[stunnel-users] [Sebastian.Leske at sleske.name: Bug#637932: stunnel4: segfault if certificate file cannot be read during verification]

• Previous message (by thread): [stunnel-users] Stunnel and CryptoAPI
• Next message (by thread): [stunnel-users] [Sebastian.Leske at sleske.name: Bug#637932: stunnel4: segfault if certificate file cannot be read during verification]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Forwarded message from Sebastian Leske <Sebastian.Leske at sleske.name> -----

Date: Mon, 15 Aug 2011 21:21:05 +0200

Package: stunnel4
Version: 3:4.40-1
Severity: normal

I use certificate verification with stunnel4 (verify=2 in
stunnel.conf).
I accidentally changed the access rights of a PEM file required for
verification to be unreadable. As a consequence, stunnel4 incorrectly
reports "Verification error: self signed certificateVerification
error: self signed certificate" (the cert in question is not
self-signed), then segfaults.

With stunnel4 version 4.29-1_i386, this does not occur: stunnel4
correctly reports that it cannot access the PEM file.

Log and backtrace (generated with setting foreground=yes in
stunnel.conf):

Starting program: /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
[Thread debugging using libthread_db enabled]
2011.08.15 21:16:54 LOG5[9584:3082946768]: stunnel 4.40 on i486-pc-linux-gnu platform
2011.08.15 21:16:54 LOG5[9584:3082946768]: Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
2011.08.15 21:16:54 LOG5[9584:3082946768]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
2011.08.15 21:16:54 LOG5[9584:3082946768]: Reading configuration from file /etc/stunnel/stunnel.conf
2011.08.15 21:16:54 LOG6[9584:3082946768]: Compression enabled using zlib method
2011.08.15 21:16:54 LOG6[9584:3082946768]: Initializing SSL context for service pop3sl
2011.08.15 21:16:54 LOG6[9584:3082946768]: SSL context initialized
2011.08.15 21:16:54 LOG6[9584:3082946768]: Initializing SSL context for service https
2011.08.15 21:16:54 LOG6[9584:3082946768]: SSL context initialized
2011.08.15 21:16:54 LOG6[9584:3082946768]: Initializing SSL context for service ssmtp
2011.08.15 21:16:54 LOG6[9584:3082946768]: SSL context initialized
2011.08.15 21:16:54 LOG5[9584:3082946768]: Configuration successful
[New Thread 0xb7fdfb70 (LWP 9593)]
2011.08.15 21:16:57 LOG5[9584:3086875504]: Service pop3sl accepted connection from 127.0.0.1:60903
2011.08.15 21:16:57 LOG6[9584:3086875504]: connect_blocking: connecting 213.187.93.221:995
2011.08.15 21:16:57 LOG5[9584:3086875504]: connect_blocking: connected 213.187.93.221:995
2011.08.15 21:16:57 LOG5[9584:3086875504]: Service pop3sl connected remote server from 192.168.1.101:39914
2011.08.15 21:16:57 LOG4[9584:3086875504]: CERT: Verification error: self signed certificate in certificate chain
2011.08.15 21:16:57 LOG4[9584:3086875504]: Certificate check failed: depth=2, /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
2011.08.15 21:16:57 LOG3[9584:3086875504]: error queue: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7fdfb70 (LWP 9593)]
0xb7ca2119 in ?? () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7ca2119 in ?? () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#1  0xb7ca3c1b in calloc () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#2  0x0804cd20 in ?? ()
#3  0x080574bf in ?? ()
#4  0x08057529 in ?? ()
#5  0x08058129 in ?? ()
#6  0x0804d945 in ?? ()
#7  0x0804e79b in ?? ()
#8  0x0804fafe in ?? ()
#9  0xb7f98c39 in start_thread () from
/lib/i386-linux-gnu/i686/cmov/libpthread.so.0
#10 0xb7d0196e in clone () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
(gdb) 


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages stunnel4 depends on:
ii  adduser                       3.110      add and remove users and groups
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libssl1.0.0                   1.0.0d-3   SSL shared libraries
ii  libwrap0                      7.6.q-16   Wietse Venema's TCP wrappers libra
ii  netbase                       4.34       Basic TCP/IP networking system
ii  openssl                       1.0.0d-3   Secure Socket Layer (SSL) binary a
ii  perl-modules                  5.12.4-2   Core Perl modules

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database             <none>     (no description available)

-- no debconf information



----- End forwarded message -----

-- 
Rodrigo Gallardo

• Previous message (by thread): [stunnel-users] Stunnel and CryptoAPI
• Next message (by thread): [stunnel-users] [Sebastian.Leske at sleske.name: Bug#637932: stunnel4: segfault if certificate file cannot be read during verification]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]