Segfault with OpenSSL 1.1.1n and newer #1090

Closed
snoopcatt opened this issue Jul 2, 2022 · 14 comments

@snoopcatt

Hello, I've encountered a problem.
After my system has updated to OpenSSL 1.1.1n from 1.1.1k, my DigiDoc4 client segfaults when trying to open any signed container.

Downgrading to libssl 1.1.1k solves the problem, but it is not a reliable and secure way, I guess.
OS is Debian 11 Bullseye, open-eid from Ubuntu Focal repos.

Tried to re-compile qdigidoc4 from sources with the system version of libssl, but the result is the same - Segmentation fault.

I will attach:

  1. diagnostics file
    qdigidoc4_4.2.11.110_diagnostics.txt

  2. gdb backtrace
    backtrace.txt

I also have a core dump, but GitHub does not allow me to upload it because of the maximum 25MB file size.
If the core dump is useful to someone, I can upload it to my home server and share a link.

@metsma
Contributor

metsma commented Jul 2, 2022

@metsma closed this as completed Jul 2, 2022

@maltfield

maltfield commented Jul 20, 2022

@metsma any eta on when this will be released to the debian repos?

@maltfield

@snoopcatt can you please provide the command you used to downgrade openssl as a workaround?

@metsma
Contributor

metsma commented Jul 20, 2022

> @metsma any eta on when this will be released to the debian repos?

RIA provides only official builds to Ubuntu.
Here is the list of community-supported Linux distributions: https://github.com/open-eid/linux-installer/wiki/Linux-Packages

@maltfield

@metsma yes, sorry Debian uses the Ubuntu repo

user@estonia:~$ cat /etc/apt/sources.list.d/ria-repository.list 
deb https://installer.id.ee/media/ubuntu/ bionic main
user@estonia:~$ 

I meant to ask: any eta on when this will be released to the ubuntu bionic repo?

@metsma
Contributor

metsma commented Jul 20, 2022

I think it just got published: https://installer.id.ee/media/ubuntu/pool/main/libd/libdigidocpp/

@maltfield

@metsma I just installed today (I have to install it fresh every time I boot my computer because there's an outstanding bug in the repos that blocks Tor users), and I'm still getting a SegFault.

user@estonia:~$ dpkg -l | grep -i digidoc
ii  libdigidocpp-common                   3.14.8.1420-1804                        all          DigiDoc digital signature library common files
ii  libdigidocpp-tools                    3.14.8.1420-1804                        amd64        DigiDoc digital signature library tools
ii  libdigidocpp1:amd64                   3.14.8.1420-1804                        amd64        DigiDoc digital signature library
ii  qdigidoc4                             4.2.11.110-1804                         amd64        Estonian digital signature application
user@estonia:~$ 

PS Any way you can ensure someone fixes the web server? Should I open an issue here instead?

@metsma
Contributor

metsma commented Jul 20, 2022

https://installer.id.ee/media/ubuntu/dists/bionic/main/binary-amd64/Packages
seems to be up to date. Maybe there is some cache involved?
Everything involved with infra should go to https://www.id.ee/id-abikeskus/.

@maltfield

looks like I was able to upgrade to 3.14.9 today

user@estonia:~/Downloads$ dpkg -l | grep -i digidoc
ii  libdigidocpp-common                   3.14.8.1420-1804                        all          DigiDoc digital signature library common files
ii  libdigidocpp-tools                    3.14.8.1420-1804                        amd64        DigiDoc digital signature library tools
ii  libdigidocpp1:amd64                   3.14.8.1420-1804                        amd64        DigiDoc digital signature library
ii  qdigidoc4                             4.2.11.110-1804                         amd64        Estonian digital signature application
user@estonia:~/Downloads$ 

