Bug 206346 - fetchmail *really* likes to stat /etc/pki/tls/certs/e569cb81.0
fetchmail *really* likes to stat /etc/pki/tls/certs/e569cb81.0
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: fetchmail (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miloslav Trmač
Brock Organ
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-13 15:57 EDT by Dave Jones
Modified: 2015-01-04 17:28 EST (History)
2 users (show)

See Also:
Fixed In Version: 6.3.4-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-30 22:19:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
snippet of strace -p `pidof fetchmail` (19.27 KB, text/plain)
2006-09-13 21:09 EDT, Dave Jones
no flags Details
Attempt to fix the broken logic (810 bytes, patch)
2006-10-03 09:30 EDT, Tomas Mraz
no flags Details | Diff

  None (edit)
Description Dave Jones 2006-09-13 15:57:00 EDT
whilst chasing an NFS bug, I happened to strace fetchmail, which I had running
in daemon mode. Each time it woke up to do something it did this..

stat64("/etc/pki/tls/certs/e569cb81.0", 0xbf829930) = -1 ENOENT (No such file or
directory)

The problem is it did this over and over again.
In the space of 30 or so seconds, it did this nearly 1 million times.
Comment 1 Dave Jones 2006-09-13 21:07:10 EDT
.fetchmailrc looks like this.. (with IPs/passwords chopped out obviously)

poll 1.1.1.1 with proto IMAP
    user "davej" there with password "********" is davej here options fetchall
warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;

poll 2.2.2.2 with proto IMAP
    user "davej" there with password "***********" is davej here options
fetchall warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;

poll 3.3.3.3 with proto IMAP
    user "davej" there with password "********" is davej here options fetchall
warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;

poll 4.4.4.4 with proto pop3
    user "kernelslacker" there with password "********" is davej here options
fetchall warnings 3600 ssl and wants mda "/usr/bin/procmail -d %T" ;
Comment 2 Dave Jones 2006-09-13 21:09:07 EDT
Created attachment 136220 [details]
snippet of strace -p `pidof fetchmail`

segment of strace output.
Comment 3 Miloslav Trmač 2006-09-23 20:28:22 EDT
Each poll adds a single stat() call, so the fetchmail process must have been
running for months :)

fetchmail seems to be playing by the OpenSSL documentation, but OpenSSL behavior
differs from the documentation.

fetchmail uses a single SSL_CTX and reuses it for multiple connections; before
each SSL_new it sets up the SSL_CTX parameters for the new connection.  Among
other functions it calls SSL_CTX_load_verify_locations() or
SSL_CTX_set_default_verify_paths().

(man SSL_CTX_load_verify_locations) says the function "specifies the locations
for ctx"...;  actually it _appends_ the locations to its list.  There is no man
page for SSL_CTX_set_default_verify_paths(), nevertheless the name of the
function seems to contradict the appending behavior as well.

The immediate cause of the problem is that add_cert_dir() in
openssl/crypto/x509/by_dir.c adds a single directory multiple times (there is a
loop to detect duplicates (for(j=0...)...), but its result is ignored).

Tomas, do you think the above should be fixed in OpenSSL, or only documented as
intended behavior?

In any case, upstream fetchmail needs to be changed not to reuse the SSL_CTX
objects.
Comment 4 Miloslav Trmač 2006-09-23 22:52:30 EDT
Fixed in dist-fc6-HEAD fetchmail-6.3.4-2.  If you don't mind, I'll push this
as an update only after FC6 is released, to get more testers in updates-testing
and to possibly reflect upstream changes to the patch.
Comment 5 Tomas Mraz 2006-10-03 09:04:48 EDT
> The immediate cause of the problem is that add_cert_dir() in
> openssl/crypto/x509/by_dir.c adds a single directory multiple times (there is a
> loop to detect duplicates (for(j=0...)...), but its result is ignored).

This is clearly an openssl bug. The continue statement was probably meant for
the outer for loop and not the inner one. The logic in this function is also
broken by other means.

Comment 6 Tomas Mraz 2006-10-03 09:30:57 EDT
Created attachment 137645 [details]
Attempt to fix the broken logic
Comment 7 Fedora Update System 2006-10-24 17:18:23 EDT
fetchmail-6.3.4-2 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 8 Fedora Update System 2006-10-30 22:12:53 EST
fetchmail-6.3.4-2 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 9 Tomas Mraz 2006-11-03 05:46:20 EST
No response from openssl upstream on the patch above yet.
Comment 10 Tomas Mraz 2006-12-11 14:33:30 EST
The patch was picked up in openssl upstream CVS.

Note You need to log in before you can comment on or make changes to this bug.