Bug 1464293

Summary: libfaketime triggers openssl (libcrypto?) segfault in FIPS mode
Product: Fedora EPEL
Component: libfaketime
Version: epel7
Hardware: x86_64
OS: Linux
Type: Bug
Status: CLOSED EOL
Severity: medium
Priority: unspecified
Reporter: Travers Carter <tcarter>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: pwouters
Fixed In Version:
Last Closed: 2024-07-09 02:07:18 UTC

Description Travers Carter 2017-06-23 01:45:03 UTC
Description of problem:
Use of libfaketime with openssl triggers a segfault if the system is in FIPS mode. See
* [BUG] https://github.com/wolfcw/libfaketime/issues/93
* [BUG] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658
* [PATCH] https://github.com/wolfcw/libfaketime/commit/0bde083556e243e87bddaaf94e68f2ef85dad769


Version-Release number of selected component (if applicable):
libfaketime-0.9.6-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install hmaccalc fipscheck dracut-fips dracut-fips-aesni
2. rebuild initrd (dracut -f)
3. Boot the system with "fips=1" in the kernel boot arguments
4. Run "faketime -f '2017-01-01 00:00:00' openssl"


Actual results:
# faketime -f '2017-06-23 01:02:03' openssl ciphers
Caught Segmentation fault

Expected results:
faketime -f '2017-06-23 01:02:03' openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:KRB5-DES-CBC3-SHA

Additional info:
Not sure whether the initrd build is mandatory or just booting with fips=1 is sufficient.
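
An added check script for the reproduction above (example code, not part of the bug report or of the libfaketime project). It reads the kernel FIPS flag that "fips=1" sets, runs `openssl ciphers` once on its own as a control and once under `faketime`, and prints a label for how each run ended instead of a bare exit status, so a segfault (128 + SIGSEGV = 139) is distinguished from a missing binary or an ordinary failure. It assumes `faketime` and `openssl` are on PATH when run for real; the file name is illustrative.

```shell
#!/bin/bash
# Added example: check FIPS mode and classify the outcome of the
# "faketime ... openssl ciphers" reproduction. Assumes faketime and
# openssl are installed; nothing here is from the libfaketime project.

fips_enabled() {
  # True (0) when the kernel reports FIPS mode. This is the flag that
  # booting with fips=1 sets and that RHEL 7's libcrypto consults.
  [ -r /proc/sys/crypto/fips_enabled ] &&
    [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
}

describe_status() {
  # Map a shell exit status to a short label. A process killed by a
  # signal exits with 128 + signal number, so SIGSEGV (11) shows as 139.
  case "$1" in
    0)   echo ok ;;
    139) echo segfault ;;
    134) echo abort ;;
    127) echo command-not-found ;;
    *)   echo "exit-$1" ;;
  esac
}

run_and_classify() {
  # Run a command with its output discarded and print an outcome label.
  # Capturing the status via || keeps this safe under `set -e`.
  local status=0
  "$@" >/dev/null 2>&1 || status=$?
  describe_status "$status"
}

main() {
  local fake='2017-06-23 01:02:03'
  if fips_enabled; then echo "FIPS mode: on"; else echo "FIPS mode: off"; fi
  # Control run first: openssl alone must work before faketime is blamed.
  echo "openssl ciphers          : $(run_and_classify openssl ciphers)"
  echo "faketime openssl ciphers : $(run_and_classify faketime -f "$fake" openssl ciphers)"
}

# Invoke as: bash fips-faketime-check.sh run
if [ "${1:-}" = run ]; then main; fi
```

On a box booted with fips=1 and the affected libfaketime-0.9.6 package, the expected output is "FIPS mode: on", "ok" for the control run and "segfault" for the faketime run; "command-not-found" for either run means the reproduction never got as far as libcrypto.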

Comment 1 Paul Wouters 2017-06-23 02:44:10 UTC
Upstream is about to release 0.9.7, which includes that fix. So if this isn't super urgent, I'd prefer to wait and just go to 0.9.7, since there are quite a lot of fixes since 0.9.6.

Comment 2 Travers Carter 2017-06-23 03:13:52 UTC
Not super urgent from my perspective.

I'd love to see a fix within the next month or so, so if the next release is expected within the next few weeks it would absolutely make sense to just wait for that rather than cherry-picking the individual fix.

Comment 3 Troy Dawson 2024-07-09 02:07:18 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates.
As a result we are closing this bug.