View Issue Details

ID: 0008079
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2023-02-16 04:23
Reporter: jojonas
Assigned To: arnaudr
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: kali-dev
Summary: 0008079: The DNS server "named" (from the bind9 package) crashes with the following error message:
Description

┌──(kali㉿kali)-[~]
└─$ named --help
tls.c:88: fatal error: RUNTIME_CHECK(OPENSSL_init_ssl((0x00000200L | 0x00000400L | 0x00001000L | 0x00002000L | 0x00004000L) | 0x00000040L, ((void *)0)) == 1) failed
zsh: IOT instruction named --help

Steps To Reproduce

Install package "bind9":

$ sudo apt install bind9

Start named (either via systemctl service or directly from the command line):

$ sudo systemctl start named
$ named --help

Activities

jojonas

2022-12-03 00:35

reporter   ~0017121

The reason for the crash is that named is not allowed to read Kali's OpenSSL configuration at /etc/ssl/kali.cnf which is included by /etc/ssl/openssl.cnf, as the following strace output shows:

┌──(kali㉿kali)-[~]
└─$ sudo strace -e trace=file named --help
execve("/usr/sbin/named", ["named", "--help"], 0x7ffe20ca96c8 /* 13 vars */) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[... loading .so libraries ...]
readlink("/etc/malloc.conf", 0x7ffe3c544760, 4096) = -1 ENOENT (No such file or directory)
open("/proc/sys/vm/overcommit_memory", O_RDONLY|O_CLOEXEC) = 3
open("/sys/kernel/mm/transparent_hugepage/enabled", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=12550, ...}, AT_EMPTY_PATH) = 0
newfstatat(AT_FDCWD, "/etc/ssl/kali.cnf", {st_mode=S_IFREG|0644, st_size=653, ...}, 0) = 0
openat(AT_FDCWD, "/etc/ssl/kali.cnf", O_RDONLY) = -1 EACCES (Permission denied)
tls.c:88: fatal error: RUNTIME_CHECK(OPENSSL_init_ssl((0x00000200L | 0x00000400L | 0x00001000L | 0x00002000L | 0x00004000L) | 0x00000040L, ((void *)0)) == 1) failed
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2631, si_uid=0} ---
+++ killed by SIGABRT +++
zsh: IOT instruction sudo strace -e trace=file named --help

This is due to the file /etc/ssl/kali.cnf not being included in the AppArmor policy /etc/apparmor.d/usr.sbin.named, which is shipped as part of the "bind9" package.

Adding a line like "/etc/ssl/kali.cnf r," to the AppArmor policy fixes the issue.
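
One way to cross-check the EACCES lines of such a trace against the read rules of a profile, as an added example that is not part of the original report or of the bind9 package. The trace and profile text are constructed samples, the function names are hypothetical, and only plain path rules using `*`, `**` and `?` are handled (includes, variables, alternations and deny rules are not resolved).

```python
import re

# Constructed sample in the strace format shown in the report (not a real capture).
STRACE = """\
openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
newfstatat(AT_FDCWD, "/etc/ssl/kali.cnf", {st_mode=S_IFREG|0644, st_size=653, ...}, 0) = 0
openat(AT_FDCWD, "/etc/ssl/kali.cnf", O_RDONLY) = -1 EACCES (Permission denied)
"""

# Constructed profile fragment; NOT the contents of the real usr.sbin.named profile.
PROFILE = """\
/usr/sbin/named {
  /etc/bind/** r,
  /usr/lib/ssl/openssl.cnf r,
  /etc/ssl/*.pem r,
}
"""

OPEN_DENIED = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)".*= -1 EACCES')
FILE_RULE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([rwxmklaiPpCcUu]+),')


def denied_opens(strace_text):
    """Paths whose open()/openat() failed with EACCES, in first-seen order."""
    hits = (OPEN_DENIED.match(line) for line in strace_text.splitlines())
    return list(dict.fromkeys(m.group(1) for m in hits if m))


def glob_to_regex(glob):
    """AppArmor globbing subset: ** crosses '/', * and ? stay in one component."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")


def read_rules(profile_text):
    """Compiled patterns for every file rule that grants 'r'."""
    rules = (FILE_RULE.match(line) for line in profile_text.splitlines())
    return [glob_to_regex(m.group(1)) for m in rules if m and "r" in m.group(2)]


def missing_read_rules(strace_text, profile_text):
    """Candidate rule lines for denied paths that no read rule covers."""
    rules = read_rules(profile_text)
    return [f"{path} r," for path in denied_opens(strace_text)
            if not any(rule.match(path) for rule in rules)]


if __name__ == "__main__":
    print("\n".join(missing_read_rules(STRACE, PROFILE)))
```

The output is a list of candidate rules to review, since a path may be denied on purpose.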

arnaudr

2022-12-06 07:37

manager   ~0017148

Thanks for the excellent bug report!

I opened an issue on the Debian bug tracker, to see if the bind9 maintainers would be willing to relax the AppArmor profile for named: https://bugs.debian.org/1025519.

arnaudr

2022-12-27 03:06

manager   ~0017284

This is solved in package bind9 version 9.18.10-2, in Debian. The package hasn't reached Kali yet.

arnaudr

2023-01-17 15:43

manager   ~0017403

The package bind9 9.18.10-2 is now in kali-rolling, so the issue is solved with:

<pre>
apt update && apt full-upgrade -y
</pre>

Closing.

Issue History

Date Modified Username Field Change
2022-12-03 00:34 jojonas New Issue
2022-12-03 00:35 jojonas Note Added: 0017121
2022-12-06 07:37 arnaudr Note Added: 0017148
2022-12-06 07:37 arnaudr Assigned To => arnaudr
2022-12-06 07:37 arnaudr Status new => assigned
2022-12-27 03:06 arnaudr Note Added: 0017284
2023-01-17 15:43 arnaudr Note Added: 0017403
2023-01-17 15:44 arnaudr Status assigned => resolved
2023-01-17 15:44 arnaudr Resolution open => fixed