Bug 2083581
Summary: capinfos aborts in FIPS

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 9 |
| Component | wireshark |
| Version | 9.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Target Milestone | rc |
| Keywords | AutoVerified, Patch, Reproducer, Triaged |
| Fixed In Version | wireshark-3.4.10-4.el9 |
| Reporter | Ondrej Moriš <omoris> |
| Assignee | Michal Ruprich <mruprich> |
| QA Contact | František Hrdina <fhrdina> |
| CC | fhrdina |
| Type | Bug |
| Last Closed | 2023-05-09 07:52:12 UTC |
| Bug Blocks | 2227004 |

Created attachment 1898725
Patch
Folks, I still see the aborts in RHEL-9.2.0-20230327.16:

    # rpm -q wireshark
    wireshark-3.4.10-4.el9.x86_64

    # fips-mode-setup --check
    FIPS mode is enabled.

    # tshark -nVxr segfault-pcap/fuzz-2010-05-02-27948.pcap >/dev/null
    Running as user "root" and group "root". This could be dangerous.
    (process:69782): packet-wireguard-WARNING **: 10:45:16.996: proto_register_wg: decryption will not be possible due to lack of algorithms support
    Ohhhh jeeee: gcry_md_open failed for algo 301: Invalid digest algorithmfatal error in libgcrypt, file misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
    Aborted (core dumped)

    # tshark -nVxr sample_captures/Obsolete_Packets.cap >/dev/null
    Running as user "root" and group "root". This could be dangerous.
    (process:69798): packet-wireguard-WARNING **: 10:45:43.863: proto_register_wg: decryption will not be possible due to lack of algorithms support
    Ohhhh jeeee: gcry_md_open failed for algo 301: Invalid digest algorithmfatal error in libgcrypt, file misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
    Aborted (core dumped)

    # tshark -nVxr sample_captures/smbtorture.cap.gz >/dev/null
    Running as user "root" and group "root". This could be dangerous.
    (process:69806): packet-wireguard-WARNING **: 10:46:04.948: proto_register_wg: decryption will not be possible due to lack of algorithms support
    Ohhhh jeeee: gcry_md_open failed for algo 301: Invalid digest algorithmfatal error in libgcrypt, file misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
    Aborted (core dumped)

    # tshark -nVxr segfault-pcap/fuzz-2010-05-02-27948.pcap >/dev/null
    Running as user "root" and group "root". This could be dangerous.
    (process:69814): packet-wireguard-WARNING **: 10:46:22.923: proto_register_wg: decryption will not be possible due to lack of algorithms support
    Ohhhh jeeee: gcry_md_open failed for algo 301: Invalid digest algorithmfatal error in libgcrypt, file misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
    Aborted (core dumped)

Is this a wireshark or libgcrypt issue?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: wireshark security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2373

After looking at this in a Fedora bug for this, it seems to me that there is not much to do with the last core dump. This one is actually a result of reading a packet capture with crypto that is not permitted by FIPS. Not sure if there is a mechanism to allow this particular case in RHEL?

The question is if segfault is the correct behavior in this case, is it? Shouldn't it fail gracefully when it cannot use FIPS-forbidden crypto?
Created attachment 1878294
Testing pcap

Description of problem:
When capinfos is used in FIPS mode, it aborts.

Version-Release number of selected component (if applicable):
wireshark-3.4.10-1.el9

How reproducible:
100% in FIPS

Steps to Reproduce:
1. Enable FIPS mode.
    # fips-mode-setup --enable && reboot
2. Use capinfos on attached pcap file:
    # capinfos ./testsetpackets.pcap ./testsetpackets.pcap

Actual results:

    fatal error in libgcrypt, file misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
    Fatal error: requested algo not in md context
    Aborted (core dumped)
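
For triaging runs like the ones quoted in this report, the following added example (not code from the report, Wireshark or libgcrypt) parses a tool's stderr and separates aborts raised by libgcrypt's fatal-error handler from other crashes. The `classify` function, its verdict labels and the `SEGV_RUN` sample are assumptions made for illustration; the digest names are taken from libgcrypt's `gcrypt.h`.

```python
import re

# A few digest ids from libgcrypt's gcrypt.h (enum gcry_md_algos); others print as numbers.
GCRY_MD_NAMES = {1: "MD5", 2: "SHA1", 3: "RMD160", 8: "SHA256", 301: "MD4"}

# In the output quoted in this report the gcry_md_open message runs straight into
# "fatal error in libgcrypt" with no newline ("...algorithmfatal error..."), so the
# reason text is cut at that marker or at the end of the line, whichever comes first.
OPEN_FAILED = re.compile(
    r"gcry_md_open failed for algo (\d+): (.*?)(?=fatal error in libgcrypt|$)", re.M)
FATAL = re.compile(
    r"fatal error in libgcrypt, file (\S+), line (\d+), function (\w+): (.*)")
OTHER_CRASH = re.compile(r"Segmentation fault|Aborted|core dumped")


def classify(stderr_text):
    """Return (verdict, detail) for the stderr of one tshark/capinfos run."""
    fatal = FATAL.search(stderr_text)
    if fatal:
        where = "%s:%s %s" % fatal.group(1, 2, 3)
        opened = OPEN_FAILED.search(stderr_text)
        if opened:
            algo = int(opened.group(1))
            name = GCRY_MD_NAMES.get(algo, "algo %d" % algo)
            return "libgcrypt-abort", "%s rejected (%s) at %s" % (
                name, opened.group(2).strip(), where)
        return "libgcrypt-abort", "%s at %s" % (fatal.group(4).strip(), where)
    if OTHER_CRASH.search(stderr_text):
        return "crash", "no libgcrypt fatal error in output"
    return "ok", ""


# Stderr copied from the runs quoted in this report.
TSHARK_RUN = (
    'Running as user "root" and group "root". This could be dangerous.\n'
    "Ohhhh jeeee: gcry_md_open failed for algo 301: Invalid digest algorithm"
    "fatal error in libgcrypt, file misc.c, line 146, function _gcry_logv: "
    "internal error (fatal or bug)\nAborted (core dumped)\n")
CAPINFOS_RUN = (
    "fatal error in libgcrypt, file misc.c, line 92, function _gcry_fatal_error: "
    "requested algo not in md context\n"
    "Fatal error: requested algo not in md context\nAborted (core dumped)\n")
# Constructed sample: a crash that carries no libgcrypt message.
SEGV_RUN = "Segmentation fault (core dumped)\n"

if __name__ == "__main__":
    for label, text in (("tshark", TSHARK_RUN), ("capinfos", CAPINFOS_RUN), ("other", SEGV_RUN)):
        print(label, *classify(text))
```

A "libgcrypt-abort" verdict marks a run where the library itself terminated the process, which is the case the comments above discuss; a "crash" verdict is left for separate investigation.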