Problem in gajim IM with pyopenssl 17.4.0 in ArchLinux #722

Closed
Genues opened this issue Nov 28, 2017 · 12 comments

@Genues
Genues commented Nov 28, 2017

Hi!
Please help solve a problem in gajim IM with pyopenssl 17.4.0 in ArchLinux:

```
$ gajim
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nbxmpp/idlequeue.py", line 549, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/lib/python2.7/site-packages/nbxmpp/idlequeue.py", line 409, in _process_events
    obj.pollin()
  File "/usr/lib/python2.7/site-packages/nbxmpp/transports_nb.py", line 446, in pollin
    self._do_receive()
  File "/usr/lib/python2.7/site-packages/nbxmpp/transports_nb.py", line 669, in _do_receive
    self._on_receive(received)
  File "/usr/lib/python2.7/site-packages/nbxmpp/transports_nb.py", line 683, in _on_receive
    self.on_receive(data)
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 332, in <lambda>
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 385, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 388, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 424, in _on_stream_start
    self._on_connect()
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 461, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/lib/python2.7/site-packages/gajim/common/connection.py", line 1428, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/lib/python2.7/site-packages/gajim/common/connection.py", line 1498, in connection_accepted
    hostname) and '100' not in gajim.config.get_per('accounts',
  File "/usr/lib/python2.7/site-packages/gajim/common/check_X509.py", line 171, in check_certificate
    subject = cert.get_subject()
  File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1438, in get_subject
    self._subject_invalidator.add(name)
AttributeError: 'X509' object has no attribute '_subject_invalidator'
```

Version 17.3.0 works fine.

@reaperhulk
Member

This looks likely to be a situation where you have multiple copies of pyOpenSSL installed and your Python is loading part of each of them.

@Genues
Author

Genues commented Nov 28, 2017

@reaperhulk How do I check that? Why does gajim run fine if I go back to 17.3.0?
Two pyopenssl packages are installed on my system: one for Python 2 and one for Python 3.

@reaperhulk
Member

Did you install pyopenssl via arch's package manager or via pip?

@Genues
Author

Genues commented Nov 28, 2017

@reaperhulk arch's package manager - pacman

@reaperhulk
Member

Hmm, okay. Could you look at `/usr/lib/python2.7/site-packages/OpenSSL/crypto.py` and confirm that `_subject_invalidator` is set in the `__init__` for the `X509` class?

I'll be very surprised if it's not... Do you have any other copies of `crypto.py` on your system?
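
One way to run the check asked for above is to list every copy of the `OpenSSL` package the interpreter can see and whether its `crypto.py` mentions `_subject_invalidator`. This is an added example, not part of the thread or of pyOpenSSL; the function names `find_package_copies`, `mentions_symbol` and `audit` are hypothetical.

```python
import os
import sys


def find_package_copies(package, search_path=None):
    """Return each directory on the import path that holds a copy of `package`.

    Order follows the search path, so the first entry is the copy that a
    plain `import` resolves to.
    """
    search_path = sys.path if search_path is None else search_path
    copies = []
    for entry in search_path:
        candidate = os.path.realpath(os.path.join(entry or os.getcwd(), package))
        if candidate in copies:
            continue  # same directory reachable via two path entries
        if os.path.isfile(os.path.join(candidate, "__init__.py")):
            copies.append(candidate)
    return copies


def mentions_symbol(package_dir, module_file, symbol):
    """True if `module_file` inside `package_dir` contains `symbol` as text."""
    path = os.path.join(package_dir, module_file)
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as handle:
        return symbol.encode("ascii") in handle.read()


def audit(package="OpenSSL", module_file="crypto.py",
          symbol="_subject_invalidator", search_path=None):
    """List (directory, has_symbol) for every copy; more than one row means
    the interpreter can see several installs of the same package."""
    return [(d, mentions_symbol(d, module_file, symbol))
            for d in find_package_copies(package, search_path)]


if __name__ == "__main__":
    for directory, has_symbol in audit():
        print("%s  _subject_invalidator=%s" % (directory, has_symbol))
```

Run it with the same interpreter that runs the affected program, since each Python version has its own `site-packages`.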

@Genues
Author

Genues commented Nov 28, 2017

@reaperhulk

```python
class X509(object):
    """
    An X.509 certificate.
    """
    def __init__(self):
        x509 = _lib.X509_new()
        _openssl_assert(x509 != _ffi.NULL)
        self._x509 = _ffi.gc(x509, _lib.X509_free)

        self._issuer_invalidator = _X509NameInvalidator()
        self._subject_invalidator = _X509NameInvalidator()
```

I did not install any other pyopenssl packages.

@alex
Member

alex commented Nov 28, 2017

@reaperhulk
Member

@alex sigh, my `__new__` guess on IRC was right, but in our own repo 👎
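
The `__new__` remark above points at a general Python failure mode: an instance allocated with `__new__` never runs `__init__`, so attributes that only `__init__` assigns are missing and the first method that uses them raises an `AttributeError` like the one in the traceback. The following is an added illustration, not part of the thread and not pyOpenSSL's code; `Cert`, `NameInvalidator`, `from_raw_broken`, `from_raw_fixed` and `missing_init_attrs` are hypothetical names.

```python
class NameInvalidator(object):
    """Hypothetical stand-in for the helper object that __init__ attaches."""

    def __init__(self):
        self.names = []

    def add(self, name):
        self.names.append(name)


class Cert(object):
    """Hypothetical wrapper class with two construction paths."""

    def __init__(self):
        self._raw = object()
        self._subject_invalidator = NameInvalidator()

    @classmethod
    def from_raw_broken(cls, raw):
        # __new__ allocates the instance without running __init__, so
        # only the attributes assigned here exist on the result.
        cert = cls.__new__(cls)
        cert._raw = raw
        return cert

    @classmethod
    def from_raw_fixed(cls, raw):
        # Same path, but it sets up everything __init__ would have.
        cert = cls.__new__(cls)
        cert._raw = raw
        cert._subject_invalidator = NameInvalidator()
        return cert

    def get_subject(self):
        name = "subject-%d" % id(self._raw)
        self._subject_invalidator.add(name)  # fails on the broken path
        return name


def missing_init_attrs(cls, obj):
    """Sanity check: attributes a normal cls() has that `obj` lacks."""
    return sorted(set(vars(cls())) - set(vars(obj)))
```

A check like `missing_init_attrs` in a unit test catches the case where a new attribute is added to `__init__` but not to an alternate constructor.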

@Genues
Author

Genues commented Nov 29, 2017

Can I fix something in any files so that gajim works?

@reaperhulk
Member

@Genues I'm writing a fix now. In addition to this bug the memory handling here is wrong so we need to add some new things to cryptography as well.

@Genues
Author

Genues commented Nov 29, 2017

@reaperhulk Thank you.

reaperhulk added a commit to reaperhulk/pyopenssl that referenced this issue Nov 29, 2017
reaperhulk added a commit to reaperhulk/pyopenssl that referenced this issue Nov 29, 2017
alex pushed a commit that referenced this issue Nov 30, 2017
* fix a memory leak and a potential UAF and also #722

* sanity check

* bump cryptography minimum version, add changelog

@reaperhulk
Member

This should be resolved in 17.5.0

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2020