Embargoed issue as reported at https://gitlab.com/gnutls/gnutls/-/issues/1525 (duplicate - https://gitlab.com/gnutls/gnutls/-/issues/1527)

---

Description of problem:

I'm reporting a crash observed during chain building/verification. I've turned it into a reproducer (not minimal yet, but reliably crashes for me), which I'm attaching to this issue.

As additional context: this reproducer comes from Netflix's BetterTLS (github.com/Netflix/bettertls) project; specifically, it's test case 61 in their "path validation" suite. As such, it's already public on the Internet. However, nobody appears to have run BetterTLS against a recent version of GnuTLS, so I'm filing this as a private issue for triage.

Version of gnutls used:

This crash has been observed on GnuTLS 3.8.3, via certtool. I'm using the Homebrew distribution of GnuTLS 3.8.3: https://formulae.brew.sh/formula/gnutls#default

How reproducible:

I'm attaching a reproducer in the form of a PEM bundle.

Steps to Reproduce:

    certtool --verify-chain --infile bug.pem

Expected results:

I expected a normal program exit, with an exit code of 1 or 0.

Actual results:

The program crashes with SIGTRAP, which is probably just because macOS catches the SIGSEGV for triage.

Observed output:

    Note that no verification profile was selected. In the future the medium profile will be enabled by default.
    Use --verify-profile low to apply the default verification of NORMAL priority string.
    |<1>| There was a non-CA certificate in the trusted list: O=bettertls.com,CN=D,serialNumber=9d9b1ac3-6af5-47f2-9cdb-2201652648a0.
    Trace/BPT trap: 5
Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 2270594]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1879 https://access.redhat.com/errata/RHSA-2024:1879
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2570 https://access.redhat.com/errata/RHSA-2024:2570