Description of problem:
while using m2crypto-0.18 to maintain ssl connections, we experienced occasional segmentation faults.

Version-Release number of selected component (if applicable):
m2crypto-0.16-6.el5.3

These segfaults may very well be related to the following upstream bug
https://bugzilla.osafoundation.org/show_bug.cgi?id=11686
as we did not experience segfaults with m2crypto-0.19.1. Just like bug 472690, it has obvious security implications.

Thanks for your report.

The bug describes segfaults caused by loading a public key (without the private exponent) and using it in one of the RSA methods, which implies a call to RSA.check_key (RSA_check_key). This crashes because it attempts to access the private exponent, which is NULL. The current upstream fix changes the API (see https://bugzilla.osafoundation.org/show_bug.cgi?id=12465 ), so it is unusable for RHEL5.

AFAICS this crash is entirely deterministic and not security related. If the segmentation faults were "occasional", this change is probably not relevant to your problem.

As long as we are guessing, the following CHANGES entry is another option:
> - Prevent Connection.makefile from freeing bio redundantly, by Thomas Uram

but it would be much better to know the cause of the crashes for certain.

I'm inclined to close this bug WONTFIX - have I overlooked a reason not to?
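
The failure mode described in the comment above (a key-consistency check reaching for a private exponent that a public-only key does not carry), as an added example that is not part of the original thread and is not M2Crypto or OpenSSL code: a standard-library Python check over PKCS#1 PEM input that returns False for public-only material before it reads any private field. The helper names and the toy key values are constructed for illustration.

```python
import base64
from math import gcd

def _der_len(n):                      # DER definite-length octets
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _pem(label, ints):                # build a PKCS#1 PEM from a list of integers
    body = b""
    for v in ints:
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0 keeps it positive
        body += b"\x02" + _der_len(len(raw)) + raw
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)

def _tlv(buf, pos):                   # read one DER tag-length-value triple
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_key(pem):
    """True only for a consistent PKCS#1 private key; absent fields are never read."""
    lines = pem.strip().splitlines()
    label = lines[0].strip("-")[len("BEGIN "):]
    tag, seq, _ = _tlv(base64.b64decode("".join(lines[1:-1])), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    # Public-only material (n, e) has no private exponent: refuse instead of crashing.
    if label != "RSA PRIVATE KEY" or len(ints) != 9 or min(ints[3:6]) < 2:
        return False
    _, n, e, d, p, q = ints[:6]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return n == p * q and (e * d) % lam == 1

# Constructed toy values (p=61, q=53), far too small for real use.
PUBLIC_PEM = _pem("RSA PUBLIC KEY", [3233, 17])
PRIVATE_PEM = _pem("RSA PRIVATE KEY", [0, 3233, 17, 2753, 61, 53, 53, 49, 38])
```
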