building a binary with that patch reverted though, as I'm happy using the 1.0.2g-1ubuntu4.2 version without the security updates for the time being, given that this build server is not accessible from untrusted networks.
Of course, this might just as well be due to some insufficient error handling or otherwise improper libssl usage in php7.0, but the net effect is that the latest libssl makes the latest php7.0 in the stable Ubuntu 16.04 LTS version crash.
ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: php7.0-cli 7.0.8-0ubuntu0.
ProcVersionSign
Uname: Linux 4.4.0-36-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CrashCounter: 1
Date: Fri Sep 23 10:30:31 2016
ExecutablePath: /usr/bin/php7.0
ExecutableTimes
InstallationDate: Installed on 2016-05-18 (127 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
ProcCmdline: php /usr/local/bin/wp plugin install --force --activate wp-cfm
ProcCwd: /var/lib/
SegvAnalysis: Skipped: missing required field "Disassembly"
Signal: 11
SourcePackage: php7.0
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
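The report pins the crash on openssl_x509_parse() but only reproduces it through wp-cli, a remote server and the network. The script below is an added reproduction harness, not code from the bug report or from the openssl or php7.0 packages: it generates a throwaway self-signed certificate in memory with PHP's own ext/openssl and feeds it to openssl_x509_parse(), so the same code path runs offline and independently of wp-cli or the remote site. The subject fields and the output layout are constructed for the example; nothing on the page specifies them.

```php
<?php
// Added reproduction harness (not from the bug report). Assumes PHP with
// ext/openssl; everything else is generated here, so it runs offline.
declare(strict_types=1);

// Build a throwaway RSA key and a self-signed certificate in memory.
function make_self_signed_pem(): string
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    // Subject with several RDNs (constructed sample values) so the parser
    // has to stringify a variety of X509_NAME entries, not just a CN.
    $dn = [
        'countryName'            => 'FI',
        'stateOrProvinceName'    => 'Uusimaa',
        'organizationName'       => 'Example Oy',
        'organizationalUnitName' => 'CI',
        'commonName'             => 'ci.example.test',
        'emailAddress'           => 'ci@example.test',
    ];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('openssl_csr_new failed: ' . openssl_error_string());
    }
    // $cacert = null makes openssl_csr_sign produce a self-signed certificate.
    $cert = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    if ($cert === false) {
        throw new RuntimeException('openssl_csr_sign failed: ' . openssl_error_string());
    }
    if (!openssl_x509_export($cert, $pem)) {
        throw new RuntimeException('openssl_x509_export failed: ' . openssl_error_string());
    }
    return $pem;
}

// Exercise the code path the backtrace blames. Under a broken libssl the
// process dies here with SIGSEGV (the shell reports exit status 139), which a
// CI job can tell apart from a clean "parse returned false" (exit status 2).
function parse_and_report(string $pem): int
{
    $info = openssl_x509_parse($pem, true);
    if ($info === false) {
        fwrite(STDERR, "openssl_x509_parse returned false\n");
        while (($e = openssl_error_string()) !== false) {
            fwrite(STDERR, "  $e\n");
        }
        return 2;
    }
    // Scalar fields that PHP fills from C strings handed back by libcrypto.
    foreach (['name', 'hash', 'serialNumber', 'validFrom_time_t', 'validTo_time_t'] as $k) {
        printf("%-17s %s\n", $k . ':', (string) ($info[$k] ?? '(missing)'));
    }
    printf("%-17s %s\n", 'subject:', json_encode($info['subject']));
    printf("%-17s %s\n", 'issuer:', json_encode($info['issuer']));
    printf("%-17s %s\n", 'extensions:', implode(', ', array_keys($info['extensions'] ?? [])));
    return 0;
}

exit(parse_and_report(make_self_signed_pem()));
```

Run it as `php repro.php; echo "exit=$?"` once on the upgraded libssl1.0.0 and once after the downgrade. Exit status 139 on the new library and 0 on the old one confirms the crash is in the library's handling of the certificate rather than in wp-cli's input or the remote server's certificate; exit status 2 would mean libssl rejected a certificate it had just signed, which is a separate regression worth reporting on its own.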
summary:
- libssl 1.0.2g-1ubuntu4.4 causes PHP7 SSL cert validation to segfault
+ libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault
Changed in openssl (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Changed in openssl (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Changed in openssl (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Yakkety):
status: Confirmed → Invalid
no longer affects: openssl (Ubuntu Yakkety)
Changed in openssl (Ubuntu):
status: Invalid → Fix Released
tags: added: regression-update
The primary issue is some patch in the latest openssl, which breaks current php7.0. Not any change in the PHP package.