Bug 206346

| Field | Value |
|---|---|
| Summary | fetchmail *really* likes to stat /etc/pki/tls/certs/e569cb81.0 |
| Product | [Fedora] Fedora |
| Reporter | Dave Jones <davej> |
| Component | fetchmail |
| Assignee | Miloslav Trmač <mitr> |
| Status | CLOSED ERRATA |
| QA Contact | Brock Organ <borgan> |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| CC | pfrields, tmraz |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | 6.3.4-2 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2006-10-31 03:19:37 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Dave Jones
2006-09-13 19:57:00 UTC
.fetchmailrc looks like this.. (with IPs/passwords chopped out obviously)

    poll 1.1.1.1 with proto IMAP user "davej" there with password "********" is davej here options fetchall warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;
    poll 2.2.2.2 with proto IMAP user "davej" there with password "***********" is davej here options fetchall warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;
    poll 3.3.3.3 with proto IMAP user "davej" there with password "********" is davej here options fetchall warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;
    poll 4.4.4.4 with proto pop3 user "kernelslacker" there with password "********" is davej here options fetchall warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;

Created attachment 136220 [details]
snippet of strace -p `pidof fetchmail`
segment of strace output.
Each poll adds a single stat() call, so the fetchmail process must have been running for months :)

fetchmail seems to be playing by the OpenSSL documentation, but OpenSSL behavior differs from the documentation. fetchmail uses a single SSL_CTX and reuses it for multiple connections; before each SSL_new it sets up the SSL_CTX parameters for the new connection. Among other functions it calls SSL_CTX_load_verify_locations() or SSL_CTX_set_default_verify_paths(). (man SSL_CTX_load_verify_locations) says the function "specifies the locations for ctx"...; actually it _appends_ the locations to its list. There is no man page for SSL_CTX_set_default_verify_paths(), nevertheless the name of the function seems to contradict the appending behavior as well.

The immediate cause of the problem is that add_cert_dir() in openssl/crypto/x509/by_dir.c adds a single directory multiple times (there is a loop to detect duplicates (for(j=0...)...), but its result is ignored).

Tomas, do you think the above should be fixed in OpenSSL, or only documented as intended behavior? In any case, upstream fetchmail needs to be changed not to reuse the SSL_CTX objects.

Fixed in dist-fc6-HEAD fetchmail-6.3.4-2. If you don't mind, I'll push this as an update only after FC6 is released, to get more testers in updates-testing and to possibly reflect upstream changes to the patch.

> The immediate cause of the problem is that add_cert_dir() in
> openssl/crypto/x509/by_dir.c adds a single directory multiple times (there is a
> loop to detect duplicates (for(j=0...)...), but its result is ignored).
This is clearly an openssl bug. The continue statement was probably meant for
the outer for loop and not the inner one. The logic in this function is also
broken by other means.
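To make the misplaced `continue` concrete, here is an added C reconstruction of the directory-list handling in add_cert_dir(), written for this page and not OpenSSL's or fetchmail's own code. The `dir_list` type, the `buggy` switch and the `dirs_after_polls()` driver (one registration of the same CA directory per poll, mimicking fetchmail's reused SSL_CTX) are this example's assumptions; every extra entry means one more stat() of the hashed CA file per verification.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for OpenSSL's BY_DIR context (crypto/x509/by_dir.c). */
#define MAX_DIRS 64
typedef struct { char *dirs[MAX_DIRS]; int num_dirs; } dir_list;
/* Append each ':'-separated entry of `dir` unless already listed. With `buggy`
 * set, the `continue` sits inside the inner loop (the flaw the report
 * describes), so it never skips the append and duplicates accumulate. */
static int add_cert_dir(dir_list *ctx, const char *dir, int buggy)
{
    const char *start = dir, *p;
    for (p = dir;; p++) {
        if (*p != ':' && *p != '\0')
            continue;
        size_t len = (size_t)(p - start);
        int j, dup = 0;
        for (j = 0; len > 0 && j < ctx->num_dirs; j++) {
            if (strlen(ctx->dirs[j]) == len && memcmp(ctx->dirs[j], start, len) == 0) {
                if (buggy)
                    continue;   /* only advances j; dup stays 0 */
                dup = 1;
                break;
            }
        }
        if (len > 0 && !dup) {
            char *copy;
            if (ctx->num_dirs >= MAX_DIRS || (copy = malloc(len + 1)) == NULL)
                return 0;
            memcpy(copy, start, len);
            copy[len] = '\0';
            ctx->dirs[ctx->num_dirs++] = copy;
        }
        start = p + 1;
        if (*p == '\0')
            return 1;
    }
}
/* Model fetchmail re-initialising one shared SSL_CTX before each poll (same CA
 * directory registered every time); returns how many entries the lookup walks. */
int dirs_after_polls(int polls, int buggy)
{
    dir_list ctx = { {0}, 0 };
    int i, n;
    for (i = 0; i < polls; i++)
        add_cert_dir(&ctx, "/etc/pki/tls/certs", buggy);
    n = ctx.num_dirs;
    for (i = 0; i < n; i++)
        free(ctx.dirs[i]);
    return n;
}
```

With the misplaced `continue`, the entry count grows by one per poll; with the duplicate check honoured, it stays at one however many polls run.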
Created attachment 137645 [details]
Attempt to fix the broken logic
fetchmail-6.3.4-2 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.

No response from openssl upstream on the patch above yet.

The patch was picked up in openssl upstream CVS.