Bug 265800 - net/gemserv: Update to 0.6.6
Summary: net/gemserv: Update to 0.6.6
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Fernando Apesteguía
URL: https://git.sr.ht/~int80h/gemserv/tre...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2022-08-12 17:58 UTC by Evilham
Modified: 2023-01-26 18:19 UTC (History)

See Also:
Flags: ea: maintainer-feedback+


Attachments
net/gemserv: update to 0.6.6 (40.07 KB, patch)
2022-08-13 13:53 UTC, Evilham
no flags
net/gemserv: update to 0.6.6 (41.81 KB, patch)
2022-08-17 13:41 UTC, Evilham
contact: maintainer-approval?

Description Evilham 2022-08-12 17:58:49 UTC
I'll add the patch within a couple days (compiling as I report this).

This update includes a fix for a security issue without CVE regarding a directory traversal.

See: https://git.sr.ht/~int80h/gemserv/refs
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2022-08-12 18:06:23 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.
Comment 2 Evilham 2022-08-13 13:53:42 UTC
Created attachment 235880 [details]
net/gemserv: update to 0.6.6

While at it, use Makefile.crates as in other Rust ports and fix a couple of complaints from portlint -A.

Note that a previous patch needed for powerpc is not necessary due to a newer version of the libc crate being used. I checked that indeed the changes are incorporated, but am unable to test against that arch.
Comment 3 Evaldas Auryla 2022-08-16 14:06:32 UTC
Hi, thanks for the patch, it does build OK; I just tried to build the package in a 13.1 jail. But the server wouldn't start, with this error message:

thread 'main' panicked at 'error loading key: General("The server certificate is not valid for the given name")', src/lib/tls.rs:55:14

although I double checked and the generated test cert does have a CN corresponding to the FQDN of the jail's hostname, which also resolves in DNS to the jail's IP. Any clue?
Comment 4 Evilham 2022-08-16 14:25:01 UTC
Thanks for taking a look!

I'm certainly not well versed in rust, but my wild guess is: are you using self-signed certificates?
There might be an issue with gemserv there, basing the guess on this comment in the source code:
https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/src/lib/tls.rs#L123
Note the TLS logic has been completely rewritten since the last version we have in the FreeBSD repos.

FWIW I've been running 0.6.6 off my pkg repositories for a few days without issues now.
Comment 5 Evaldas Auryla 2022-08-17 07:27:46 UTC
Hi, thanks for pointing to the comment in the source code, indeed, I was testing with self-signed cert. So I grabbed one of my Letsencrypt issued certs, and got this in /var/log/messages:

Aug 17 07:54:04 gemserv gemserv[81330]: 2022-08-17 05:54:04,555 INFO  [gemserv] Serving 1 vhosts
Aug 17 07:54:04 gemserv gemserv[81330]: thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', src/lib/tls.rs:46:42
Aug 17 07:54:04 gemserv gemserv[81330]: stack backtrace:
Aug 17 07:54:04 gemserv gemserv[81330]:    0:     0x26ac1dff085d - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hf271a1988635e66b
Aug 17 07:54:04 gemserv gemserv[81330]:    1:     0x26ac1ded30ae - core::fmt::write::h06f611de0d6a5aeb
Aug 17 07:54:04 gemserv gemserv[81330]:    2:     0x26ac1dfcabd4 - std::io::Write::write_fmt::h825a3caddcfda349
Aug 17 07:54:04 gemserv gemserv[81330]:    3:     0x26ac1dfd8ba6 - std::panicking::default_hook::{{closure}}::h48207883971a61ed
Aug 17 07:54:04 gemserv gemserv[81330]:    4:     0x26ac1dfd97bf - std::panicking::rust_panic_with_hook::hb1605447e655ad18
Aug 17 07:54:04 gemserv gemserv[81330]:    5:     0x26ac1dff0c22 - std::panicking::begin_panic_handler::{{closure}}::h72e6f0c380d86540
Aug 17 07:54:04 gemserv gemserv[81330]:    6:     0x26ac1dff0b96 - std::sys_common::backtrace::__rust_end_short_backtrace::h9602d023f6801785
Aug 17 07:54:04 gemserv gemserv[81330]:    7:     0x26ac1dfd9182 - rust_begin_unwind
Aug 17 07:54:04 gemserv gemserv[81330]:    8:     0x26ac1ded5b02 - core::panicking::panic_fmt::h735f12c53d12ea24
Aug 17 07:54:04 gemserv gemserv[81330]:    9:     0x26ac1dec78b1 - alloc::vec::Vec<T,A>::remove::assert_failed::h89829a84e8dde3ab
Aug 17 07:54:04 gemserv gemserv[81330]:   10:     0x26ac1de9e931 - gemserv::lib::tls::tls_acceptor_conf::he7ebc86cebbbbfe9
Aug 17 07:54:04 gemserv gemserv[81330]:   11:     0x26ac1dea2f9e - gemserv::run::{{closure}}::h47eb3bc4db1af29a
Aug 17 07:54:04 gemserv gemserv[81330]:   12:     0x26ac1de837a0 - <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll::h7096b8765f4e0031
Aug 17 07:54:04 gemserv gemserv[81330]:   13:     0x26ac1deb20a1 - gemserv::main::h1794507196c913e9
Aug 17 07:54:04 gemserv gemserv[81330]:   14:     0x26ac1de520b3 - std::sys_common::backtrace::__rust_begin_short_backtrace::h469d0ba2741643ee
Aug 17 07:54:04 gemserv gemserv[81330]:   15:     0x26ac1de52e9d - std::rt::lang_start::{{closure}}::he3ab2a2e7f3b24d0
Aug 17 07:54:04 gemserv gemserv[81330]:   16:     0x26ac1deb3f6d - main

Tried with "cert.pem", then "fullchain.pem", same error. Which CA certs are you using?
Comment 6 Evilham 2022-08-17 08:00:19 UTC
Hunch: you are using RSA keys that are not in PKCS8 format and we just found a newly introduced bug in gemserv :-).

Can you confirm that your key's PEM headers look like this?

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

If that's the case, removing "RSA " (aka, leaving only "BEGIN/END PRIVATE KEY") should get you a PKCS8-formatted key that ought to work.

Basing this hunch on:
https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/src/lib/tls.rs#L37
And: https://docs.rs/rustls-pemfile/0.2.1/rustls_pemfile/fn.pkcs8_private_keys.html

If this is confirmed maybe we can use: https://docs.rs/rustls-pemfile/0.2.1/rustls_pemfile/fn.rsa_private_keys.html
to join that with the PKCS8 ones and publish 0.6.6 in ports with the patch, while submitting it upstream.
Comment 7 Evaldas Auryla 2022-08-17 08:48:56 UTC
Yes, works after removing "RSA" in key.pem. Not sure what to think of it. Maybe this should be baked into the server code?

Is the requirement to use third-party CA-issued certs coming from Rust? Sounds like it's not lined up with that strong recommendation to use self-signed certs together with some lightweight TOFU as per the Gemini specs.
Comment 8 Evilham 2022-08-17 09:10:46 UTC
Regarding CAs: IDK, that's up to gemserv's developers.

But could it be that your first issue was a mixture of: custom code to handle these cases + non-PKCS8 RSA key? Could you try again with the self-signed cert, making sure that the private key is PKCS8-formatted?
Comment 9 Evaldas Auryla 2022-08-17 09:30:38 UTC
Tried again with self-signed cert, generated with same CN, key.pem has no "RSA", this is what goes out in /var/log/messages:

Aug 17 11:25:19 pkg gemserv[87249]: thread 'main' panicked at 'error loading key: General("The server certificate is not valid for the given name")', src/lib/tls.rs:55:14
Comment 10 Evilham 2022-08-17 13:41:29 UTC
Created attachment 235966 [details]
net/gemserv: update to 0.6.6

This adds a patch to support reading both PKCS8 and OpenSSL-generated RSA private keys.

The patch has been sent upstream so it gets incorporated or re-implemented in a way they see fit.
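The key-format issue diagnosed in comments 6 and 10, as an added example written for this thread (it is not gemserv's code and not the patch in attachment 235966): a dependency-free Rust PEM loader that collects both PKCS#8 "PRIVATE KEY" blocks and OpenSSL-style "RSA PRIVATE KEY" blocks, and returns an error instead of calling `Vec::remove(0)` on an empty vector, which is the panic shown in comment 5's backtrace when a loader that only recognises the PKCS#8 label is handed an RSA-labelled key. The sample PEM strings are constructed and contain no real key material; all type and function names are my own.

```rust
// Added example, not gemserv's code: PEM private-key loading that accepts both
// PKCS#8 ("PRIVATE KEY") and PKCS#1 ("RSA PRIVATE KEY") labels.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyKind {
    Pkcs8,    // -----BEGIN PRIVATE KEY-----
    Pkcs1Rsa, // -----BEGIN RSA PRIVATE KEY----- (OpenSSL default for RSA)
}

#[derive(Debug, PartialEq)]
pub struct PrivateKey {
    pub kind: KeyKind,
    pub der: Vec<u8>, // base64-decoded block body
}

/// Decode standard base64 with '=' padding; None on any invalid character.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let val = |c: u8| -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some((c - b'A') as u32),
            b'a'..=b'z' => Some((c - b'a' + 26) as u32),
            b'0'..=b'9' => Some((c - b'0' + 52) as u32),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    };
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        let pad = chunk.iter().filter(|&&b| b == b'=').count();
        if pad > 2 {
            return None;
        }
        let mut acc: u32 = 0;
        for &b in chunk {
            acc = (acc << 6) | if b == b'=' { 0 } else { val(b)? };
        }
        let full = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        out.extend_from_slice(&full[..3 - pad]);
    }
    Some(out)
}

/// Walk every PEM block in `pem` and keep the private keys, in file order.
/// Certificates and other labels are skipped, so a combined cert+key file works.
pub fn private_keys(pem: &str) -> Vec<PrivateKey> {
    let mut keys = Vec::new();
    let mut label: Option<&str> = None;
    let mut body = String::new();
    for line in pem.lines() {
        let line = line.trim();
        if let Some(rest) = line.strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            label = Some(rest);
            body.clear();
        } else if let Some(rest) = line.strip_prefix("-----END ").and_then(|r| r.strip_suffix("-----")) {
            // Only accept a block whose BEGIN and END labels agree.
            let kind = match (label, rest) {
                (Some("PRIVATE KEY"), "PRIVATE KEY") => Some(KeyKind::Pkcs8),
                (Some("RSA PRIVATE KEY"), "RSA PRIVATE KEY") => Some(KeyKind::Pkcs1Rsa),
                _ => None,
            };
            if let (Some(kind), Some(der)) = (kind, base64_decode(&body)) {
                keys.push(PrivateKey { kind, der });
            }
            label = None;
        } else if label.is_some() {
            body.push_str(line);
        }
    }
    keys
}

/// Take the first key, or report a readable error instead of panicking on
/// `remove(0)` of an empty vector.
pub fn load_first_key(pem: &str) -> Result<PrivateKey, String> {
    let mut keys = private_keys(pem);
    if keys.is_empty() {
        return Err("no PKCS#8 or RSA private key found in PEM input".to_string());
    }
    Ok(keys.remove(0))
}

// Constructed samples: the bodies are tiny base64 strings, not real keys.
pub const SAMPLE_PKCS1: &str =
    "-----BEGIN RSA PRIVATE KEY-----\nAAEC\n-----END RSA PRIVATE KEY-----\n";
pub const SAMPLE_PKCS8: &str =
    "-----BEGIN PRIVATE KEY-----\n/w==\n-----END PRIVATE KEY-----\n";
pub const SAMPLE_CERT_ONLY: &str =
    "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n";

fn main() {
    for (name, pem) in [("pkcs1", SAMPLE_PKCS1), ("pkcs8", SAMPLE_PKCS8), ("cert-only", SAMPLE_CERT_ONLY)] {
        match load_first_key(pem) {
            Ok(k) => println!("{}: loaded {:?} key, {} DER bytes", name, k.kind, k.der.len()),
            Err(e) => println!("{}: error loading key: {}", name, e),
        }
    }
}
```

The cert-only case is the shape of the failure in comment 5: a file with no block the loader recognises yields an empty vector, and the only safe thing to do with that is to report it, not index into it.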
Comment 11 Fernando Apesteguía freebsd_committer freebsd_triage 2023-01-24 07:18:18 UTC
The last patch is not approved by maintainer. What's the status of this PR?
Comment 12 Evilham 2023-01-24 07:38:47 UTC
(In reply to Fernando Apesteguía from comment #11)
I'd guess maintainer timeout; upstream hasn't incorporated or replied to the patch either :-(.

FWIW it's been deployed in multiple servers without issues since first posted here.
Comment 13 Fernando Apesteguía freebsd_committer freebsd_triage 2023-01-26 18:19:02 UTC
Committed,

Thanks!
Comment 14 commit-hook freebsd_committer freebsd_triage 2023-01-26 18:19:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=740042a4126b6461d79eae867b50abb7a693938c

commit 740042a4126b6461d79eae867b50abb7a693938c
Author:     Evilham <contact@evilham.com>
AuthorDate: 2023-01-26 17:53:00 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-26 18:14:06 +0000

    net/gemserv: Update to 0.6.6

    ChangeLog: https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/README#L79

    This update fixes a security issue for which there is no CVE assigned:

    https://git.sr.ht/~int80h/gemserv/refs

    PR:             265800
    Reported by:    contact@evilham.com
    Approved by:    ea@uoga.net (maintainer)

 net/gemserv/Makefile                         |  80 +-----
 net/gemserv/Makefile.crates (new)            | 103 ++++++++
 net/gemserv/distinfo                         | 366 +++++++++++++++------------
 net/gemserv/files/config.toml.sample.in      |  38 ++-
 net/gemserv/files/gemserv.in                 |   2 +
 net/gemserv/files/patch-powerpc (gone)       |  62 -----
 net/gemserv/files/patch-src_lib_tls.rs (new) |  35 +++
 net/gemserv/pkg-message                      |  12 +-
 8 files changed, 391 insertions(+), 307 deletions(-)