Bug 703648

Summary: x509 certs cannot have serial numbers larger than python int
Product: Red Hat Enterprise Linux 5
Reporter: Adrian Likins <alikins>
Component: m2crypto
Assignee: Miloslav Trmač <mitr>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: urgent
Version: 5.7
CC: cduryee, jrieden
Target Milestone: beta
Fixed In Version: m2crypto-0.16-8.el5
Doc Type: Bug Fix
Doc Text:
Previously, calling the m2.asn1_integer_get() function resulted in an incorrect numerical value for the serial number due to a data type mismatch. As a consequence, the subscription-manager application displayed an error message about the serial number being less than zero. Serial numbers are now handled correctly and no error message appears.
Last Closed: 2011-07-21 11:23:05 UTC
Bug Blocks: 675214

Description Adrian Likins 2011-05-10 23:27:58 UTC
Description of problem:

This is the upstream bug: 
https://bugzilla.osafoundation.org/show_bug.cgi?id=11693

Serial numbers larger than an int wrap around to negative. We
are seeing this with the products for subscription-manager
in RHEL5.
Version-Release number of selected component (if applicable):
m2crypto-0.17-1

How reproducible:
Any cert with a serial number larger than an int.


Steps to Reproduce:

I'll attach an x509 cert that shows it. Add it to /etc/pki/product/
and run "subscription-manager list --available"; /var/log/rhsm/rhsm.log
will show errors about the serial number being < 0.

Upstream 0.19, or upstream svn r694, has the fix.

We tested a build of m2crypto-0.20 we had on RHEL5, and it fixes this problem. We have also never seen it on RHEL6.
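As an added example, not code from this bug report or from M2Crypto, the following Python decodes a serial number directly from its DER INTEGER encoding into a Python int (which has no width limit) and models what happens when the same value is forced through a signed C integer, which is the wrap-around to a negative serial described above. The 20-octet serial is constructed for the example, the function names are hypothetical, and the truncation model is an assumption: the real OpenSSL/M2Crypto path may behave differently at the boundary.

```python
# Added example, not code from the bug report or from M2Crypto: decode an
# X.509 serial number straight from its DER INTEGER encoding with Python's
# arbitrary-precision int, and model the wrap-around the report describes.
# The 20-octet serial below is constructed for illustration.


def der_integer_value(der):
    """Decode a DER INTEGER (tag 0x02) into a Python int.

    DER INTEGERs are big-endian two's complement: a positive value whose
    top bit is set carries a leading 0x00 octet. RFC 5280 caps serial
    numbers at 20 octets, which is wider than any C integer type.
    """
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    offset = 2
    if length & 0x80:                      # long-form length: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7F
        length = int.from_bytes(der[offset:offset + n], "big")
        offset += n
    body = der[offset:offset + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(body, "big", signed=True)


def serial_from_der(der):
    """Serial number as a Python int; RFC 5280 requires a positive value."""
    value = der_integer_value(der)
    if value <= 0:
        raise ValueError("serial number must be positive")
    return value


def c_long_truncate(value, bits):
    """Model assigning an arbitrary-precision serial to a signed C integer
    of `bits` width: keep the low bits and reinterpret as two's complement.

    Assumption: this models the data-type mismatch the report describes;
    the exact behaviour of the real C path depends on the OpenSSL version.
    """
    mask = (1 << bits) - 1
    low = value & mask
    return low - (1 << bits) if low & (1 << (bits - 1)) else low


def serial_looks_truncated(serial):
    """The check subscription-manager's log was effectively making:
    a non-positive serial can only come from a broken decode."""
    return serial <= 0


# Constructed 20-octet serial: 0x00 pad + 0xdeadbeef x4 + 0xffffff.
DER_SERIAL = bytes.fromhex("0214" + "00" + "deadbeef" * 4 + "ffffff")

if __name__ == "__main__":
    full = serial_from_der(DER_SERIAL)
    print("decoded serial:", hex(full))
    for bits in (32, 64):
        wrapped = c_long_truncate(full, bits)
        print("%d-bit C long: %d (truncated? %s)"
              % (bits, wrapped, serial_looks_truncated(wrapped)))
```

Running it prints the full serial and then the values that survive a 32-bit and a 64-bit signed C integer; both are negative, which is the "serial number < 0" that rhsm.log reported. A positive-value check after any serial read through a C binding is a cheap guard against this class of mismatch.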

Comment 2 Adrian Likins 2011-05-10 23:32:27 UTC
Correction to the version above: we are seeing this on 0.16-1, the version in RHEL 5.7.

Comment 3 Adrian Likins 2011-05-10 23:36:06 UTC
Sigh, 0.16-1 that is.

Comment 4 Adrian Likins 2011-05-10 23:36:40 UTC
Let's try one more time: 0.16-7.

Comment 14 Eliska Slobodova 2011-06-24 14:26:04 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, calling the m2.asn1_integer_get() function resulted in an incorrect numerical value for the serial number due to a data type mismatch. As a consequence, the subscription-manager application displayed an error message about the serial number being less than zero. Serial numbers are now handled correctly and no error message appears.

Comment 15 errata-xmlrpc 2011-07-21 11:23:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1058.html