Bug 872761
| Field | Value |
|---|---|
| Summary | Sporadic failure of 'certutil' to convert ASCII cert request to binary . . . |
| Product | Fedora |
| Reporter | Matthew Harmsen <mharmsen> |
| Component | nss |
| Assignee | Elio Maldonado Batiz <emaldona> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | unspecified |
| Version | 18 |
| CC | amarecek, emaldona, jcholast, kdudka, kengert, mkosek, rcritten, spoore |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | nss-3.14.3-2.fc17 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2013-04-25 14:16:24 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 953485 |
Description
Matthew Harmsen
2012-11-02 23:01:07 UTC
Hi, the bug is in function SECU_ReadDERFromFile. It reads the certificate file into a buffer and then passes the buffer unmodified to ATOB_ConvertAsciiToItem if the certificate file is ASCII without PEM header and trailer. ATOB_ConvertAsciiToItem uses PORT_Strlen to determine the length of the buffer, which is wrong in this case, because the buffer is not null-terminated. The buffer and the incorrect length are then passed to NSSBase64_DecodeBuffer, which in turn tries to decode characters past the end of the buffer, which causes the failure described in this bug.

We are hitting this issue again during our Fedora 19 Test Days (https://fedoraproject.org/wiki/Test_Day:2013-04-18). What are your plans on addressing it? Jan already provided an exact spot in the source code - this should help fixing it.

Thanks to Jan for pointing us to the issue. Somehow I had not seen it yet. Working on a patch now...

I've attached a patch to the upstream bug. Elio, once we have review upstream, we should submit updated packages of NSS for Fedora 18 + 19 (at least).

I've submitted a F19 scratch build with the patch applied. Could you please test it (will probably take 1-2 hours until the build is done)? http://koji.fedoraproject.org/koji/taskinfo?taskID=5270773 (It should be sufficient to install the nss-tools package only.)

fixed my issue. I'm no longer seeing the issue from bug 953485. Is there somewhere I can go give this karma to get it pushed through? Or is it just going to go through auto-magically? Thanks!

(In reply to comment #6)
> Is there somewhere I can go give this karma to get it pushed through?

Not yet. Waiting for upstream review, then we can do a regular build for Fedora, then you'll see an automatic comment appearing in this bug (about a package being ready for testing), then your karma will be appreciated. Thanks

As another data point, I'm still seeing the install failure with the test build.
certutil: could not decode certificate: security library: improperly formatted DER-encoded message.

Created attachment 737727 [details]
cert that demonstrates the problem

# rpm -q nss
nss-3.14.3-11.fc19.test.808217.1.x86_64
# certutil -N -d /tmp/db
# certutil -d /tmp/db -A -t u,u,u -n ipaCert -a -i /tmp/testcert
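The failure mode described in the first comment, reproduced in miniature as an added example (this is not NSS or certutil code, nor any of the patches from this bug): a length-aware base64 decoder is given either the real file length or a length obtained with strlen() on a buffer that was never NUL-terminated, with constructed bytes standing in for whatever happened to follow the file contents in memory. When those bytes are zeroes strlen() stops in the right place and decoding succeeds, which is why the bug looked sporadic; when they are not, the decoder sees garbage after the padding and reports a malformed input. Function names and the sample certificate bytes are hypothetical.

```c
/* Added example, not NSS code: a length-aware base64 decoder fed either the real
 * file length or a length from strlen() on a buffer that was never NUL-terminated,
 * with constructed "adjacent memory" after the file bytes. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>
/* Strict base64 decoder: never reads past inlen, rejects non-base64 bytes and
 * any data after '=' padding. Returns decoded length or -1. */
static int b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outcap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0, padded = 0; size_t n = 0;
    for (size_t i = 0; i < inlen; i++) {
        char c = in[i];
        if (c == '\n' || c == '\r') continue;            /* line breaks are fine */
        if (c == '=') { padded = 1; continue; }
        const char *p = c ? strchr(tbl, c) : NULL;
        if (!p || padded) return -1;                     /* garbage, or data after padding */
        acc = ((acc << 6) | (unsigned)(p - tbl)) & 0xffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}
/* Simulates SECU_ReadDERFromFile's situation: 'ascii' is the file content (no
 * NUL terminator), 'tail' is whatever constructed bytes follow it in memory.
 * use_strlen=1 mimics the bug (PORT_Strlen on a non-terminated buffer);
 * use_strlen=0 mimics the fix of carrying the real length through. */
static int decode_as_tool_did(const char *ascii, size_t asciilen, const char *tail, size_t taillen,
                              int use_strlen, unsigned char *out, size_t outcap) {
    char *buf = malloc(asciilen + taillen + 1);
    if (!buf) return -1;
    memcpy(buf, ascii, asciilen);
    memcpy(buf + asciilen, tail, taillen);
    buf[asciilen + taillen] = '\0';      /* keeps this demo itself in bounds */
    size_t len = use_strlen ? strlen(buf) : asciilen;
    int rc = b64_decode(buf, len, out, outcap);
    free(buf);
    return rc;
}
/* Constructed sample: base64 of DER bytes 30 03 02 01 05, no PEM header/trailer. */
static const char kAsciiCert[] = "MAMCAQU=\n";
#define kAsciiCertLen (sizeof(kAsciiCert) - 1)
```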
Thank you for the test case. I identified another bug in function SECITEM_ReallocItem... Another scratch build that fixes the second bug, too: http://koji.fedoraproject.org/koji/taskinfo?taskID=5278092

Created attachment 737769 [details]
Failing with build 2 as well

Attaching the latest cert
# rpm -q nss
nss-3.14.3-11.fc19.test.808217.2.x86_64
# certutil -d /tmp/db -A -t u,u,u -n ipaCert -a -i /tmp/testcert2
certutil: could not decode certificate: security library: improperly formatted DER-encoded message.

The previous scratch build didn't work, because my fix was in a shared library that is contained in the nss-util package - which I had forgotten to build for you. But in the meantime, Bob has asked for a different approach to fix the bug - which cannot be backported to NSS 3.14.3. So, for the short term, I will give you a workaround patch, where the fix is contained in the tool code, only. I've started another scratch build with that newer fix. http://koji.fedoraproject.org/koji/taskinfo?taskID=5278741 Again, it's only the nss and nss-tools package, but this time it should be sufficient. (For some reason I cannot reproduce the bug in my Fedora 19 VM, although I am able to reproduce on my primary F18 system. It probably depends on the dynamic contents of memory; it doesn't crash if your runtime memory happens to be fresh and initialized with zeroes...)

Using this build I was able to use certutil and the previous test certs standalone and do a full IPA installation as well.

nss-3.14.3-2.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/nss-3.14.3-2.fc18

nss-3.14.3-2.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/nss-3.14.3-2.fc17

nss-3.14.3-12.0.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/nss-3.14.3-12.0.fc19

(In reply to comment #14)
> Using this build I was able to use certutil and the previous test certs
> standalone and do a full IPA installation as well.

Great, thanks for testing Rob! Please give Karma to get the packages into the regular updates.

Package nss-3.14.3-12.0.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.14.3-12.0.fc19'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-6247/nss-3.14.3-12.0.fc19 then log in and leave karma (feedback).

nss-3.14.3-12.0.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

nss-3.14.3-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Once we submit NSS 3.15 packages (very soon), it would be great to get help from QA to re-test. The reason is, the patch used for 3.14 is different than the patch that has been accepted for the main line of 3.15 development. Thanks in advance.

nss-3.14.3-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.