user@estonia:~/Downloads$ sudo apt-get update && sudo apt-get install libdigidocpp-common
Hit:1 https://deb.debian.org/debian buster InRelease                                                                                     
Hit:2 https://deb.debian.org/debian-security buster/updates InRelease                                   
Hit:3 https://installer.id.ee/media/ubuntu bionic InRelease                                             
Hit:4 https://deb.qubes-os.org/r4.1/vm buster InRelease     
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ethtool linux-image-4.19.0-10-amd64
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libdigidocpp-tools libdigidocpp1
The following packages will be upgraded:
  libdigidocpp-common libdigidocpp-tools libdigidocpp1
3 upgraded, 0 newly installed, 0 to remove and 28 not upgraded.
Need to get 774 kB of archives.
After this operation, 1,024 B disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 https://installer.id.ee/media/ubuntu bionic/main amd64 libdigidocpp-tools amd64 3.14.9.1426-1804 [250 kB]
Get:2 https://installer.id.ee/media/ubuntu bionic/main amd64 libdigidocpp1 amd64 3.14.9.1426-1804 [504 kB]                                          
Get:3 https://installer.id.ee/media/ubuntu bionic/main amd64 libdigidocpp-common all 3.14.9.1426-1804 [19.6 kB]                                     
Fetched 774 kB in 40s (19.2 kB/s)                                                                                                                   
Reading changelogs... Done
(Reading database ... 268951 files and directories currently installed.)
Preparing to unpack .../libdigidocpp-tools_3.14.9.1426-1804_amd64.deb ...
Unpacking libdigidocpp-tools (3.14.9.1426-1804) over (3.14.8.1420-1804) ...
Preparing to unpack .../libdigidocpp1_3.14.9.1426-1804_amd64.deb ...
Unpacking libdigidocpp1:amd64 (3.14.9.1426-1804) over (3.14.8.1420-1804) ...
Preparing to unpack .../libdigidocpp-common_3.14.9.1426-1804_all.deb ...
Unpacking libdigidocpp-common (3.14.9.1426-1804) over (3.14.8.1420-1804) ...
Setting up libdigidocpp-common (3.14.9.1426-1804) ...
Setting up libdigidocpp1:amd64 (3.14.9.1426-1804) ...
Setting up libdigidocpp-tools (3.14.9.1426-1804) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10+deb10u1) ...
Scanning processes...                                                                                                                                
Scanning linux images...                                                                                                                             

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.
user@estonia:~/Downloads$ 

user@estonia:~/Downloads$ dpkg -l | grep -i digidoc
ii  libdigidocpp-common                   3.14.9.1426-1804                        all          DigiDoc digital signature library common files
ii  libdigidocpp-tools                    3.14.9.1426-1804                        amd64        DigiDoc digital signature library tools
ii  libdigidocpp1:amd64                   3.14.9.1426-1804                        amd64        DigiDoc digital signature library
ii  qdigidoc4                             4.2.12.118-1804                         amd64        Estonian digital signature application
user@estonia:~/Downloads$ 

@maltfield

I confirmed that I can now sign the document in qdigidoc4, but I still get the same error in the web browser when attempting to sign my annual report. And as far as I know, the workflow for signing an annual report in Estonia doesn't permit you to sign it locally with qdigidoc4 and then upload it 🤦 https://ariregister.rik.ee/eng

I upgraded the firefox extension "PKCS11 loader" to the latest versions as well

user@estonia:~$ sudo dpkg -l | grep -i firefox
ii  firefox-esr                           91.11.0esr-1~deb10u1                    amd64        Mozilla Firefox web browser - Extended Support Release (ESR)
ii  firefox-pkcs11-loader                 3.13.6.1084-1804                        all          Firefox PKCS#11 module loader
ii  web-eid-firefox                       2.0.0.552-1804                          all          Web eID browser extension for Firefox
user@estonia:~$

user@estonia:~$ sudo apt-get install web-eid-firefox firefox-pkcs11-loader
...
user@estonia:~$

user@estonia:~$ sudo dpkg -l | grep -i firefox
ii  firefox-esr                           91.11.0esr-1~deb10u1                    amd64        Mozilla Firefox web browser - Extended Support Release (ESR)
ii  firefox-pkcs11-loader                 3.13.6.1084-1804                        all          Firefox PKCS#11 module loader
ii  web-eid-firefox                       2.0.2.565-1804                          all          Web eID browser extension for Firefox
user@estonia:~$ 

...But I still get the same error from RIK's website:

Signing failed. Please make sure the ID-card software is installed and updated and web browsers are configured correctly. Further guidance
...
Signing interrupted (Signing failed. Please make sure the ID-card software is installed and updated and web browsers are configured correctly. Further guidance).

I assumed this was related to the SegFault, but I don't know. And I'm not sure how to find out because the firefox plugin doesn't have any sort of logging. I created a request for that here:

@metsma
Contributor

metsma commented Jul 20, 2022

Web-eid component code is located here: http://github.com/web-eid

@maltfield

maltfield commented Jul 20, 2022

> Web-eid component code is located here: http://github.com/web-eid

I don't really know what that means. Sorry, I think I need a map to navigate through this maze of projects and repos.

Is there a glossary of terms that breaks down the difference between things like:

  1. Web-eid
  2. Mobile ID
  3. Smart-ID
  4. open-eid
  5. PKCS11 Loader
  6. etc

@metsma
Contributor

metsma commented Jul 20, 2022

I think the best source is https://open-eid.github.io to identify all the components of this software package.

@maltfield

See also web-eid/web-eid-webextension#41
