(regression) cannot contact ldaps server

Bug #1003841 reported by Thorsten Glaser
This bug affects 1 person
Affects              Status        Importance  Assigned to  Milestone
gnutls13 (Ubuntu)    Invalid       Undecided   Unassigned
  Hardy              Fix Released  Undecided   Unassigned
  Lucid              Invalid       Undecided   Unassigned
  Oneiric            Invalid       Undecided   Unassigned
  Precise            Invalid       Undecided   Unassigned
gnutls26 (Debian)    Fix Released  Undecided   Unassigned
gnutls26 (Ubuntu)    Fix Released  High        Unassigned
  Lucid              Fix Released  High        Unassigned
  Oneiric            Fix Released  High        Unassigned
  Precise            Fix Released  High        Unassigned

Bug Description

Impact:

gnutls-cli (linked with libgnutls26, like the OpenLDAP client libraries) cannot contact our LDAP server securely in precise

Test case:

If you generate two CA certificates (#1 and #2) with the same DN and hash, then sign the LDAP server’s certificate (#3) with #2, not #1, GnuTLS 2.x will not validate it.

Regression potential:

The fix comes from upstream and is available in Debian.

---

Hi,

while trying to debug NSS with LDAP and SSL (not LP#423252 because it failed even for nōn-suid programmes) I found that gnutls-cli (linked with libgnutls26, like the OpenLDAP client libraries) cannot contact our LDAP server securely in precise. More testing resulted in determining this to be a regression between natty and oneiric, still present in precise. I’m in contact with upstream about this already. More information will thus follow.

Thorsten Glaser (mirabilos) wrote :

Upstream provided a fix, and I’ve built a package with the fix and tested it. First for oneiric…

Thorsten Glaser (mirabilos) wrote :

… and now against precise (I think you could build this in precise-updates and then promote the binary to quantal; otherwise you’d have to build it twice with differing version suffix in the debian/changelog).

Please apply, to enable us to use precise in our company. Thanks!

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fix from upstream as debdiff against oneiric-security package" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Thorsten Glaser (mirabilos) wrote :

Turns out this bug is also in hardy, only the method of contacting the LDAP server changed… will provide backported fixes for the LTS versions, too.

Thorsten Glaser (mirabilos) wrote :

Here’s the debdiff for the LTS version, tested.

Thorsten Glaser (mirabilos) wrote :

src:gnutls26 in lenny and squeeze are also affected (but I don’t know how hard it’ll be to get a fix in).

gnutls-bin is built from src:gnutls28 in wheezy/sid, which is not affected, so I cannot test there. Best to assume it’s probably also affected.

Thorsten Glaser (mirabilos) wrote :

And finally, the trivial debdiff against that other LTS version, also tested.

Applying this to the Debian packages is equally as trivial and just works the same; tested this exemplarily with squeeze. Andreas, I’ll leave it to you whether this warrants an spu.

Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

Thorsten Glaser (mirabilos) wrote:
> gnutls-bin is built from src:gnutls28 in wheezy/sid, which is not affected, so I cannot test there. Best
> to assume it’s probably also affected.

I will upload fixed packages to sid soonish.

FWIW libgnutls26-dbg contains gnutls-cli linked against gnutls26.

cu andreas

Sebastien Bacher (seb128) wrote :

Thanks for your work, could you update the bug with the infos required for a stable update:
https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

the important one there is having a testcase to be able to test the fix, as well as describing the impact and the regression potential

Note that Debian uploaded a fix today:
http://packages.qa.debian.org/g/gnutls26/news/20120607T173257Z.html

I will backport that change to quantal after the alpha1 freeze, then we can work on stable updates for precise (as well as other series if needed)

Thorsten Glaser (mirabilos) wrote :

Thanks Andreas, yes, with gnutls-cli from libgnutls26-dbg the issue can be reproduced on wheezy.

Sebastien, I’ve provided debdiffs against the current versions of all packages
in *buntu, not sure what more I can provide. I cannot grant anyone access to
the company’s internal LDAP server, but effectively, if you generate two CA
certificates (#1 and #2) with the same DN and hash, then sign the LDAP server’s
certificate (#3) with #2, not #1, GnuTLS 2.x will not validate it. That should
be sufficient information to reproduce.

Sorry, I’ve been a bit fed up with *buntu issue handling and feel the package
maintainers on the *buntu side could actually do such maintenance tasks by
themselves. I’ve rolled out the packages from the patched source with the
exact patches I applied save the version number (used a local suffix that
sorts lower than any *buntu update) in the company’s internal APT repository
for now.

(Also see the discussion on the gnutls mailing list; the patch was provided
by upstream.)
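The test case from the bug description, and Thorsten's restatement of it in the comment above, as a script added here (it is not from the bug report or from the GnuTLS project). It assumes openssl is on PATH and uses constructed DNs and hostnames; OpenSSL only builds the files and acts as a reference verifier, and the resulting bundle.pem and srv.pem are what you then hand to the GnuTLS client under test (for instance gnutls-cli --x509cafile bundle.pem) to check the fixed package.

```shell
#!/bin/sh
# Added example, not part of the bug report: two CAs with the same subject DN,
# a server cert signed by CA #2 only, and a bundle that lists CA #1 first.
# Assumptions: openssl is in PATH; DNs and hostnames below are constructed.
set -u
# Minimal OpenSSL config so the script does not depend on a system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
authorityKeyIdentifier = keyid
subjectKeyIdentifier = hash
EOF
}
# make_fixture DIR: CA #1 and #2 (identical DN, different keys), server cert #3
# signed by #2 only, and bundle.pem = #1 followed by #2.
make_fixture() {
  d=$1; cnf=$d/openssl.cnf
  mkdir -p "$d" && write_cnf "$cnf" || return 1
  for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
      -extensions ca_ext -subj "/O=Example/CN=Test CA" \
      -keyout "$d/ca$n.key" -out "$d/ca$n.pem" >/dev/null 2>&1 || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=ldap.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca2.pem" -CAkey "$d/ca2.key" \
    -CAcreateserial -days 1 -extfile "$cnf" -extensions srv_ext \
    -out "$d/srv.pem" >/dev/null 2>&1 || return 1
  cat "$d/ca1.pem" "$d/ca2.pem" > "$d/bundle.pem"
}
# verify_with CAFILE CERT: exit 0 if CERT chains to a CA in CAFILE, else non-zero.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Stand-alone run: "#1 alone" must fail (it never signed #3); "bundle" must pass,
# which is the case the unfixed GnuTLS 2.x got wrong.
if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d) && make_fixture "$dir" || exit 1
  verify_with "$dir/ca1.pem" "$dir/srv.pem" && echo "#1 alone: OK" || echo "#1 alone: FAIL"
  verify_with "$dir/bundle.pem" "$dir/srv.pem" && echo "bundle: OK" || echo "bundle: FAIL"
fi
```

Run the script with the single argument `run`; the generated files stay in the temporary directory it prints nothing about, so pass a fixed directory to make_fixture if you want to reuse the bundle against a GnuTLS client.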

Sebastien Bacher (seb128) wrote :

> Sebastien, I’ve provided debdiffs against the current versions of all packages in *buntu, not sure what more I can provide.

thanks for your work, what is usually needed, as mentioned before, is a testcase (i.e. a way for the SRU team to reproduce the bug so they can verify the fix validity)

> Sorry, I’ve been a bit fed up with *buntu issue handling and feel the package maintainers on the *buntu side could actually do such maintenance tasks by themselves.

that's wrongly worded, you are "fed up" that Ubuntu doesn't have enough resources to have an active maintainer for every source in the archive; I can understand the frustration, we would like to get extra contributors as well.

We do appreciate the help you are providing to get those fixes though

Changed in gnutls26 (Ubuntu):
importance: Undecided → High
Changed in gnutls26 (Debian):
status: New → Fix Released
Changed in gnutls26 (Ubuntu Precise):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu4

---------------
gnutls26 (2.12.14-5ubuntu4) quantal; urgency=low

  * Apply upstream patch to fix validation of certificates when more than
    one with the same short hash exists in the CA bundle (LP: #1003841).
 -- Thorsten Glaser <email address hidden> Thu, 24 May 2012 11:19:12 +0200

Changed in gnutls26 (Ubuntu):
status: New → Fix Released
Changed in gnutls26 (Ubuntu Precise):
status: New → Fix Committed
description: updated
Sebastien Bacher (seb128) wrote :

I've uploaded the patch (renamed to use the same name as Debian to make the diff a bit smaller when we merge with them next time) to quantal, precise and oneiric. I will leave the sponsors subscribed in case somebody wants to sponsor it for older series, since I don't have an install of those handy to test it there and I prefer not to SRU something to lucid that I can't test.

Changed in gnutls26 (Ubuntu Oneiric):
importance: Undecided → High
status: New → Fix Committed
Changed in gnutls26 (Ubuntu Lucid):
importance: Undecided → High
Changed in gnutls13 (Ubuntu Lucid):
status: New → Invalid
Changed in gnutls13 (Ubuntu Oneiric):
status: New → Invalid
Changed in gnutls13 (Ubuntu Precise):
status: New → Invalid
Changed in gnutls13 (Ubuntu):
status: New → Invalid
Thorsten Glaser (mirabilos) wrote :

OK, that’s fair. Thanks nevertheless!

Sorry, I won’t be becoming a contributor any time soon though, I’ve got my hands
full with MirBSD, FreeWRT, Debian, and other things. But yes, lack of manpower
is probably the issue (lack of QA too though; part of the frustration stems from
handling of fusionforge which is regularly broken, and having to deal with the
bugreports of that on the upstream side). Nothing personal.

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Thorsten, or anyone else affected,

Accepted gnutls26 into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Thorsten Glaser (mirabilos) wrote :

Fixed package from precise-proposed confirmed to work and fix the bug, thanks!

tags: removed: verification-needed
James Page (james-page)
Changed in gnutls26 (Ubuntu Precise):
milestone: none → ubuntu-12.04.1
Steve Langasek (vorlon)
tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.1

---------------
gnutls26 (2.12.14-5ubuntu3.1) precise-proposed; urgency=low

  * Apply upstream patch to fix validation of certificates when more than
    one with the same short hash exists in the CA bundle (LP: #1003841).
 -- Thorsten Glaser <email address hidden> Thu, 24 May 2012 11:19:12 +0200

Changed in gnutls26 (Ubuntu Precise):
status: Fix Committed → Fix Released
Stéphane Graber (stgraber) wrote :

Can someone update the description to contain a step-by-step testcase?
This would make it much easier to test the SRU in Oneiric and the upcoming ones for Hardy and Lucid.

no longer affects: gnutls26 (Ubuntu Hardy)
Stéphane Graber (stgraber) wrote :

Uploaded hardy and lucid. Unsubscribing sponsors.

Changed in gnutls26 (Ubuntu Lucid):
status: New → In Progress
Changed in gnutls13 (Ubuntu Hardy):
status: New → In Progress
Clint Byrum (clint-fewbar) wrote :

Hello Thorsten, or anyone else affected,

Accepted gnutls13 into hardy-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls13 (Ubuntu Hardy):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Thorsten Glaser (mirabilos) wrote :

Clint,

sorry for the delay. I can confirm gnutls-bin plus libgnutls13 2.0.4-1ubuntu2.8 from hardy-proposed fix my problem.

Thanks!

tags: added: verification-done
removed: verification-needed
Adam Conrad (adconrad) wrote :

Hello Thorsten, or anyone else affected,

Accepted gnutls26 into lucid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.8.5-2ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Adam Conrad (adconrad) wrote :

Hello Thorsten, or anyone else affected,

Accepted gnutls26 into oneiric-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.10.5-1ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Clint Byrum (clint-fewbar) wrote :

Thanks Thorsten, the fix for hardy should progress to hardy-updates in a few days.

tags: added: verification-done verification-done-hardy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls13 - 2.0.4-1ubuntu2.8

---------------
gnutls13 (2.0.4-1ubuntu2.8) hardy-proposed; urgency=low

  * Apply upstream patch to fix validation of certificates when more than
    one with the same short hash exists in the CA bundle (LP: #1003841).
 -- Thorsten Glaser <email address hidden> Thu, 31 May 2012 13:48:18 +0200

Changed in gnutls13 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Scott Kitterman (kitterman) wrote :

Can anyone verify this on lucid and oneiric?

tags: removed: verification-done verification-done-hardy
Thorsten Glaser (mirabilos) wrote :

I can do lucid, and oneiric in a chroot.

Thorsten Glaser (mirabilos) wrote :

I can confirm the following packages fix the bug:

libgnutls26 (2.10.5-1ubuntu3.2)

libgnutls26 (2.8.5-2ubuntu0.2)

Clint Byrum (clint-fewbar) wrote :

Thanks for testing Thorsten!

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.8.5-2ubuntu0.2

---------------
gnutls26 (2.8.5-2ubuntu0.2) lucid-proposed; urgency=low

  * Apply upstream patch to fix validation of certificates when more than
    one with the same short hash exists in the CA bundle (LP: #1003841).
 -- Thorsten Glaser <email address hidden> Thu, 31 May 2012 14:07:11 +0200

Changed in gnutls26 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.10.5-1ubuntu3.2

---------------
gnutls26 (2.10.5-1ubuntu3.2) oneiric-proposed; urgency=low

  * Apply upstream patch to fix validation of certificates when more than
    one with the same short hash exists in the CA bundle (LP: #1003841).
 -- Thorsten Glaser <email address hidden> Thu, 24 May 2012 11:10:16 +0200

Changed in gnutls26 (Ubuntu Oneiric):
status: Fix Committed → Fix Released