error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading

Bug #1975626 reported by Athos Ribeiro
This bug affects 2 people
Affects            Status        Importance  Assigned to     Milestone
php8.1 (Ubuntu)    Fix Released  Undecided   Athos Ribeiro
  Jammy            Fix Released  Undecided   Athos Ribeiro
  Kinetic          Fix Released  Undecided   Athos Ribeiro

Bug Description

[Impact]

The unexpected EOF failure was introduced in OpenSSL 3 to prevent
truncation attacks (a peer closing the connection without sending a close_notify alert).

Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.

This upload should fix this bug by applying the following upstream patch:
https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
which keeps SSL connection behavior consistent between different OpenSSL versions.

This is done by setting OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF option. See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF for further reference.
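The trade-off described above, as an added example that is not code from the bug report, from PHP or from Ubuntu: with SSL_OP_IGNORE_UNEXPECTED_EOF set, a peer that drops the TCP connection without a close_notify alert no longer makes the read fail, so the application loses the TLS layer's only signal that a response was cut short. The script below shows, using Python's ssl module as a stand-in for PHP's streams, how a client sets that same OpenSSL option (the constant ssl.OP_IGNORE_UNEXPECTED_EOF only exists on Python 3.10+ linked against OpenSSL 3), and then restores a completeness check at the HTTP layer by validating Content-Length or chunked framing. All response bytes are constructed samples; the function and class names are this example's own.

```python
"""Added example: relax OpenSSL's EOF check, then verify HTTP framing instead."""
import ssl


def eof_option_available() -> bool:
    """True only when Python is built against OpenSSL 3 (Python 3.10+)."""
    return hasattr(ssl, "OP_IGNORE_UNEXPECTED_EOF")


def tolerant_client_context() -> ssl.SSLContext:
    """Client context that, like the patched PHP, tolerates an abrupt EOF."""
    ctx = ssl.create_default_context()
    # On OpenSSL 1.1 builds the option does not exist, and those builds never
    # raised on an abrupt close in the first place, so nothing needs setting.
    flag = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", None)
    if flag is not None:
        ctx.options |= flag
    return ctx


def ignores_unexpected_eof(ctx: ssl.SSLContext) -> bool:
    """True when the context carries the option (False on OpenSSL 1.1 builds)."""
    flag = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", None)
    return flag is not None and bool(ctx.options & flag)


class TruncatedResponse(Exception):
    """Raised when HTTP framing cannot prove the body arrived in full."""


def _dechunk(body: bytes) -> bytes:
    """Decode chunked transfer-encoding; the terminating zero chunk must be present."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise TruncatedResponse("chunk-size line missing: stream cut short")
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)          # last-chunk seen: body is complete
        if len(body) < pos + size + 2:
            raise TruncatedResponse("chunk data cut short")
        out += body[pos:pos + size]
        pos += size + 2                # skip the CRLF that follows the chunk data


def check_http_body(raw: bytes) -> bytes:
    """Return the body only if the message framing proves it is complete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise TruncatedResponse("headers incomplete")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return _dechunk(body)
    if b"content-length" in headers:
        expected = int(headers[b"content-length"])
        if len(body) < expected:
            raise TruncatedResponse(f"got {len(body)} of {expected} bytes")
        return body[:expected]
    # Read-until-close framing: without close_notify there is no way to tell a
    # complete body from a truncated one, so treat it as unverifiable.
    raise TruncatedResponse("no length framing; completeness cannot be verified")


def is_complete(raw: bytes) -> bool:
    """Boolean wrapper around check_http_body for callers that only need a verdict."""
    try:
        check_http_body(raw)
        return True
    except TruncatedResponse:
        return False


# Constructed sample responses (what a client sees after TLS decryption).
COMPLETE = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
CUT_SHORT = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello"
CHUNKED_OK = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
CHUNKED_CUT = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"5\r\nhello\r\n6\r\n world\r\n")
UNFRAMED = b"HTTP/1.0 200 OK\r\n\r\nhello world"

if __name__ == "__main__":
    ctx = tolerant_client_context()
    print("OpenSSL EOF check relaxed:", ignores_unexpected_eof(ctx))
    for name, sample in [("complete", COMPLETE), ("cut short", CUT_SHORT),
                         ("chunked ok", CHUNKED_OK), ("chunked cut", CHUNKED_CUT),
                         ("unframed", UNFRAMED)]:
        print(f"{name:12s} -> {'ok' if is_complete(sample) else 'TRUNCATED'}")
```

The point of the HTTP-layer check is that once the TLS EOF guard is switched off, a response without Content-Length or chunked framing (the HTTP/1.0 read-until-close case) is indistinguishable from a truncated one, so a client that relies on the relaxed option should treat such bodies as unverified rather than silently accepting them.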

[Test Plan]

We can test a fix for this bug with the following PHP script (it fetches a text file over HTTPS from a server that closes the connection without sending close_notify):

# BEGIN #
<?php

$lines = file('https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=11.05.2020', FILE_IGNORE_NEW_LINES);

var_dump($lines);
# END #

A successful run of this reproducer script should not produce output on STDERR. On the other hand, a failure (i.e., running the script with an affected version of PHP) should generate:

# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /reproduce.php on line 3
PHP Warning: file(): SSL: Success in /reproduce.php on line 3

on STDERR (STDOUT is discarded by the redirect to /dev/null).

[Where problems could occur]

Apart from possible compatibility issues with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 check was trying to prevent. Still, we need to compromise between having the latest OpenSSL features and supporting applications which have not yet fully transitioned to OpenSSL 3.

If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 behaviour. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.

Finally, I did consult the security team on this and was told that it should be OK to SRU the patch.

[Other Info]

This fix was included in the last kinetic merge and therefore is already fixed in our development release.

[ Original bug report ]

As reported in [1] and [2],

OpenSSL 3 is more strict about unexpected EOF (not sending close notify). This may be an issue for servers with non-compliant implementations.

A fix for the issue is available at [3].

[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558

tags: added: server-todo
Changed in php8.1 (Ubuntu Kinetic):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in php8.1 (Ubuntu Jammy):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php8.1 - 8.1.5-1ubuntu1

---------------
php8.1 (8.1.5-1ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1978364). Remaining changes:
    - Force upgrade from earlier mod-php's to version 8.1 (LP #1890263):
      + d/control: add transitional packages and Breaks/Replaces.
      + d/rules: exclude transitional packages in dh_install.
    - d/rules: Don't fill up build log with pedantic warnings.
    - d/p/0046-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
      function attributes. (LP #1882279)
    - d/rules: document garbage collection in ini files. (LP #1772915)
  * Dropped changes:
    - SECURITY UPDATE: use-after-free in php_filter_float()
      + debian/patches/CVE-2021-21708.patch: fix int handling in
        ext/filter/logical_filters.c, ext/filter/tests/bug81708.phpt.
      + CVE-2021-21708
      [ Fixed in 8.1.3-1 ]
  * New changes:
    - d/p/0047-Fix-ssl3-unexpected-eof.patch: fix OpenSSL3 related
      unexpected EOF failure. (LP: #1975626)

 -- Athos Ribeiro <email address hidden> Sat, 11 Jun 2022 00:08:45 -0300

Changed in php8.1 (Ubuntu Kinetic):
status: New → Fix Released
description: updated
description: updated
description: updated
Changed in php8.1 (Ubuntu Jammy):
status: New → In Progress
Steve Langasek (vorlon) wrote :

Unfortunately, this version number has been burned by an additional security update of php8.1. Please rebase your changes on 8.1.2-1ubuntu2.2 from the archive and reupload.

Athos Ribeiro (athos-ribeiro) wrote :

Thanks, Steve.

I rebased the changes and re-uploaded the package.

Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Athos, or anyone else affected,

Accepted php8.1 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in php8.1 (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (php8.1/8.1.2-1ubuntu2.3)

All autopkgtests for the newly accepted php8.1 (8.1.2-1ubuntu2.3) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

php-luasandbox/4.0.2-3build1 (ppc64el, amd64)
composer/2.2.6-2ubuntu4 (s390x, ppc64el, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#php8.1

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Athos Ribeiro (athos-ribeiro) wrote :

I verified this fix by using the test script in the SRU template. Running the script without the fix outputs:

php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /root/reproduce.php on line 3
PHP Warning: file(): SSL: Success in /root/reproduce.php on line 3

After installing the package in proposed (8.1.2-1ubuntu2.3), re-running the script does not print anything to STDERR, which confirms the fix.

I am verifying the autopkgtest failures now.

Athos Ribeiro (athos-ribeiro) wrote :

I re-triggered the flaky failures. The composer ones are also failing for the migration-reference/0, therefore I will file a separate bug to handle it. We can proceed with this fix.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Athos Ribeiro (athos-ribeiro) wrote :

I filed LP: #1986843 to track the composer dep8 failures.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php8.1 - 8.1.2-1ubuntu2.3

---------------
php8.1 (8.1.2-1ubuntu2.3) jammy; urgency=medium

  * d/p/0046-Fix-ssl3-unexpected-eof.patch: fix OpenSSL3 related unexpected
    EOF failure. This patch was originally introduced in PHP 8.1.7 to maintain
    compatibility with servers that are not yet compatible with new OpenSSL 3
    changes. This lack of compatibility would result in errors like
    "error:0A000126:SSL routines::unexpected eof while reading in LOCATION".
    (LP: #1975626)

 -- Athos Ribeiro <email address hidden> Mon, 15 Aug 2022 09:24:10 -0300

Changed in php8.1 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for php8.1 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
