1164340 – segfault when viewing a RHEL entitlement certificate in X509V3_EXT_get v3_lib.c:15

Bug 1164340 - segfault when viewing a RHEL entitlement certificate in X509V3_EXT_get v3_lib.c:15

Summary: segfault when viewing a RHEL entitlement certificate in X509V3_EXT_get v3_lib...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xca
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Patrick Monnerat
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-11-14 17:22 UTC by Adrian Likins
Modified:	2015-01-14 07:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:	xca-1.1.0-1.fc20
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-01-14 07:26:22 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
example rhel entitlement cert that crashes xca cert "show details" (2.44 KB, text/x-vhdl) 2014-11-14 17:47 UTC, Adrian Likins	no flags	Details
targz of 'dump db" output with cert that shows crash (1.19 KB, application/x-gzip) 2014-11-14 17:51 UTC, Adrian Likins	no flags	Details
View All

Description Adrian Likins 2014-11-14 17:22:11 UTC

Description of problem:

I imported a entitlement certificate from a RHEL system
(/etc/pki/entitlement/*.pem).

When trying to view the cert details from the certificate tab, I
got a segfault.

#0  X509V3_EXT_get (ext=ext@entry=0x0) at v3_lib.c:115
#1  0x0000003940525b92 in X509V3_EXT_print (out=0xd4b8c0, ext=0x0, flag=0, indent=0) at v3_prn.c:117
#2  0x000000000047b472 in x509v3ext::getValue (this=this@entry=0xd4a910, html=html@entry=true) at x509v3ext.cpp:103
#3  0x000000000047c92d in x509v3ext::getHtml (this=0xd4a910) at x509v3ext.cpp:737
#4  0x000000000047f000 in extList::getHtml (this=this@entry=0x7fffffffc5e0, sep=...) at x509v3ext.cpp:803
#5  0x00000000004cb0ca in CertDetail::setX509super (this=this@entry=0xcd7f00, x=x@entry=0xc25f20) at CertDetail.cpp:69
#6  0x00000000004cb366 in CertDetail::setCert (this=this@entry=0xcd7f00, cert=cert@entry=0xc25f20) at CertDetail.cpp:83
#7  0x000000000042c2ad in db_x509::showPki (this=0xc0fd60, pki=0xc25f20) at db_x509.cpp:590
#8  0x00000000004f8529 in MainWindow::on_certView_doubleClicked (this=this@entry=0x94fc70, m=...) at MW_database.cpp:453
#9  0x00000000004989ab in MainWindow::qt_static_metacall (_o=_o@entry=0x94fc70, _c=_c@entry=QMetaObject::InvokeMetaMethod, _id=_id@entry=29, _a=_a@entry=0x7fffffffca40)
    at moc_MainWindow.cpp:242
#10 0x0000000000498d13 in MainWindow::qt_metacall (this=0x94fc70, _c=QMetaObject::InvokeMetaMethod, _id=29, _a=0x7fffffffca40) at moc_MainWindow.cpp:313
#11 0x00000031d459b594 in QMetaObject::activate (sender=sender@entry=0x955a10, m=m@entry=0x38eaebcf20 <QAbstractItemView::staticMetaObject>, local_signal_index=local_signal_index@entry=2, 
    argv=argv@entry=0x7fffffffca40) at kernel/qobject.cpp:3597
#12 0x00000038ea8e7275 in QAbstractItemView::doubleClicked (this=this@entry=0x955a10, _t1=...) at .moc/release-shared/moc_qabstractitemview.cpp:354
