1442824 – Upgrade of GnuTLS seems to break svn

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1442824 - Upgrade of GnuTLS seems to break svn

Summary: Upgrade of GnuTLS seems to break svn

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	gnutls
Sub Component:
Version:	6.9
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Nikos Mavrogiannopoulos
QA Contact:	Stefan Dordevic
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1374441 1461138 1507541 1516695
TreeView+	depends on / blocked

Reported:	2017-04-17 16:57 UTC by Brian Hinz
Modified:	2018-06-19 05:11 UTC (History)
CC List:	9 users (show)
Fixed In Version:	gnutls-2.12.23-22.el6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-19 05:11:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:1868	0	None	None	None	2018-06-19 05:11:21 UTC

Description Brian Hinz 2017-04-17 16:57:28 UTC

Description of problem:

After upgrading from EL6.8 to 6.9, subversion client segfaults on all operations (backend server transport is https).  The following appears in the output of dmesg:

svn[4298]: segfault at 0 ip 00007fca8724ef78 sp 00007fffea738f10 error 4 in libgnutls.so.26.22.6[7fca8720d000+a9000]

After running 'yum downgrade gnutls gnutls-devel gnutls-utils' svn client works again

Version-Release number of selected component (if applicable):
subversion-1.6.11-15.el6_7
gnutls-2.12.23-21

How reproducible:
100%

Steps to Reproduce:
1. svn ls https://my.svn.server/my_repo


Actual results:
Segmentation fault

Expected results:
Repository contents listed

Additional info:
Downgrading gnutls to 2.8.5 allows subversion to work again

Comment 2 Joe Orton 2017-04-18 08:57:07 UTC

Brian, can you please open a support ticket for this? 

I can't immediately reproduce.

$ svn ls https://svn.apache.org/repos/asf/httpd/httpd/trunk/
$ rpm -q subversion gnutls neon
subversion-1.6.11-15.el6_7.x86_64
gnutls-2.12.23-21.el6.x86_64
neon-0.29.3-3.el6_4.x86_64

Can you capture a backtrace?

$ sudo debuginfo-install subversion neon gnutls
$ gdb svn ls ...
(gdb) run
...
(gdb) bt

Comment 3 Brian Hinz 2017-04-18 16:39:34 UTC

I will get the backtrace exported and uploaded ASAP (maybe today but probably won't be until tomorrow).  Until then, the backtrace indicates that the problem is in gnutls_privkey_get_pk_algorithm at gnutls_privkey.c:88.

Additionally, I did some poking around and realized that so far all of my affected users are using ssl-pkcs11-provider in their ~/.subversion/servers file (ie: PKI certificate resides on a smartcard device).  I have not yet located one of our users that has PKCS12 to confirm whether or not the problem is specific to PKCS11.

Comment 4 Joe Orton 2017-04-18 17:31:13 UTC

Thanks, that's helpful.

Running the neon test suite against RHEL6 and running the PKCS#11 tests, gnutls also segfaults as follows:

#0  gnutls_privkey_get_pk_algorithm (key=0x0, bits=0x0) at gnutls_privkey.c:88
#1  0x00000039dfc35bf1 in sign_tls_hash (session=0xfd8ab0, hash_algo=GNUTLS_DIG_SHA256, cert=0xfd1930, 
    pkey=<value optimized out>, hash_concat=0x7ffde2170250, signature=0x7ffde2170370) at gnutls_sig.c:248
#2  0x00000039dfc3608a in _gnutls_handshake_sign_cert_vrfy12 (session=0xfd8ab0, cert=0xfd1930, pkey=0x0, 
    signature=0x7ffde2170370) at gnutls_sig.c:646
#3  _gnutls_handshake_sign_cert_vrfy (session=0xfd8ab0, cert=0xfd1930, pkey=0x0, signature=0x7ffde2170370) at gnutls_sig.c:680
#4  0x00000039dfc328bc in _gnutls_gen_cert_client_cert_vrfy (session=0xfd8ab0, data=0x7ffde21703e8) at auth_cert.c:1548
#5  0x00000039dfc24417 in _gnutls_send_client_certificate_verify (session=0xfd8ab0, again=<value optimized out>)
    at gnutls_kx.c:331
#6  0x00000039dfc20cf5 in _gnutls_handshake_client (session=0xfd8ab0) at gnutls_handshake.c:2843
#7  0x00000039dfc21bb8 in gnutls_handshake (session=0xfd8ab0) at gnutls_handshake.c:2678
#8  0x00007f348b1bb531 in ne_sock_connect_ssl (sock=0xfd79a0, ctx=0xf7c310, userdata=<value optimized out>) at ne_socket.c:1794
#9  0x00007f348b1c75df in ne__negotiate_ssl (sess=0xf75940) at ne_gnutls.c:923

Comment 5 Brian Hinz 2017-04-18 17:36:55 UTC

Yeah, that backtrace looks identical so I won't bother attaching mine.  I'll ask our local RH support to open a ticket.

Comment 11 Nikos Mavrogiannopoulos 2017-04-21 06:08:24 UTC

Hi Brian,
 Would you like to check whether the patch at:
https://people.redhat.com/nmavrogi/redhat/

resolves the issue?

Comment 13 Brian Hinz 2017-04-24 15:33:21 UTC

Hi Nikos,

I was unable to get the patched RPMs on Friday and am getting them imported and will test today.

Thanks,
-brian

Comment 14 Nikos Mavrogiannopoulos 2017-04-24 16:02:04 UTC

Thank you. If that works for you, please make sure you create a support ticket referencing this bug.

Comment 15 Brian Hinz 2017-04-24 18:21:53 UTC

Nikos,

Thanks for the fast turn around.  Those RPMs do indeed seem to resolve the issue.  I did ask our local RH support personnel to create a support ticket.

Thanks,
-brian

Comment 28 errata-xmlrpc 2018-06-19 05:11:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1868

Note You need to log in before you can comment on or make changes to this bug.