Red Hat Bugzilla – Full Text Bug Listing
|Summary:||pem module may attempt to free an uninitialized pointer|
|Product:||Red Hat Enterprise Linux 6||Reporter:||Elio Maldonado Batiz <emaldona>|
|Component:||nss||Assignee:||Elio Maldonado Batiz <emaldona>|
|Status:||CLOSED ERRATA||QA Contact:||BaseOS QE Security Team <qe-baseos-security>|
|Version:||6.3||CC:||amarecek, dapospis, emaldona, hkario, kdudka, kengert, nalin, rrelyea|
|Fixed In Version:||nss-3.13.3-6.el6||Doc Type:||Bug Fix|
No Documentation needed
|:||847462 (view as bug list)||Environment:|
|Last Closed:||2012-06-20 03:24:18 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||717338|
Description Elio Maldonado Batiz 2012-03-20 13:14:26 EDT
+++ This bug was initially created as a clone of Bug #717338 +++

Description of problem:
When my application attempts to load a private key file, it crashes in pem_CreateObject().

Version-Release number of selected component (if applicable):
nss-3.12.10-4.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. SECMOD_LoadUserModule(libnsspem.so)
2. PK11_CreateGenericObject(CKA_CLASS=CKO_PRIVATE_KEY,CKA_TOKEN=CK_TRUE)

Actual results:
pem_CreateObject() passes an uninitialized certDER.data to nss_ZFreeIf()

Additional info:
When I cut it down to the bare minimum to try to create a simpler reproducer, I don't get a crash any more, but valgrind at least still flags the errors.

--- Additional comment from firstname.lastname@example.org on 2011-06-28 11:24:30 EDT ---
Created attachment 510308 [details]
minimal attempt at a reproducer

--- Additional comment from email@example.com on 2011-06-28 11:59:56 EDT ---
Created attachment 510313 [details]
patch for NSS which fixes my application

--- Additional comment from firstname.lastname@example.org on 2011-09-12 12:09:05 EDT ---
Nalin, I'm picking up your patch. It will be applied with others I have in the queue. Thanks.
Comment 1 Elio Maldonado Batiz 2012-03-20 13:20:38 EDT
I was comparing the sources after all approved patches had been applied to RHEL 6.3 and Fedora and I noticed that we are missing this one. I recommend picking this up for RHEL 6.3.
Comment 3 Elio Maldonado Batiz 2012-03-20 15:26:55 EDT
Created attachment 571508 [details]
Initialize the pointer to NULL

This is Nalin's patch updated so it applies after all the other patches.
Comment 4 Bob Relyea 2012-03-20 18:24:07 EDT
Elio, can you attach a pointer to the full pobject.c? The given context is not enough to review the patch. Thanks.
Comment 5 Elio Maldonado Batiz 2012-03-20 19:19:01 EDT
Aha, looking at the bigger context I realized the patch needs a bit more work.
Comment 6 Elio Maldonado Batiz 2012-03-20 19:51:36 EDT
Created attachment 571565 [details] init pointer to NULL and also bail out if mem alloc fails
Comment 9 Elio Maldonado Batiz 2012-04-30 18:33:11 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No Documentation needed
Comment 10 Bob Relyea 2012-05-04 13:15:18 EDT
Comment on attachment 571565 [details]
init pointer to NULL and also bail out if mem alloc fails

r+ relyea
Comment 12 errata-xmlrpc 2012-06-20 03:24:18 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0973.html
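The bug class from the description and the two-part fix named in attachment 571565 (initialize the pointer to NULL, bail out if allocation fails), as an added illustration that is not the NSS patch or any code from this bug. The names `item_t`, `xalloc`, `free_if` and `create_object` are hypothetical stand-ins, and the control flow is a simplified model of a shared cleanup path, not pem_CreateObject() itself.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; not the NSS/pem module types or functions. */
typedef struct { unsigned char *data; size_t len; } item_t;
enum obj_class { OBJ_CERT, OBJ_PRIVATE_KEY };

static int fail_alloc;   /* test hook: make allocations fail */
static int frees;        /* counts real frees so cleanup can be observed */

static void *xalloc(size_t n) { return fail_alloc ? NULL : malloc(n); }

/* "Free if non-NULL" helper: stack garbage is non-NULL, so it would be freed. */
static void free_if(void *p) { if (p) { free(p); frees++; } }

/* Returns 0 on success, -1 on failure. */
int create_object(enum obj_class cls, const unsigned char *in, size_t len)
{
    /* Buggy form (modelled): `item_t der;` with der.data assigned only in
     * the certificate branch, so the shared cleanup below frees an
     * indeterminate pointer when a private key is created. */
    item_t der = { NULL, 0 };        /* fix 1: pointer starts as NULL */
    unsigned char *label = NULL;
    int rv = -1;

    label = xalloc(len + 1);
    if (label == NULL)
        goto done;                   /* fix 2: bail out if allocation fails */
    memcpy(label, in, len);
    label[len] = '\0';

    if (cls == OBJ_CERT) {           /* the only branch that fills der.data */
        der.data = xalloc(len);
        if (der.data == NULL)
            goto done;
        memcpy(der.data, in, len);
        der.len = len;
    }
    rv = 0;
done:
    free_if(label);
    free_if(der.data);               /* safe on every path: NULL or owned */
    return rv;
}
```

Building the unfixed variant with `-Wall -O2` or running it under valgrind, as the reporter did, flags the uninitialized use even when no crash occurs.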