Bug 2246372

Summary: [abrt] gnutls-utils: gnutls_x509_crt_deinit(): gnutls-cli killed by SIGSEGV
Product: [Fedora] Fedora
Reporter: Sandro Bonazzola <sbonazzo>
Component: gnutls
Assignee: Red Hat Crypto Team <crypto-team>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 39
CC: ansasaki, crypto-team, dueno, fkrenzel, sbonazzo, tm, zfridric
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/49385027c8c2f19e342034eee628c06b216ff23
Whiteboard: abrt_hash:ffa44a591a4f92cd6ac389809ed1023aa56c4529;VARIANT_ID=workstation;
Fixed In Version: gnutls-3.8.3-1.fc39 gnutls-3.8.3-1.fc38
Last Closed: 2024-01-29 06:25:19 UTC
Attachments (no flags set): proc_pid_status, maps, limits, environ, open_fds, mountinfo, os_info, cpuinfo, core_backtrace, exploitable, dso_list, backtrace

Description Sandro Bonazzola 2023-10-26 12:47:47 UTC
Description of problem:
Executing `gnutls-cli -d 1 tls-tls-tls.ctf.siesta.monster -p 8080 --ca-auto-retrieve` just segfaulted

Version-Release number of selected component:
gnutls-utils-3.8.1-1.fc39

Additional info:
reporter:       libreport-2.17.11
type:           CCpp
reason:         gnutls-cli killed by SIGSEGV
journald_cursor: s=bc29ac64410c4532adce616b6afb2a1d;i=66bf2c;b=dbebcbd302e249028d66c825836827a4;m=153769e7f;t=6089de8135e7a;x=7e9fc9ed1c777540
executable:     /usr/bin/gnutls-cli
cmdline:        gnutls-cli -d 1 tls-tls-tls.ctf.siesta.monster -p 8080 --ca-auto-retrieve
cgroup:         0::/user.slice/user-20528.slice/user/app.slice/app-org.gnome.Terminal.slice/vte-spawn-8f3b4aac-6961-47d3-8c24-82b372b6167c.scope
rootdir:        /
uid:            20528
kernel:         6.5.8-300.fc39.x86_64
package:        gnutls-utils-3.8.1-1.fc39
runlevel:       N 5
backtrace_rating: 4
crash_function: gnutls_x509_crt_deinit
comment:        Executing ` gnutls-cli -d 1 tls-tls-tls.ctf.siesta.monster -p 8080 --ca-auto-retrieve` , just segfaulted

Truncated backtrace:
Thread no. 1 (13 frames)
 #0 gnutls_x509_crt_deinit at ../../../lib/x509/x509.c:294
 #1 retrieve_issuers at ../../../lib/x509/verify-high.c:946
 #2 gnutls_x509_trust_list_verify_crt2 at ../../../lib/x509/verify-high.c:1496
 #3 _gnutls_x509_cert_verify_peers at ../../lib/cert-session.c:594
 #4 gnutls_certificate_verify_peers at ../../lib/cert-session.c:766
 #5 cert_verify at ../../src/common.c:260
 #6 cert_verify_callback at ../../src/cli.c:488
 #7 _gnutls_run_verify_callback at ../../lib/handshake.c:3014
 #8 _gnutls13_handshake_client at ../../lib/handshake-tls13.c:136
 #9 handshake_client at ../../lib/handshake.c:3052
 #10 gnutls_handshake at ../../lib/handshake.c:2874
 #11 do_handshake at ../../src/cli.c:1855
 #12 socket_open2 at ../../src/socket.c:620

Comment 1 Sandro Bonazzola 2023-10-26 12:47:59 UTC
Created attachment 1995622 [details]
File: proc_pid_status

Comment 2 Sandro Bonazzola 2023-10-26 12:48:02 UTC
Created attachment 1995623 [details]
File: maps

Comment 3 Sandro Bonazzola 2023-10-26 12:48:05 UTC
Created attachment 1995624 [details]
File: limits

Comment 4 Sandro Bonazzola 2023-10-26 12:48:07 UTC
Created attachment 1995625 [details]
File: environ

Comment 5 Sandro Bonazzola 2023-10-26 12:48:09 UTC
Created attachment 1995626 [details]
File: open_fds

Comment 6 Sandro Bonazzola 2023-10-26 12:48:14 UTC
Created attachment 1995627 [details]
File: mountinfo

Comment 7 Sandro Bonazzola 2023-10-26 12:48:15 UTC
Created attachment 1995628 [details]
File: os_info

Comment 8 Sandro Bonazzola 2023-10-26 12:48:17 UTC
Created attachment 1995629 [details]
File: cpuinfo

Comment 9 Sandro Bonazzola 2023-10-26 12:48:20 UTC
Created attachment 1995630 [details]
File: core_backtrace

Comment 10 Sandro Bonazzola 2023-10-26 12:48:22 UTC
Created attachment 1995631 [details]
File: exploitable

Comment 11 Sandro Bonazzola 2023-10-26 12:48:26 UTC
Created attachment 1995632 [details]
File: dso_list

Comment 12 Sandro Bonazzola 2023-10-26 12:48:29 UTC
Created attachment 1995633 [details]
File: backtrace

Comment 13 Daiki Ueno 2023-11-09 02:37:35 UTC
> Executing ` gnutls-cli -d 1 tls-tls-tls.ctf.siesta.monster -p 8080 --ca-auto-retrieve` , just segfaulted

Thank you for the report.  I'm trying to reproduce but it looks like the server only has a private address assigned. Would it be possible to point me to a public server, or could you collect the logs following the instruction below?

https://www.gnutls.org/manual/html_node/Debugging-and-auditing.html#Debugging-and-auditing

Comment 14 Daiki Ueno 2023-11-09 03:02:53 UTC
I suspect that this might be hitting the case where a gap is found in the certificate chain while the EE cert doesn't have caIssuer AIA. In that case, the default issuer callback set by gnutls-cli returns 0 (success) but doesn't set issuers_size to 0:
https://gitlab.com/gnutls/gnutls/-/blob/f2fbef2c50952270eeeadebfacbf718da845fadc/src/cli.c#L2297
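
Added example, not part of the original thread and not the GnuTLS source or the upstream fix: a minimal C model of the contract described in comment 14, where a callback that returns success must also define its output parameters. `cert_t`, `issuer_cb`, `fetch_one`, `cb_before`, `cb_after` and `entries_to_release` are hypothetical names, and the stale values passed in stand in for the caller's uninitialized locals.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for this example; not GnuTLS types or functions. */
typedef struct { int has_ca_issuers_aia; } cert_t;
typedef int (*issuer_cb)(const cert_t *ee, cert_t **issuers, unsigned *issuers_size);

/* Stands in for downloading the issuer named by the caIssuers AIA. */
static int fetch_one(cert_t **issuers, unsigned *issuers_size)
{
    *issuers = calloc(1, sizeof(cert_t));
    *issuers_size = (*issuers != NULL);
    return *issuers ? 0 : -1;
}

/* Pattern from comment 14: no AIA, returns success, outputs left unwritten. */
static int cb_before(const cert_t *ee, cert_t **issuers, unsigned *issuers_size)
{
    return ee->has_ca_issuers_aia ? fetch_one(issuers, issuers_size) : 0;
}

/* Corrected: both outputs are defined on every path before returning. */
static int cb_after(const cert_t *ee, cert_t **issuers, unsigned *issuers_size)
{
    *issuers = NULL;
    *issuers_size = 0;
    return ee->has_ca_issuers_aia ? fetch_one(issuers, issuers_size) : 0;
}

/* Caller model: returns how many entries its cleanup loop would release
 * after a successful callback (-1 if the callback failed). */
static long entries_to_release(issuer_cb cb, const cert_t *ee,
                               cert_t *stale_ptr, unsigned stale_size)
{
    cert_t *issuers = stale_ptr;        /* models an uninitialized local */
    unsigned issuers_size = stale_size; /* models an uninitialized local */
    if (cb(ee, &issuers, &issuers_size) != 0)
        return -1;
    if (issuers != stale_ptr)
        free(issuers);                  /* release only what the callback set */
    return (long)issuers_size;
}

int main(void)
{
    cert_t no_aia = { 0 }, stale = { 0 }; /* constructed inputs */
    printf("before=%ld after=%ld\n", entries_to_release(cb_before, &no_aia, &stale, 7),
           entries_to_release(cb_after, &no_aia, &stale, 7));
    return 0;
}
```

With `cb_before` and a certificate lacking the AIA, the caller sees the stale count and would walk that many entries it never received, which matches a crash inside a deinit call reached from the cleanup path.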

Comment 15 Sandro Bonazzola 2023-11-09 07:35:21 UTC
(In reply to Daiki Ueno from comment #13)
> > Executing ` gnutls-cli -d 1 tls-tls-tls.ctf.siesta.monster -p 8080 --ca-auto-retrieve` , just segfaulted
> 
> Thank you for the report.  I'm trying to reproduce but it looks like the
> server only has a private address assigned. Would it be possible to point me
> to a public server, or could you collect the logs following the instruction
> below?
> 
> https://www.gnutls.org/manual/html_node/Debugging-and-auditing.html#Debugging-and-auditing

Sadly tls-tls-tls.ctf.siesta.monster is not available anymore as the CTF event ended last week so I can't provide more detailed debug info.

Comment 16 Daiki Ueno 2023-11-09 08:32:25 UTC
OK, then let's assume my guess on comment 14 is correct :-) I've filed an MR in upstream to fix it:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1792

Comment 17 Fedora Update System 2024-01-24 11:09:45 UTC
FEDORA-2024-c43a6cc3f8 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c43a6cc3f8

Comment 18 Fedora Update System 2024-01-24 11:09:47 UTC
FEDORA-2024-80428c408c has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-80428c408c

Comment 19 Fedora Update System 2024-01-25 01:11:50 UTC
FEDORA-2024-c43a6cc3f8 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c43a6cc3f8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c43a6cc3f8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2024-01-25 01:12:04 UTC
FEDORA-2024-80428c408c has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-80428c408c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-80428c408c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2024-01-29 06:25:19 UTC
FEDORA-2024-80428c408c has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2024-02-09 01:50:19 UTC
FEDORA-2024-c43a6cc3f8 (gnutls-3.8.3-1.fc38) has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.