Summary: | openssl dumps core in 10.3-RELEASE-p7 during build of security/ca_root_nss | | |
---|---|---|---|
Product: | Base System | Reporter: | Philip Homburg <pch-freebsd-bugs-1> |
Component: | bin | Assignee: | Xin LI <delphij> |
Status: | Closed Overcome By Events | | |
Severity: | Affects Many People | CC: | cmt, delphij, elij+freebsd, freebsd, jbeich, jkim, public2016 |
Priority: | --- | Keywords: | patch |
Version: | 10.3-RELEASE | | |
Hardware: | Any | | |
OS: | Any | | |

Description
Philip Homburg
2016-09-23 12:03:46 UTC
This is how the build stops with poudriere:

```
...
===========================================================================
=======================<phase: build >============================
===> Building for ca_root_nss-3.26
## Untrusted certificates omitted from this bundle: 20
openssl x509 failed with exit code 11 at /wrkdirs/usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 78.
*** Error code 255
Stop.
make: stopped in /usr/ports/security/ca_root_nss
====>> Cleaning up wrkdir
===> Cleaning for ca_root_nss-3.26
build of security/ca_root_nss ended at Fri Sep 23 13:58:19 CEST 2016
build time: 00:00:25
!!! build failure encountered !!!
```

I can reproduce the problem with the last FreeBSD-SA-16:26.openssl applied.

It appears that this bug can be triggered by the data for two StartCom certs:

```
# Certificate "StartCom Certification Authority"
# Certificate "StartCom Certification Authority G2"
```

Commenting out those two chunks of certificate and trust data results in 'perl work/MAca-bundle.pl < work/certdata.txt' finishing successfully.

Created attachment 175115
An upstream patch to fix the problem

Please try this patch.

This upstream patch fixed the problem for me.
https://github.com/openssl/openssl/commit/3612ff6

(In reply to Jung-uk Kim from comment #4)
Confirmed: that patch fixes the issue here.

A commit references this bug:

```
Author: delphij
Date: Mon Sep 26 08:19:34 UTC 2016
New revision: 306335
URL: https://svnweb.freebsd.org/changeset/base/306335

Log:
  Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:

  Fix overflow check in BN_bn2dec()
  Fix an off by one error in the overflow check added by 07bed46
  ("Check for errors in BN_bn2dec()").

  This fixes a regression introduced in SA-16:26.openssl.

  Submitted by: jkim
  PR: 212921

Changes:
  stable/9/crypto/openssl/crypto/bn/bn_print.c
```

A commit references this bug:

```
Author: delphij
Date: Mon Sep 26 08:21:30 UTC 2016
New revision: 306336
URL: https://svnweb.freebsd.org/changeset/base/306336

Log:
  Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:

  Fix overflow check in BN_bn2dec()
  Fix an off by one error in the overflow check added by 07bed46
  ("Check for errors in BN_bn2dec()").

  This fixes a regression introduced in SA-16:26.openssl.

  Submitted by: jkim
  PR: 212921
  Approved by: so

Changes:
  releng/10.1/UPDATING
  releng/10.1/crypto/openssl/crypto/bn/bn_print.c
  releng/10.1/sys/conf/newvers.sh
  releng/10.2/UPDATING
  releng/10.2/crypto/openssl/crypto/bn/bn_print.c
  releng/10.2/sys/conf/newvers.sh
  releng/10.3/UPDATING
  releng/10.3/crypto/openssl/crypto/bn/bn_print.c
  releng/10.3/sys/conf/newvers.sh
  releng/9.3/UPDATING
  releng/9.3/crypto/openssl/crypto/bn/bn_print.c
  releng/9.3/sys/conf/newvers.sh
```

Surprisingly, it still fails in poudriere with p8. No problem directly on hardware.

```
====>> Building security/ca_root_nss
build started at Mon Sep 26 11:22:03 CEST 2016
port directory: /usr/ports/security/ca_root_nss
building for: FreeBSD 10-3amd64-local-job-01 10.3-RELEASE-p8 FreeBSD 10.3-RELEASE-p8 amd64
maintained by: ports-secteam@FreeBSD.org
Makefile ident: $FreeBSD: head/security/ca_root_nss/Makefile 422682 2016-09-23 14:59:28Z mat $
Poudriere version: 3.1.14
Host OSVERSION: 1003000
Jail OSVERSION: 1003000

---Begin Environment---
SHELL=/bin/csh
UNAME_v=FreeBSD 10.3-RELEASE-p8
UNAME_r=10.3-RELEASE-p8
BLOCKSIZE=K
MAIL=/var/mail/root
STATUS=1
ARCH=amd64
SAVED_TERM=screen
MASTERMNT=/usr/local/poudriere/data/.m/10-3amd64-local/ref
UID=0
FORCE_PACKAGE=yes
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
_JAVA_VERSION_LIST_REGEXP=1.6\|1.7\|1.8\|1.6+\|1.7+\|1.8+
POUDRIERE_BUILD_TYPE=bulk
PKGNAME=ca_root_nss-3.26
OSREL=10.3
_OSRELEASE=10.3-RELEASE-p8
PYTHONBASE=/usr/local
OLDPWD=/
_SMP_CPUS=8
PWD=/usr/local/poudriere/data/.m/10-3amd64-local/ref/.p/pool
HAVE_COMPAT_IA32_KERN=YES
OPSYS=FreeBSD
MASTERNAME=10-3amd64-local
SCRIPTPREFIX=/usr/local/share/poudriere
_JAVA_VENDOR_LIST_REGEXP=openjdk\|oracle\|sun
USER=root
HOME=/root
POUDRIERE_VERSION=3.1.14
SCRIPTPATH=/usr/local/share/poudriere/bulk.sh
CONFIGURE_MAX_CMD_LEN=262144
LIBEXECPREFIX=/usr/local/libexec/poudriere
LOCALBASE=/usr/local
PACKAGE_BUILDING=yes
_JAVA_OS_LIST_REGEXP=native\|linux
OSVERSION=1003000
---End Environment---

---Begin OPTIONS List---
===> The following configuration options are available for ca_root_nss-3.26:
     ETCSYMLINK=off: Add symlink to /etc/ssl/cert.pem
===> Use 'make config' to modify these settings
---End OPTIONS List---

--CONFIGURE_ARGS--
--End CONFIGURE_ARGS--

--CONFIGURE_ENV--
ac_cv_path_PERL=/usr/local/bin/perl
ac_cv_path_PERL_PATH=/usr/local/bin/perl
XDG_DATA_HOME=/wrkdirs/usr/ports/security/ca_root_nss/work
XDG_CONFIG_HOME=/wrkdirs/usr/ports/security/ca_root_nss/work
HOME=/wrkdirs/usr/ports/security/ca_root_nss/work
TMPDIR="/tmp"
SHELL=/bin/sh
CONFIG_SHELL=/bin/sh
--End CONFIGURE_ENV--

--MAKE_ENV--
OPENSSLBASE=/usr
OPENSSLDIR=/etc/ssl
OPENSSLINC=/usr/include
OPENSSLLIB=/usr/lib
XDG_DATA_HOME=/wrkdirs/usr/ports/security/ca_root_nss/work
XDG_CONFIG_HOME=/wrkdirs/usr/ports/security/ca_root_nss/work
HOME=/wrkdirs/usr/ports/security/ca_root_nss/work
TMPDIR="/tmp"
NO_PIE=yes
WITHOUT_DEBUG_FILES=yes
WITHOUT_KERNEL_SYMBOLS=yes
SHELL=/bin/sh
NO_LINT=YES
PREFIX=/usr/local
LOCALBASE=/usr/local
LIBDIR="/usr/lib"
CC="cc"
CFLAGS="-O2 -pipe -fstack-protector -fno-strict-aliasing"
CPP="cpp"
CPPFLAGS=""
LDFLAGS=" -fstack-protector"
LIBS=""
CXX="c++"
CXXFLAGS="-O2 -pipe -fstack-protector -fno-strict-aliasing "
MANPREFIX="/usr/local"
BSD_INSTALL_PROGRAM="install -s -m 555"
BSD_INSTALL_LIB="install -s -m 444"
BSD_INSTALL_SCRIPT="install -m 555"
BSD_INSTALL_DATA="install -m 0644"
BSD_INSTALL_MAN="install -m 444"
--End MAKE_ENV--

--PLIST_SUB--
CERTDIR=share/certs
ETCSYMLINK="@comment "
NO_ETCSYMLINK=""
OSREL=10.3
PREFIX=%D
LOCALBASE=/usr/local
RESETPREFIX=/usr/local
PORTDOCS=""
PORTEXAMPLES=""
LIB32DIR=lib
PERL_VERSION=5.20.3
PERL_VER=5.20
PERL5_MAN1=lib/perl5/site_perl/man/man1
PERL5_MAN3=lib/perl5/site_perl/man/man3
SITE_PERL=lib/perl5/site_perl
SITE_ARCH=lib/perl5/site_perl/mach/5.20
DOCSDIR="share/doc/ca_root_nss"
EXAMPLESDIR="share/examples/ca_root_nss"
DATADIR="share/ca_root_nss"
WWWDIR="www/ca_root_nss"
ETCDIR="etc/ca_root_nss"
--End PLIST_SUB--

--SUB_LIST--
VERSION_NSS=3.26
ETCSYMLINK="@comment "
NO_ETCSYMLINK=""
PREFIX=/usr/local
LOCALBASE=/usr/local
DATADIR=/usr/local/share/ca_root_nss
DOCSDIR=/usr/local/share/doc/ca_root_nss
EXAMPLESDIR=/usr/local/share/examples/ca_root_nss
WWWDIR=/usr/local/www/ca_root_nss
ETCDIR=/usr/local/etc/ca_root_nss
--End SUB_LIST--

---Begin make.conf---
USE_PACKAGE_DEPENDS=yes
BATCH=yes
WRKDIRPREFIX=/wrkdirs
PORTSDIR=/usr/ports
PACKAGES=/packages
DISTDIR=/distfiles
---End make.conf---
=======================<phase: check-sanity >============================
===> License MPL accepted by the user
===> Found saved configuration for ca_root_nss-3.17.2_1
===========================================================================
=======================<phase: pkg-depends >============================
===> ca_root_nss-3.26 depends on file: /usr/local/sbin/pkg - not found
===> Installing existing package /packages/All/pkg-1.8.7_3.txz
[10-3amd64-local-job-01] Installing pkg-1.8.7_3...
[10-3amd64-local-job-01] Extracting pkg-1.8.7_3: .......... done
===> ca_root_nss-3.26 depends on file: /usr/local/sbin/pkg - found
===> Returning to build of ca_root_nss-3.26
===========================================================================
=======================<phase: fetch-depends >============================
===========================================================================
=======================<phase: fetch >============================
===> License MPL accepted by the user
===> Found saved configuration for ca_root_nss-3.17.2_1
===> Fetching all distfiles required by ca_root_nss-3.26 for building
===========================================================================
=======================<phase: checksum >============================
===> License MPL accepted by the user
===> Found saved configuration for ca_root_nss-3.17.2_1
===> Fetching all distfiles required by ca_root_nss-3.26 for building
=> SHA256 Checksum OK for nss-3.26.tar.gz.
===========================================================================
=======================<phase: extract-depends>============================
===========================================================================
=======================<phase: extract >============================
===> License MPL accepted by the user
===> Found saved configuration for ca_root_nss-3.17.2_1
===> Fetching all distfiles required by ca_root_nss-3.26 for building
===> Extracting for ca_root_nss-3.26
=> SHA256 Checksum OK for nss-3.26.tar.gz.
===========================================================================
=======================<phase: patch-depends >============================
===========================================================================
=======================<phase: patch >============================
===> Patching for ca_root_nss-3.26
===========================================================================
=======================<phase: build-depends >============================
===> ca_root_nss-3.26 depends on package: perl5>=5.20<5.21 - not found
===> Installing existing package /packages/All/perl5-5.20.3_15.txz
[10-3amd64-local-job-01] Installing perl5-5.20.3_15...
[10-3amd64-local-job-01] Extracting perl5-5.20.3_15: .......... done
Message from perl5-5.20.3_15:
The /usr/bin/perl symlink has been removed starting with Perl 5.20.
For shebangs, you should either use:

#!/usr/local/bin/perl

or

#!/usr/bin/env perl

The first one will only work if you have a /usr/local/bin/perl,
the second will work as long as perl is in PATH.
===> ca_root_nss-3.26 depends on package: perl5>=5.20<5.21 - found
===> Returning to build of ca_root_nss-3.26
===========================================================================
=======================<phase: lib-depends >============================
===========================================================================
=======================<phase: configure >============================
===> Configuring for ca_root_nss-3.26
===========================================================================
=======================<phase: build >============================
===> Building for ca_root_nss-3.26
## Untrusted certificates omitted from this bundle: 20
openssl x509 failed with exit code 11 at /wrkdirs/usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 78.
*** Error code 255
Stop.
make: stopped in /usr/ports/security/ca_root_nss
====>> Cleaning up wrkdir
===> Cleaning for ca_root_nss-3.26
build of security/ca_root_nss ended at Mon Sep 26 11:22:15 CEST 2016
build time: 00:00:12
!!! build failure encountered !!!
```

With 10.3-RELEASE-p9 it builds in poudriere.

```
====>> Building security/ca_root_nss
build started at Mon Sep 26 12:31:24 CEST 2016
port directory: /usr/ports/security/ca_root_nss
building for: FreeBSD 103amd64-default-job-01 10.3-RELEASE-p9 FreeBSD 10.3-RELEASE-p9 amd64
maintained by: ports-secteam@FreeBSD.org
Makefile ident: $FreeBSD: head/security/ca_root_nss/Makefile 422682 2016-09-23 14:59:28Z mat $
Poudriere version: 3.1.14
Host OSVERSION: 1003000
Jail OSVERSION: 1003000

---Begin Environment---
SHELL=/bin/csh
UNAME_v=FreeBSD 10.3-RELEASE-p9
UNAME_r=10.3-RELEASE-p9
BLOCKSIZE=K
MAIL=/var/mail/root
STATUS=1
ARCH=amd64
SAVED_TERM=screen
MASTERMNT=/usr/local/poudriere/data/.m/103amd64-default/ref
UID=0
FORCE_PACKAGE=yes
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
_JAVA_VERSION_LIST_REGEXP=1.6\|1.7\|1.8\|1.6+\|1.7+\|1.8+
POUDRIERE_BUILD_TYPE=bulk
PKGNAME=ca_root_nss-3.26
OSREL=10.3
_OSRELEASE=10.3-RELEASE-p9
PYTHONBASE=/usr/local
OLDPWD=/
_SMP_CPUS=1
PWD=/usr/local/poudriere/data/.m/103amd64-default/ref/.p/pool
HAVE_COMPAT_IA32_KERN=YES
OPSYS=FreeBSD
MASTERNAME=103amd64-default
SCRIPTPREFIX=/usr/local/share/poudriere
_JAVA_VENDOR_LIST_REGEXP=openjdk\|oracle\|sun
USER=root
HOME=/root
POUDRIERE_VERSION=3.1.14
SCRIPTPATH=/usr/local/share/poudriere/bulk.sh
CONFIGURE_MAX_CMD_LEN=262144
LIBEXECPREFIX=/usr/local/libexec/poudriere
LOCALBASE=/usr/local
PACKAGE_BUILDING=yes
_JAVA_OS_LIST_REGEXP=native\|linux
OSVERSION=1003000
---End Environment---

[...]
===========================================================================
=======================<phase: configure >============================
===> Configuring for ca_root_nss-3.26
===========================================================================
=======================<phase: build >============================
===> Building for ca_root_nss-3.26
## Untrusted certificates omitted from this bundle: 20
## Number of certificates: 175
===========================================================================
=======================<phase: run-depends >============================
===========================================================================
=======================<phase: stage >============================
===> Staging for ca_root_nss-3.26
===> Generating temporary packing list
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
install -m 0644 /wrkdirs/usr/ports/security/ca_root_nss/work/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/etc/ssl/cert.pem
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl/cert.pem.sample
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/openssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/openssl/cert.pem.sample
====> Compressing man pages (compress-man)
===========================================================================
=======================<phase: package >============================
===> Building package for ca_root_nss-3.26
===========================================================================
====>> Cleaning up wrkdir
===> Cleaning for ca_root_nss-3.26
build of security/ca_root_nss ended at Mon Sep 26 12:31:47 CEST 2016
build time: 00:00:23
```

This was fixed in the revised FreeBSD-SA-16:26.openssl security advisory: https://lists.freebsd.org/pipermail/freebsd-announce/2016-September/001751.html
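
The commit log in this report describes an off-by-one error in an overflow check that caused a regression. The block below is an added illustration of that class of bug, not code from OpenSSL, FreeBSD or this report: a bounds check placed after the write pointer is advanced rejects input that exactly fills the buffer, while the same check placed before the write accepts it and still refuses a real overflow. The names `split_check_after`, `split_check_before` and `CHUNK_BASE` are hypothetical, and the sample value is constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define CHUNK_BASE 1000000000UL /* one slot holds 9 decimal digits */

/* Over-strict variant: the bound is tested after lp has been advanced, so it
 * also fires when the final chunk has just landed in the last slot. */
static int split_check_after(unsigned long long v, unsigned long *buf, size_t n)
{
    unsigned long *lp = buf;

    if (n == 0)
        return -1;
    while (v != 0) {
        *lp++ = (unsigned long)(v % CHUNK_BASE);
        v /= CHUNK_BASE;
        if ((size_t)(lp - buf) >= n)
            return -1;          /* rejects an exact fit: off by one */
    }
    return (int)(lp - buf);
}

/* Corrected variant: the bound is tested before each write, so n slots can
 * hold exactly n chunks and an (n+1)th chunk is still refused. */
static int split_check_before(unsigned long long v, unsigned long *buf, size_t n)
{
    unsigned long *lp = buf;

    while (v != 0) {
        if ((size_t)(lp - buf) >= n)
            return -1;          /* genuine overflow: no room for this chunk */
        *lp++ = (unsigned long)(v % CHUNK_BASE);
        v /= CHUNK_BASE;
    }
    return (int)(lp - buf);
}

int main(void)
{
    unsigned long slots[2];
    unsigned long long v = 1234567890123ULL; /* constructed: needs exactly 2 chunks */

    printf("check after write:  %d\n", split_check_after(v, slots, 2));
    printf("check before write: %d\n", split_check_before(v, slots, 2));
    printf("one slot only:      %d\n", split_check_before(v, slots, 1));
    return 0;
}
```

Both variants keep every write inside the buffer; they differ only in whether a conversion that exactly fills it is reported as an error, which is why callers of such a routine need to handle the failure return.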