Bug 138716 (IT_53082)

Summary: signature verification via http broken after upgrade from U1 to U2
Product: Red Hat Enterprise Linux 3
Reporter: David Lehman <dlehman>
Component: rpm
Assignee: Paul Nasrat <nobody+pnasrat>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 3.0
CC: cra, maharig, nobody+pnasrat, pdemauro, sconklin, ssnodgra, tao
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-05-18 14:45:25 UTC
Bug Blocks: 132991
Attachments:
strace of working rpm --nolibio -K
strace of failing rpm -K
Successful verification with rpm --rpmiodebug -Kv
Failed verification with rpm --rpmiodebug -Kv
Failed verification with rpm --rpmiodebug --nolibio -Kv
rpmio fix for bytesRemain updated multiple times in fdstat_exit

Description David Lehman 2004-11-10 20:39:33 UTC
Description of problem:
Signature checking returns false negatives for some packages when queried via
HTTP. Backing out rpm and popt (to U1 revs) eliminates false positives.

Version-Release number of selected component (if applicable):
rpm-4.2.2-0.14

How reproducible:
Always

Steps to Reproduce:
1. Set up and start httpd on localhost (an RHEL3-U3 machine)
2. Place arptables_jf-0.0.7-0.3E.i386.rpm somewhere httpd will serve it
3. run 'rpm -Kv http://localhost/<path>/arptables_jf-0.0.7-0.3E.i386.rpm'
  
Actual results:
[root@hogwash root]# rpm -Kv http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)
    V3 DSA signature: BAD, key ID db42a60e
[root@hogwash root]#


Expected results:
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: OK (820cd9dc0cb93108029c3b1b2afa97d5)
    V3 DSA signature: OK, key ID db42a60e


Additional info:

Comment 2 Jeff Johnson 2004-11-11 23:39:03 UTC
*** Bug 138901 has been marked as a duplicate of this bug. ***

Comment 9 Pancrazio `ezio' de Mauro 2005-01-10 16:26:25 UTC
Same for me here: rpm -K sporadically says "NOT OK"; if I add --nolibio it seems
to always say "OK".

-- 
        ezio


Comment 10 Paul Nasrat 2005-01-10 18:34:35 UTC
Created attachment 109570 [details]
strace of working rpm --nolibio -K

Note we read lead+sigh[96 + 16 + 328] hdr[16 +3984] store [84038]

Comment 11 Paul Nasrat 2005-01-10 18:39:12 UTC
Created attachment 109571 [details]
strace of failing rpm -K

Note the short read on the store

[ 96 + 16 + 328 ] [ 16 + 3984 ] store [ 26886 ] 

If we read the rpm to the length we get the same actual MD5

rpm -Kv
http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm


MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)

dd if=arptables_jf-0.0.7-0.3E.i386.rpm of=bar bs=1 count=31326

rpm -Kv bar | grep MD5
MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)

Comment 12 Paul Nasrat 2005-01-10 19:11:30 UTC
Note fails with same actual MD5 digest using ftp also, pursuing some suggestions
from jbj in fdReadable

Comment 13 Paul Nasrat 2005-01-10 19:56:10 UTC
From rpmiodebug

==>     fdRead(0x8567df8,0xb73df000,8192) rc 8192  clen 51462   | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==>     fdRead(0x8567df8,0xb73df000,8192) rc 8192  clen 26886   | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==>     fdRead(0x8567df8,0xb73df000,8192) rc 8192  clen 2310    | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==>     fdRead(0x8567df8,0xb73df000,8192) rc 2310  clen 0       | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048

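The trace above shows clen dropping by 3 * 8192 between consecutive 8192-byte reads, so the reader believes it has hit Content-Length after 26886 bytes of an 84038-byte store and stops; the digest is then computed over a truncated payload and reported as "MD5 digest: BAD" rather than as a short read. The following is an added example (not rpmio code and not part of this bug report) that models that accounting error in a bounded reader and shows the check a verifier should make before comparing digests. The payload, the read_bounded/verify_payload helpers and the decrements_per_chunk knob are all constructed for illustration; only the chunk size, store length and the 3x decrement come from the trace.

```python
import hashlib
import io

CHUNK = 8192  # read size seen in the rpmiodebug trace above

# Constructed stand-in for the package payload: same byte count as the
# "store [84038]" in comment 10, but synthetic content, not real rpm data.
STORE_LEN = 84038
SAMPLE_PAYLOAD = bytes((i * 7 + 3) % 256 for i in range(STORE_LEN))
EXPECTED_MD5 = hashlib.md5(SAMPLE_PAYLOAD).hexdigest()


def read_bounded(stream, content_length, decrements_per_chunk=1):
    """Read content_length bytes from stream in CHUNK-sized reads.

    The remaining-byte counter (clen / bytesRemain in the trace) must be
    decremented exactly once per read.  decrements_per_chunk > 1 is a
    hypothetical knob that models the accounting error described in this
    bug: each read knocks the counter down more than once, so the reader
    believes it has reached Content-Length well before the body is
    exhausted and returns early.
    """
    remaining = content_length
    buf = bytearray()
    while remaining > 0:
        data = stream.read(min(CHUNK, remaining))
        if not data:          # EOF before Content-Length: also a short read
            break
        buf += data
        remaining -= len(data) * decrements_per_chunk
    return bytes(buf)


def verify_payload(payload, content_length, expected_md5):
    """Classify a read payload the way a careful verifier should.

    Checking the byte count before the digest separates a transport-level
    short read from a payload that is genuinely corrupt or tampered with.
    The rpm output in this report skipped that step, so the truncated body
    surfaced as "MD5 digest: BAD".
    """
    if len(payload) != content_length:
        return "SHORT READ (%d of %d bytes)" % (len(payload), content_length)
    actual = hashlib.md5(payload).hexdigest()
    return "OK" if actual == expected_md5 else "BAD (%s)" % actual


def demo():
    good = read_bounded(io.BytesIO(SAMPLE_PAYLOAD), STORE_LEN)
    # Three decrements per read, as the clen values in the trace imply.
    short = read_bounded(io.BytesIO(SAMPLE_PAYLOAD), STORE_LEN,
                         decrements_per_chunk=3)
    # Comment 11's dd experiment: hashing only the bytes actually read
    # reproduces the "actual" digest the failing verifier printed.
    prefix_md5 = hashlib.md5(SAMPLE_PAYLOAD[:len(short)]).hexdigest()
    return {
        "good_len": len(good),
        "good_result": verify_payload(good, STORE_LEN, EXPECTED_MD5),
        "short_len": len(short),
        "short_result": verify_payload(short, STORE_LEN, EXPECTED_MD5),
        "short_md5_matches_prefix": hashlib.md5(short).hexdigest() == prefix_md5,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-25s %s" % (key, value))
```

Run as a script, the correct reader returns all 84038 bytes and verifies OK, while the triple-decrement reader stops after four 8192-byte reads (32768 bytes); the length check reports that as a short read instead of a digest mismatch, and hashing the same-length prefix of the file reproduces the truncated digest, which is exactly what the dd experiment in comment 11 showed.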
Comment 15 Paul Nasrat 2005-01-11 20:52:43 UTC
*** Bug 144836 has been marked as a duplicate of this bug. ***

Comment 16 Paul Nasrat 2005-01-12 00:53:38 UTC
With the help of Jeff Johnson we've tracked this down and have a proposed fix. 
Target U5

Comment 17 Steve Snodgrass 2005-01-12 14:50:57 UTC
FYI, the --nolibio workaround doesn't appear to me to have any effect
on the problem.  I'm not sure if this is significant to the proposed
fix or not.

Comment 18 Paul Nasrat 2005-01-12 15:16:57 UTC
Steve can you attach the stderr from both

rpm --rpmiodebug --nolibio -Kv http://URL/foo.rpm
rpm --rpmiodebug -Kv http://URL/foo.rpm

Comment 19 Steve Snodgrass 2005-01-12 16:10:24 UTC
Created attachment 109671 [details]
Successful verification with rpm --rpmiodebug -Kv

Comment 20 Steve Snodgrass 2005-01-12 16:12:13 UTC
Created attachment 109672 [details]
Failed verification with rpm --rpmiodebug -Kv

Comment 21 Steve Snodgrass 2005-01-12 16:12:56 UTC
Created attachment 109673 [details]
Failed verification with rpm --rpmiodebug --nolibio -Kv

Comment 22 Paul Nasrat 2005-01-12 16:54:30 UTC
I'm pretty sure the fix should work for both cases for you as it fixes the clen
decrementing incorrectly which you're seeing in your nolibio case too.

Comment 24 Charles R. Anderson 2005-01-20 20:17:11 UTC
I ran into this same problem with rpm -qp ftp:// on FC2 and FC3.  Jeff
Johnson gave me a patch from CVS that fixes the problem for me on FC3
rpm-4.3.2-21.  It would be nice if FC2/3 updates could be released
with this fix included.


Comment 25 Charles R. Anderson 2005-01-20 20:52:57 UTC
Created attachment 110028 [details]
rpmio fix for bytesRemain updated multiple times in fdstat_exit

Comment 29 Dennis Gregorovic 2005-05-18 14:45:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-147.html