Debian Bug report logs - #838710
php5: segfault when calling openssl_x509_parse on a valid certificate
Reported by: Jean-Paul Deveaux <jp@tenchek.com>
Date: Fri, 23 Sep 2016 19:42:01 UTC
Severity: normal
Found in version openssl/1.0.1t-1+deb8u4
Fixed in version openssl/1.0.1t-1+deb8u5
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#838710; Package php5. (Fri, 23 Sep 2016 19:42:03 GMT)
Acknowledgement sent to Jean-Paul Deveaux <jp@tenchek.com>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 23 Sep 2016 19:42:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.6.24+dfsg-0+deb8u1
Severity: normal
Dear Maintainer,
Upgraded PHP5 using Debian stable repo today; code that parsed client certificate for user authentication stopped working.
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
In previous versions of PHP5 (5.6.22-0+deb8u1), this call works without any problems (returning an associative array of cert guts).
In the current version, segfault.
For the time being, my workaround involves an 'exec' call to openssl to extract cert details for authentication. I could probably also do it at the apache level.
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.6.24+dfsg-0+deb8u1
ii php5-common 5.6.24+dfsg-0+deb8u1
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#838710; Package php5. (Fri, 23 Sep 2016 20:15:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 23 Sep 2016 20:15:03 GMT)
Message #10 received at 838710@bugs.debian.org:
Control: reassign -1 openssl 1.0.1t-1+deb8u4
Hi,
On Fri, Sep 23, 2016 at 03:57:02PM -0300, Jean-Paul Deveaux wrote:
> Package: php5
> Version: 5.6.24+dfsg-0+deb8u1
> Severity: normal
>
> Dear Maintainer,
>
> Upgraded PHP5 using Debian stable repo today; code that parsed client certificate for user authentication stopped working.
>
> $cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
>
> In previous versions of PHP5 (5.6.22-0+deb8u1), this call works without any problems (returning associative array of cert guts)
> In current version, seg fault.
>
> For the time being, my work around involves an 'exec' call to openssl to extract cert details for authentication. I could probably also do it at the apache level.
I think this is the regression in the recent openssl DSA, and should
be fixed soon with the follow-up update 1.0.1t-1+deb8u5.
Regards,
Salvatore
Bug reassigned from package 'php5' to 'openssl'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 838710-submit@bugs.debian.org. (Fri, 23 Sep 2016 20:15:03 GMT)
No longer marked as found in versions php5/5.6.24+dfsg-0+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 838710-submit@bugs.debian.org. (Fri, 23 Sep 2016 20:15:04 GMT)
Marked as found in versions openssl/1.0.1t-1+deb8u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to 838710-submit@bugs.debian.org. (Fri, 23 Sep 2016 20:15:05 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Fri, 23 Sep 2016 20:21:03 GMT)
Notification sent to Jean-Paul Deveaux <jp@tenchek.com>: Bug acknowledged by developer. (Fri, 23 Sep 2016 20:21:03 GMT)
Message #21 received at 838710-done@bugs.debian.org:
Source: openssl
Source-Version: 1.0.1t-1+deb8u5
Hi
DSA-3673-2 (regression update for openssl) was released fixing this
issue.
Regards,
Salvatore
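As an added example that is not part of the bug log, the two checks a jessie administrator would want after reading this thread: a crash-safe reproducer that runs openssl_x509_parse() in a throwaway php process (so a crash inside libssl kills only that child, never the Apache worker), and a dpkg comparison of the installed libssl against the 1.0.1t-1+deb8u5 version Salvatore named as the fix. The package name libssl1.0.0, the php CLI binary name, and the certificate subject are assumptions about the host.

```shell
#!/bin/sh
# Added example, not code from the bug report. Probe openssl_x509_parse() out of
# process and check whether the installed libssl carries the DSA-3673-2 fix.
# Assumptions: the libssl package is libssl1.0.0 (jessie), the CLI is "php"
# (php5-cli provides it through alternatives), and a self-signed test cert is
# an acceptable stand-in for the client certificate that crashed in the report.

# Map a child's shell exit status to a verdict. POSIX sh reports a child
# killed by signal N as 128+N, so 139 is SIGSEGV (11).
crash_kind() {
  case "$1" in
    0)   echo ok ;;
    139) echo segfault ;;
    *)   echo "exit $1" ;;
  esac
}

# Generate a throwaway self-signed certificate to parse (constructed input;
# the private key is discarded).
make_test_cert() {
  out="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=probe.example" -keyout /dev/null -out "$out" 2>/dev/null
}

# Run openssl_x509_parse() on the PEM file in a separate php process. The PEM
# is handed over by path, never interpolated into a command line, so its
# contents cannot inject into the shell; exit 2 means "parsed but not a cert".
probe_x509_parse() {
  pem="$1"
  php="${2:-php}"
  "$php" -r '$c = openssl_x509_parse(file_get_contents($argv[1])); exit(is_array($c) && isset($c["subject"]) ? 0 : 2);' \
    "$pem" >/dev/null 2>&1
  crash_kind $?
}

# Installed libssl version vs. the version named as fixed in this bug.
# Returns 0 if fixed, 1 if older, 2 if the package query itself failed.
libssl_fixed() {
  have=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) || return 2
  dpkg --compare-versions "$have" ge 1.0.1t-1+deb8u5
}

main() {
  pem=$(mktemp) || return 1
  make_test_cert "$pem"
  echo "openssl_x509_parse: $(probe_x509_parse "$pem")"
  if libssl_fixed; then
    echo "libssl1.0.0: 1.0.1t-1+deb8u5 or newer installed"
  else
    echo "libssl1.0.0: older than 1.0.1t-1+deb8u5 (or not queryable)"
  fi
  rm -f "$pem"
}

main "$@"
```

Run it as sh on the affected host: a "segfault" verdict together with a libssl older than 1.0.1t-1+deb8u5 is this bug, and once the DSA-3673-2 package is installed the probe should report "ok". If the reporter's exec workaround is kept in the meantime, the same rule applies there: pass $_SERVER['SSL_CLIENT_CERT'] to openssl through a file or stdin, as this probe does, rather than interpolating the PEM into the command string.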
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Oct 2016 07:25:19 GMT)
Last modified: Sun Jul 2 02:45:17 2023