Problem in gajim IM with pyopenssl 17.4.0 in ArchLinux #722

Closed
Genues opened this issue Nov 28, 2017 · 12 comments

Comments

@Genues

Genues commented Nov 28, 2017

Hi!
Please help solve a problem in gajim IM with pyopenssl 17.4.0 in ArchLinux:
$ gajim
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nbxmpp/idlequeue.py", line 549, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/lib/python2.7/site-packages/nbxmpp/idlequeue.py", line 409, in _process_events
    obj.pollin()
  File "/usr/lib/python2.7/site-packages/nbxmpp/transports_nb.py", line 446, in pollin
    self._do_receive()
  File "/usr/lib/python2.7/site-packages/nbxmpp/transports_nb.py", line 669, in _do_receive
    self._on_receive(received)
  File "/usr/lib/python2.7/site-packages/nbxmpp/transports_nb.py", line 683, in _on_receive
    self.on_receive(data)
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 332, in
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 385, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 388, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 424, in _on_stream_start
    self._on_connect()
  File "/usr/lib/python2.7/site-packages/nbxmpp/client_nb.py", line 461, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/lib/python2.7/site-packages/gajim/common/connection.py", line 1428, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/lib/python2.7/site-packages/gajim/common/connection.py", line 1498, in connection_accepted
    hostname) and '100' not in gajim.config.get_per('accounts',
  File "/usr/lib/python2.7/site-packages/gajim/common/check_X509.py", line 171, in check_certificate
    subject = cert.get_subject()
  File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1438, in get_subject
    self._subject_invalidator.add(name)
AttributeError: 'X509' object has no attribute '_subject_invalidator'

Version 17.3.0 works fine.

@reaperhulk
Member

This looks likely to be a situation where you have multiple copies of pyOpenSSL installed and your Python is loading part of each of them.

@Genues
Author

Genues commented Nov 28, 2017

@reaperhulk How can I check it? Why does gajim run fine if I go back to 17.3.0?
Two pyopenssl packages are installed on my system: for Python2 and Python3.

@reaperhulk
Member

Did you install pyopenssl via arch's package manager or via pip?

@Genues
Author

Genues commented Nov 28, 2017

@reaperhulk arch's package manager - pacman

@reaperhulk
Member

Hmm, okay. Could you look at /usr/lib/python2.7/site-packages/OpenSSL/crypto.py and confirm that _subject_invalidator is set in the __init__ for the X509 class?

I'll be very surprised if it's not... Do you have any other copies of crypto.py on your system?

@Genues
Author

Genues commented Nov 28, 2017

@reaperhulk

class X509(object):
    """
    An X.509 certificate.
    """
    def __init__(self):
        x509 = _lib.X509_new()
        _openssl_assert(x509 != _ffi.NULL)
        self._x509 = _ffi.gc(x509, _lib.X509_free)
            
        self._issuer_invalidator = _X509NameInvalidator()
        self._subject_invalidator = _X509NameInvalidator()

I have not installed any other pyopenssl packages.

@alex
Member

alex commented Nov 28, 2017

@reaperhulk
Member

@alex sigh, my __new__ guess on IRC was right, but in our own repo 👎
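
An added illustration (not pyOpenSSL's code and not part of any comment in this thread) of how the `__init__` posted above can set `_subject_invalidator` while `get_subject()` still raises this `AttributeError`: an object allocated with `__new__` never runs `__init__`. `Cert`, `NameInvalidator`, `from_raw_broken` and `from_raw_fixed` are hypothetical names, and that an alternate constructor of this kind was the path taken in 17.4.0 is an assumption drawn from the `__new__` remark above.

```python
# Toy stand-ins for the failure mode; none of these names are pyOpenSSL's API.
class NameInvalidator(object):
    """Remembers name objects handed out so they could be invalidated later."""
    def __init__(self):
        self._names = []

    def add(self, name):
        self._names.append(name)


class Cert(object):
    def __init__(self, raw=None):
        self._raw = raw
        self._init_invalidators()

    def _init_invalidators(self):
        self._issuer_invalidator = NameInvalidator()
        self._subject_invalidator = NameInvalidator()

    @classmethod
    def from_raw_broken(cls, raw):
        # __new__ allocates the instance without running __init__, so the
        # invalidator attributes are never created on this object.
        cert = cls.__new__(cls)
        cert._raw = raw
        return cert

    @classmethod
    def from_raw_fixed(cls, raw):
        # Same allocation path, but every attribute __init__ would have set
        # is initialised explicitly before the object is returned.
        cert = cls.__new__(cls)
        cert._raw = raw
        cert._init_invalidators()
        return cert

    def get_subject(self):
        name = ("subject-of", self._raw)  # constructed placeholder value
        self._subject_invalidator.add(name)
        return name


def subject_or_error(cert):
    """Return the subject, or the AttributeError text if the object is half-built."""
    try:
        return cert.get_subject()
    except AttributeError as exc:
        return str(exc)
```
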

@Genues
Author

Genues commented Nov 29, 2017

Can I fix something in any files so that gajim works?

@reaperhulk
Member

@Genues I'm writing a fix now. In addition to this bug the memory handling here is wrong so we need to add some new things to cryptography as well.

@Genues
Author

Genues commented Nov 29, 2017

@reaperhulk Thank you.

reaperhulk added a commit to reaperhulk/pyopenssl that referenced this issue Nov 29, 2017
reaperhulk added a commit to reaperhulk/pyopenssl that referenced this issue Nov 29, 2017
alex pushed a commit that referenced this issue Nov 30, 2017
* fix a memory leak and a potential UAF and also #722

* sanity check

* bump cryptography minimum version, add changelog
@reaperhulk
Member

This should be resolved in 17.5.0

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2020