Bug 1444860

Summary: PKCS #11 slot leakage hampers unload of nss-pem
Product: Red Hat Enterprise Linux 7
Component: curl
Version: 7.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Kamil Dudka <kdudka>
Assignee: Kamil Dudka <kdudka>
QA Contact: Stefan Dordevic <sdordevi>
CC: kdudka, sdordevi
Target Milestone: rc
Target Release: ---
Keywords: Patch
Fixed In Version: curl-7.29.0-43.el7
Doc Type: No Doc Update
Clone Of:
: 1445392
Last Closed: 2018-04-10 11:45:43 UTC
Type: Bug
Bug Depends On:
Bug Blocks: 1465901
Attachments: [WIP] test-case patch (flags: none)

Description Kamil Dudka 2017-04-24 12:46:54 UTC
Description of problem:
The PKCS #11 slot object returned by SECMOD_WaitForAnyTokenEvent() is leaked, which later prevents nss-pem from being unloaded.


Version-Release number of selected component (if applicable):
curl-7.29.0-42.el7


Steps to Reproduce:
1. install nss-pem-1.0.3-2.el7
2. load a private key from file using libcurl


Actual results:
nss-pem fails to unload


Expected results:
nss-pem unloads properly


Additional info:
This bug was revealed by the following nss-pem commit:
https://github.com/kdudka/nss-pem/commit/eefef228

Unfortunately, reverting the commit would reintroduce the one second sleep after loading a private key, which is something we do not want to do?
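
The failure mode in the description, as an added example that is not code from curl, NSS or nss-pem: a call that waits for a token event hands the caller a new slot reference, and the owning module cannot unload until that reference is released. All names here (`wait_for_token_event`, `free_slot`, `unload_module`, the structs) are hypothetical stand-ins in a simplified reference-counting model; no NSS library is linked.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for a PKCS #11 slot and the module that owns it. */
struct slot { int refs; };
struct module { struct slot slot; bool loaded; };

/* Models a wait-for-token-event call: returns a NEW reference to the slot. */
static struct slot *wait_for_token_event(struct module *m)
{
    m->slot.refs++;
    return &m->slot;
}

/* Models releasing one slot reference. */
static void free_slot(struct slot *s)
{
    if (s && s->refs > 0)
        s->refs--;
}

/* Unload only succeeds once no slot reference is outstanding. */
static bool unload_module(struct module *m)
{
    if (m->slot.refs == 0)
        m->loaded = false;
    return !m->loaded;
}

/* Leaky caller: calls only to wait for the event, discards the reference. */
static bool load_key_leaky(struct module *m)
{
    (void)wait_for_token_event(m);
    return unload_module(m);
}

/* Fixed caller: releases the reference it was handed before unloading. */
static bool load_key_fixed(struct module *m)
{
    free_slot(wait_for_token_event(m));
    return unload_module(m);
}

int main(void)
{
    struct module a = { {0}, true }, b = { {0}, true };
    printf("leaky: unloaded=%d\n", load_key_leaky(&a));
    printf("fixed: unloaded=%d\n", load_key_fixed(&b));
    return 0;
}
```
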

Comment 2 Kamil Dudka 2017-04-25 12:17:12 UTC
upstream commit:

https://github.com/curl/curl/commit/curl-7_54_0-24-gc8ea86f

Comment 3 Kamil Dudka 2017-04-25 14:48:07 UTC
Removing the Regression keyword.  The bug is triggered by a change in nss-pem, so the change will be reverted.

Comment 8 Kamil Dudka 2017-09-13 08:12:53 UTC
This can be tested by the test for bug #1445384 with patched nss-pem (after reverting the revert).

Comment 14 Kamil Dudka 2018-02-09 11:43:15 UTC
Created attachment 1393709
[WIP] test-case patch

Please clone /CoreOS/curl/Regression/bz694294-curl-AND-nss-need-to-be-able-to-use-pem-files and apply the attached patch on top of it.

It fails with:
libcurl-7.29.0-42.el7
nss-pem-1.0.3-2.el7

... but passes with:
libcurl-7.29.0-46
nss-pem-1.0.3-2.el7

Comment 18 errata-xmlrpc 2018-04-10 11:45:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0732