[Bug 1066032] Re: Deadlock when reading a public key
Brian Murray
brian at ubuntu.com
Mon Apr 15 14:57:10 UTC 2013
Hello Ivo, or anyone else affected,
Accepted openssl into quantal-proposed. The package will build now and
be available at
http://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.4 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Your feedback will aid us in getting this update
out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: openssl (Ubuntu Quantal)
Status: In Progress => Fix Committed
** Tags added: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1066032
Title:
Deadlock when reading a public key
Status in OpenSSL cryptography and SSL/TLS toolkit:
Fix Released
Status in “openssl” package in Ubuntu:
Fix Released
Status in “openssl” source package in Precise:
In Progress
Status in “openssl” source package in Quantal:
Fix Committed
Status in “openssl” source package in Raring:
Fix Released
Bug description:
[SRU request]
[Impact]
A deadlock exists in the public key decoding code of openssl in Precise and Quantal. Users of openssl in environments where a large number of keys are being processed may hit it, causing the application to hang. This has been fixed in the development release by backporting a trivial patch from upstream.
[Test Case]
There is currently no known reliable way of reproducing the deadlock.
The openssl test suite passes with the patch, and the QRT scripts have been run successfully.
[Regression Potential]
The patch is trivial, and shouldn't cause any regressions. It has been used in a couple of upstream releases so far. If the patch does introduce a regression, it would affect public key decoding and would be apparent.
Original report:
We're experiencing deadlocks in Ubuntu 12.04 at our customers. After some investigation, a known bug in OpenSSL 1.0.1c (and other versions) is causing this. The bug itself was known since one day after this release (11th of May this year).
OpenSSL bug report:
http://rt.openssl.org/Ticket/Display.html?id=2813&user=guest&pass=guest
Commit that fixes the issue in OpenSSL 1.0.1:
http://cvs.openssl.org/chngview?cn=22570
For now, we're distributing a modified version of the OpenSSL packages
for Ubuntu, but of course we're not the only ones with this bug.