#13 0x00000038ea92fcb3 in QTreeView::mouseDoubleClickEvent (this=0x955a10, event=0x7fffffffd220) at itemviews/qtreeview.cpp:1867
#14 0x00000038ea41dcaf in QWidget::event (this=this@entry=0x955a10, event=event@entry=0x7fffffffd220) at kernel/qwidget.cpp:8393
#15 0x00000038ea7d444e in QFrame::event (this=0x955a10, e=0x7fffffffd220) at widgets/qframe.cpp:557
#16 0x00000038ea8f0ca3 in QAbstractItemView::viewportEvent (this=this@entry=0x955a10, event=event@entry=0x7fffffffd220) at itemviews/qabstractitemview.cpp:1644
#17 0x00000038ea931b90 in QTreeView::viewportEvent (this=0x955a10, event=0x7fffffffd220) at itemviews/qtreeview.cpp:1252
#18 0x00000031d4586a66 in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=<optimized out>, receiver=0x97b030, event=0x7fffffffd220) at kernel/qcoreapplication.cpp:1063
#19 0x00000038ea3cae3c in QApplicationPrivate::notify_helper (this=0x779520, receiver=0x97b030, e=0x7fffffffd220) at kernel/qapplication.cpp:4561
#20 0x00000038ea3d18f1 in QApplication::notify (this=<optimized out>, receiver=0x97b030, e=0x7fffffffd220) at kernel/qapplication.cpp:4108
#21 0x00000031d45868fd in QCoreApplication::notifyInternal (this=0x7fffffffd9e0, receiver=0x97b030, event=0x7fffffffd220) at kernel/qcoreapplication.cpp:953
#22 0x00000038ea3d1067 in QApplicationPrivate::sendMouseEvent (receiver=0x97b030, event=0x7fffffffd220, alienWidget=0x97b030, nativeWidget=0x94fc70, buttonDown=<optimized out>, 
    lastMouseReceiver=..., spontaneous=true) at ../../src/corelib/kernel/qcoreapplication.h:231
#23 0x00000038ea44663b in QETWidget::translateMouseEvent (this=0x94fc70, event=<optimized out>) at kernel/qapplication_x11.cpp:4540
#24 0x00000038ea4450ac in QApplication::x11ProcessEvent (this=0x7fffffffd9e0, event=event@entry=0x7fffffffd590) at kernel/qapplication_x11.cpp:3663
#25 0x00000038ea46cac4 in x11EventSourceDispatch (s=0x77beb0, callback=0x0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:148
#26 0x00000031c9c492a6 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#27 0x00000031c9c49628 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
#28 0x00000031c9c496dc in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#29 0x00000031d45b541e in QEventDispatcherGlib::processEvents (this=0x77a970, flags=...) at kernel/qeventdispatcher_glib.cpp:450
#30 0x00000038ea46cc46 in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:207
#31 0x00000031d458538f in QEventLoop::processEvents (this=this@entry=0x7fffffffd980, flags=...) at kernel/qeventloop.cpp:149
#32 0x00000031d45856dd in QEventLoop::exec (this=this@entry=0x7fffffffd980, flags=...) at kernel/qeventloop.cpp:204
#33 0x00000031d458ada9 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1225
#34 0x00000038ea3c94dc in QApplication::exec () at kernel/qapplication.cpp:3823
#35 0x00000000004221eb in main (argc=1, argv=<optimized out>) at main.cpp:86


