Debian Bug report logs - #826552
openssl: crl processing fails with X509_NAME_EX_D2I:too long

Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>; Source for openssl is src:openssl.

Reported by: Christopher Odenbach <odenbach@uni-paderborn.de>

Date: Mon, 6 Jun 2016 11:03:13 UTC

Severity: important

Tags: fixed-upstream

Found in version openssl/1.0.1t-1+deb8u2

Fixed in version openssl/1.0.1t-1+deb8u3

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#826552; Package openssl. (Mon, 06 Jun 2016 11:03:17 GMT).


Acknowledgement sent to Christopher Odenbach <odenbach@uni-paderborn.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jun 2016 11:03:17 GMT).


Message #5 received at submit@bugs.debian.org:

From: Christopher Odenbach <odenbach@uni-paderborn.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssl: crl processing fails with X509_NAME_EX_D2I:too long
Date: Mon, 06 Jun 2016 12:46:15 +0200

Package: openssl
Version: 1.0.1t-1+deb8u2
Severity: important

Dear Maintainer,

since the last openssl update (from 1.0.1k-3+deb8u5 to 1.0.1t-1+deb8u2)
in jessie, openssl fails to process our long CRL:

odenbach@viridian1:~$ openssl crl -in /var/tmp/network-ca-crl.pem -noout
unable to load CRL
140337784870544:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
140337784870544:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
140337784870544:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
140337784870544:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

odenbach@viridian1:~$ ls -l /var/tmp/network-ca-crl.pem
-rw-r--r-- 1 root root 2909209 Jun  6 06:26 /var/tmp/network-ca-crl.pem

A working version of openssl shows that the CRL contains nearly 100.000 entries:

odenbach@viridian1:~$ WORK/testssl.sh/openssl crl -in /var/tmp/network-ca-crl.pem -noout -text | grep Serial | wc -l
98988

Looks like this known bug:

https://www.mail-archive.com/openssl-dev@openssl.org/msg44242.html

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6        2.19-18+deb8u4
ii  libssl1.0.0  1.0.1t-1+deb8u2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20141019+deb8u1

-- no debconf information
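
Added example, not part of the bug report or of OpenSSL: a shell triage helper that reads OpenSSL 1.0.x error-queue lines like those in the report above, decodes the packed error code, and tells this report's signature (X509_NAME_EX_D2I:too long while decoding the CRL issuer) apart from other parse failures. The function names and output labels are assumptions made for this illustration.

```shell
# Added example; function names and result labels are this example's own.
# OpenSSL 1.0.x prints its error queue one entry per line, oldest first:
#   <thread id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>

# Sample input: the error output quoted in the report above.
SAMPLE_ERRORS='unable to load CRL
140337784870544:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
140337784870544:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
140337784870544:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
140337784870544:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:'

# Split a packed 1.0.x error code into its library (8 bits), function
# (12 bits) and reason (12 bits) numbers.
decode_err_code() {
    code=$((0x$1))
    echo "lib=$(( (code >> 24) & 0xff )) func=$(( (code >> 12) & 0xfff )) reason=$(( code & 0xfff ))"
}

# Print "<function>:<reason>" of the oldest entry, i.e. the innermost failure;
# the later entries only record how it propagated outwards.
root_cause() {
    awk -F: '$2 == "error" { print $5 ":" $6; exit }'
}

# Print the chain of ASN.1 fields that were being decoded, outermost first.
field_path() {
    awk -F: '$2 == "error" && $9 ~ /^Field=/ {
                 split($9, kv, /[=,]/); path = kv[2] (path == "" ? "" : "." path)
             }
             END { print path }'
}

# Classify captured stderr read from stdin.
classify_crl_failure() {
    errs=$(cat)
    cause=$(printf '%s\n' "$errs" | root_cause)
    fields=$(printf '%s\n' "$errs" | field_path)
    if [ -z "$cause" ]; then
        echo "no-error"
    elif [ "$cause" = "X509_NAME_EX_D2I:too long" ] && [ "$fields" = "crl.issuer" ]; then
        echo "issuer-name-too-long"
    else
        echo "other-error: $cause at ${fields:-?}"
    fi
}

# On a live system (placeholder path):
#   openssl crl -in /path/to/crl.pem -noout 2>&1 >/dev/null | classify_crl_failure
```
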



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#826552; Package openssl. (Mon, 06 Jun 2016 12:03:12 GMT).


Acknowledgement sent to Christopher Odenbach <odenbach@uni-paderborn.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jun 2016 12:03:12 GMT).


Message #10 received at 826552@bugs.debian.org:

From: Christopher Odenbach <odenbach@uni-paderborn.de>
To: 826552@bugs.debian.org
Subject: Re: Bug#826552: Acknowledgement (openssl: crl processing fails with X509_NAME_EX_D2I:too long)
Date: Mon, 6 Jun 2016 13:45:22 +0200


Hi,

I just tried to add the patch from commit

https://github.com/openssl/openssl/commit/a1eef756cc1948ed4d1f175d97367aa2b24d962d

Works fine, crl processing works again.

Please add the fix to Debian stable.

Thanks,

Christopher

-- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.311
    odenbach@uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#826552; Package openssl. (Thu, 09 Jun 2016 20:42:03 GMT).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 09 Jun 2016 20:42:03 GMT).


Message #15 received at 826552@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Christopher Odenbach <odenbach@uni-paderborn.de>, 826552@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#826552: Acknowledgement (openssl: crl processing fails with X509_NAME_EX_D2I:too long)
Date: Thu, 9 Jun 2016 22:39:09 +0200

On Mon, Jun 06, 2016 at 01:45:22PM +0200, Christopher Odenbach wrote:
> 
> Hi,
> 
> I just tried to add the patch from commit
> 
> https://github.com/openssl/openssl/commit/a1eef756cc1948ed4d1f175d97367aa2b24d962d

It's also already been fixed in the 1.0.1 branch as commit
b583c1bd069f6928c3973dc6d6864930f6c4bb3e.

It will be fixed in the next upload, just not sure when that's
going to happen.


Kurt




Added tag(s) fixed-upstream. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Sun, 03 Jul 2016 13:24:03 GMT).


Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Mon, 05 Sep 2016 22:21:04 GMT).


Notification sent to Christopher Odenbach <odenbach@uni-paderborn.de>:
Bug acknowledged by developer. (Mon, 05 Sep 2016 22:21:04 GMT).


Message #22 received at 826552-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 826552-close@bugs.debian.org
Subject: Bug#826552: fixed in openssl 1.0.1t-1+deb8u3
Date: Mon, 05 Sep 2016 22:17:14 +0000

Source: openssl
Source-Version: 1.0.1t-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 826552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 11 Jun 2016 19:18:11 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 826552 833156
Changes:
 openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
 .
   [ Kurt Roeckx ]
   * Fix length check for CRLs. (Closes: #826552)
 .
   [ Sebastian Andrzej Siewior ]
   * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
     (Closes: #833156).
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Oct 2016 07:30:28 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 23 15:30:39 2024; Machine Name: bembo
