openssl has catastrophic issues when locale set to TR_UTF8

I've uploaded a fix to the jammy unapproved queue, but it's a rather large patch and I think it should be reviewed by another member of the release team.

Upstream did a review of these changes and I think they have some valid points:
https://github.com/openssl/openssl/pull/18115#issuecomment-1099784064

I'm also worried that the newlocale() calls have no corresponding freelocale() counterparts. I think this needs a bit more tinkering before we proceed - in lieu of these uncertainties, I'll reject if from the queue.

Note that because these locale objects are declared 'static', they don't go out of scope until the library is unloaded. So the only way this results in a memory leak is if a process is opening libssl via dlopen, then unloading it, then loading it again.

Moving back to In Progress and assigning to me, as there is now an upstream fix that has been merged in their 3.0 branch: https://github.com/openssl/openssl/pull/18103 (patches applied manually, hence the wrong status of the PR)

(note that the patch caused a regression on their master branch, but apparently *not* on the 3.0 branch)

I'll prepare an SRU for it ASAP.

Attached is the patch for the Jammy SRU.

You can find a build of it in this PPA: https://launchpad.net/~schopin/+archive/ubuntu/test-ppa/+sourcepub/13495859/+listing-archive-extra
(just pop the extra changelog entry)

Here's the debdiff for kinetic, which is the whole 3.0.3 upstream release.

You'll find a build for it in my PPA: https://launchpad.net/~schopin/+archive/ubuntu/test-ppa/+sourcepub/13495897/+listing-archive-extra

(just pop the extra changelog entry)

Hello Ilgaz, or anyone else affected,

Accepted openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Good news, proposed patch fixed the issue.

Fresh Kubuntu (Turkish) on a VM with proposed patches enabled. Original symptom isn't there

# sudo ua status
[sudo] ilgaz için parola:
SERVICE AVAILABLE DESCRIPTION
cc-eal no Common Criteria EAL2 Provisioning Packages
cis no Security compliance and audit tools
esm-infra yes UA Infra: Extended Security Maintenance (ESM)
fips no NIST-certified core packages
fips-updates no NIST-certified core packages with priority security updates
livepatch yes Canonical Livepatch service

This machine is not attached to a UA subscription.

Additionally this works (another symptom, wget)

# wget https://cdimage.ubuntu.com/kubuntu/releases/22.04/release/kubuntu-22.04-desktop-amd64.iso.torrent
--2022-05-06 14:33:48-- https://cdimage.ubuntu.com/kubuntu/releases/22.04/release/kubuntu-22.04-desktop-amd64.iso.torrent
cdimage.ubuntu.com (cdimage.ubuntu.com) çözümleniyor... 91.189.91.124, 91.189.91.123, 185.125.190.37, ...
cdimage.ubuntu.com (cdimage.ubuntu.com)|91.189.91.124|:443 bağlanılıyor... bağlantı kuruldu.
HTTP isteği gönderildi, cevap bekleniyor... 200 OK
Uzunluk: 280634 (274K) [application/x-bittorrent]
Kayıt yeri: ‘kubuntu-22.04-desktop-amd64.iso.torrent’

kubuntu-22.04-desktop-a 100%[===============================>] 274,06K 505KB/s süre 0,5s

2022-05-06 14:33:49 (505 KB/s) - ‘kubuntu-22.04-desktop-amd64.iso.torrent’ kaydedildi [280634/280634]

# apt info openssl
Package: openssl
Version: 3.0.2-0ubuntu1.2
Priority: important
Section: utils
Origin: Ubuntu

All autopkgtests for the newly accepted openssl (3.0.2-0ubuntu1.2) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

mysql-8.0/8.0.29-0ubuntu0.22.04.2 (i386)
resource-agents/1:4.7.0-1ubuntu7 (armhf)
seqkit/2.1.0+ds-1 (arm64)
ngircd/26.1-1 (s390x)
linux-lowlatency/5.15.0-30.31 (arm64)
python-bonsai/1.3.0+ds-3build1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#openssl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

I've been using 3.0.2-0ubuntu1.2 on jammy for a couple of days without any noticeable regression, and have confirmed that the bug has been fixed using the curl method outlined above.

Marking as verified on jammy.

The verification of the Stable Release Update for openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package openssl - 3.0.2-0ubuntu1.2

---------------
openssl (3.0.2-0ubuntu1.2) jammy; urgency=medium

  * d/p/lp1968997/*: cherry-pick a patchset to fix issues with the Turkish
    locale (LP: #1968997)

 -- Simon Chopin <email address hidden> Thu, 05 May 2022 10:04:52 +0200

This bug was fixed in the package openssl - 3.0.3-0ubuntu1

---------------
openssl (3.0.3-0ubuntu1) kinetic; urgency=medium

  * New upstream release (LP: #1968997):
    - d/p/CVE-2022-*: dropped, present upstream
    - d/p/c_rehash-compat.patch: refreshed

 -- Simon Chopin <email address hidden> Thu, 05 May 2022 10:56:04 +0200