Bug 1706779

Summary: Array bounds write violation
Product: [Fedora] Fedora Reporter: Zoltan Kelemen <misterzed88>
Component: compat-openssl10-pkcs11-helperAssignee: Rex Dieter <rdieter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29CC: rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: compat-openssl10-pkcs11-helper-1.22-8.fc30 compat-openssl10-pkcs11-helper-1.22-8.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-12 01:22:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Zoltan Kelemen 2019-05-06 09:57:49 UTC 
Description of problem:
The compat-openssl10-pkcs11-helper package contains a patch (pkcs11-helper-rfc7512.patch) that makes the library understand RFC 7512 PKCS#11 URIs. The patch contains a potential off-by-one array bounds overwrite.

In the most simple case this leads to a failure parsing a valid URI where the serial field contains a serial number with the maximum length of 16 characters. More severe cases can lead to security violations.

The same bug has already been reported for the pkcs11-helper component, as bug #1516474.

Version-Release number of selected component (if applicable):
Discovered in compat-openssl10-pkcs11-helper-1.22-6.fc29.
Still present in compat-openssl10-pkcs11-helper-1.22-7.fc30.

How reproducible:
Happens every time.

Steps to Reproduce:
1. Install and configure gpgsm to use a PKCS #11 card through gnupg-pkcs11-scd.
2. Insert a card with a 16-character serial number.
3. Run gpgsm --learn-card

Actual results:

gpgsm fails with the following error message:
"gpgsm: error learning card: Card error"

Expected results:

gpgsm succeeds.

Additional info:

The following error is logged:
gnupg-pkcs11-scd[...]: PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
Comment 1 Zoltan Kelemen 2019-05-06 10:04:24 UTC 
This bug is a symptom of the underlying problem of having a duplicate code base for the library. What is the background for having compat-openssl10-pkcs11-helper in addition to pkcs11-helper?

If the compat lib can not easily be disposed of, wouldn't it be possible to change it to be a simple container for the pkcs11-helper library? (depending on that package and simply creating a symlink to the so file of that library?). Both compat-openssl10-pkcs11-helper and pkcs11-helper seems to use the same base code.
Comment 2 Rex Dieter 2019-05-06 13:50:29 UTC 
I don't recall which item needed it, but not all pkgs in kde/qt5 stack were ported to openssl-1.1.x (I *think* something telepathy-related).  That has since been fixed as at least as of fedora 30.

repoquery shows only one item,
gnupg-pkcs11-scd-0:0.9.1-5.fc30.x86_64

Depending on it anymore.  I will likely orphan this package for subsequent fedora releases.
Comment 3 Fedora Update System 2019-05-06 14:55:38 UTC 
compat-openssl10-pkcs11-helper-1.22-8.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1114631bfe
Comment 4 Fedora Update System 2019-05-06 14:56:36 UTC 
compat-openssl10-pkcs11-helper-1.22-8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce323ce9af
Comment 5 Fedora Update System 2019-05-06 21:04:08 UTC 
compat-openssl10-pkcs11-helper-1.22-8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1114631bfe
Comment 6 Fedora Update System 2019-05-07 14:13:45 UTC 
compat-openssl10-pkcs11-helper-1.22-8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce323ce9af
Comment 7 Fedora Update System 2019-05-12 01:22:12 UTC 
compat-openssl10-pkcs11-helper-1.22-8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2019-05-15 03:33:12 UTC 
compat-openssl10-pkcs11-helper-1.22-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Zoltan Kelemen 2019-05-20 09:50:57 UTC 
I have tested the update on fc29 and can verify that the originally reported issue has disappeared (fixed).