Version-Release number of selected component (if applicable):
[~]$ rpm -q xca qt openssl glibc 
xca-1.0.0-1.fc20.x86_64
qt-4.8.6-10.fc20.x86_64
openssl-1.0.1e-40.fc20.x86_64
glibc-2.18-16.fc20.x86_64


How reproducible:
Always with that cert. 


I'll see if I can reproduce with a sharable entitlement certificate, but a few things to note about that cert. It's a client cert, it's big (~55k), there is a big blob at the 1.3.6.1.4.1.2312.9.7 ext).

Comment 1 Adrian Likins 2014-11-14 17:46:46 UTC

another stack trace, I'll attach the cert/db

(gdb) where
#0  X509V3_EXT_get (ext=ext@entry=0x0) at v3_lib.c:115
#1  0x0000003940525b92 in X509V3_EXT_print (out=0xd66400, ext=0x0, flag=0, indent=0) at v3_prn.c:117
#2  0x000000000047b472 in x509v3ext::getValue (this=this@entry=0xd63f20, html=html@entry=true) at x509v3ext.cpp:103
#3  0x000000000047c92d in x509v3ext::getHtml (this=0xd63f20) at x509v3ext.cpp:737
#4  0x000000000047f000 in extList::getHtml (this=this@entry=0x7fffffffc840, sep=...) at x509v3ext.cpp:803
#5  0x00000000004cb0ca in CertDetail::setX509super (this=this@entry=0xcd8430, x=x@entry=0x9a0310) at CertDetail.cpp:69
#6  0x00000000004cb366 in CertDetail::setCert (this=this@entry=0xcd8430, cert=cert@entry=0x9a0310) at CertDetail.cpp:83
#7  0x000000000042c2ad in db_x509::showPki (this=0xbfa3f0, pki=0x9a0310) at db_x509.cpp:590
#8  0x0000000000440c1e in db_base::showSelectedItems (this=0xbfa3f0, view=<optimized out>) at db_base.cpp:325
#9  0x00000000004f878b in MainWindow::on_BNdetailsCert_clicked (this=this@entry=0x94fbf0) at MW_database.cpp:515
#10 0x0000000000498aad in MainWindow::qt_static_metacall (_o=_o@entry=0x94fbf0, _c=_c@entry=QMetaObject::InvokeMetaMethod, _id=_id@entry=45, _a=_a@entry=0x7fffffffccf0)
    at moc_MainWindow.cpp:258
#11 0x0000000000498d13 in MainWindow::qt_metacall (this=0x94fbf0, _c=QMetaObject::InvokeMetaMethod, _id=45, _a=0x7fffffffccf0) at moc_MainWindow.cpp:313
#12 0x00000031d459b594 in QMetaObject::activate (sender=sender@entry=0x95cf30, m=m@entry=0x38eaecabc0 <QAbstractButton::staticMetaObject>, local_signal_index=local_signal_index@entry=2, 
    argv=argv@entry=0x7fffffffccf0) at kernel/qobject.cpp:3597
#13 0x00000038eaa4d6d2 in QAbstractButton::clicked (this=this@entry=0x95cf30, _t1=false) at .moc/release-shared/moc_qabstractbutton.cpp:219
#14 0x00000038ea790d73 in QAbstractButtonPrivate::emitClicked (this=this@entry=0x962440) at widgets/qabstractbutton.cpp:548
#15 0x00000038ea792127 in QAbstractButtonPrivate::click (this=this@entry=0x962440) at widgets/qabstractbutton.cpp:541
#16 0x00000038ea79222c in QAbstractButton::mouseReleaseEvent (this=0x95cf30, e=0x7fffffffd210) at widgets/qabstractbutton.cpp:1123
#17 0x00000038ea41dcc8 in QWidget::event (this=0x95cf30, event=0x7fffffffd210) at kernel/qwidget.cpp:8389
#18 0x00000038ea3cae5c in QApplicationPrivate::notify_helper (this=0x779520, receiver=0x95cf30, e=0x7fffffffd210) at kernel/qapplication.cpp:4565
#19 0x00000038ea3d18f1 in QApplication::notify (this=<optimized out>, receiver=0x95cf30, e=0x7fffffffd210) at kernel/qapplication.cpp:4108
#20 0x00000031d45868fd in QCoreApplication::notifyInternal (this=0x7fffffffd9d0, receiver=0x95cf30, event=0x7fffffffd210) at kernel/qcoreapplication.cpp:953
#21 0x00000038ea3d1067 in QApplicationPrivate::sendMouseEvent (receiver=0x95cf30, event=0x7fffffffd210, alienWidget=0x95cf30, nativeWidget=0x94fbf0, buttonDown=<optimized out>, 
    lastMouseReceiver=..., spontaneous=true) at ../../src/corelib/kernel/qcoreapplication.h:231
#22 0x00000038ea44663b in QETWidget::translateMouseEvent (this=0x94fbf0, event=<optimized out>) at kernel/qapplication_x11.cpp:4540
#23 0x00000038ea4450ac in QApplication::x11ProcessEvent (this=0x7fffffffd9d0, event=event@entry=0x7fffffffd580) at kernel/qapplication_x11.cpp:3663
#24 0x00000038ea46cac4 in x11EventSourceDispatch (s=0x77beb0, callback=0x0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:148
#25 0x00000031c9c492a6 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#26 0x00000031c9c49628 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
#27 0x00000031c9c496dc in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#28 0x00000031d45b541e in QEventDispatcherGlib::processEvents (this=0x77a970, flags=...) at kernel/qeventdispatcher_glib.cpp:450
#29 0x00000038ea46cc46 in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:207
#30 0x00000031d458538f in QEventLoop::processEvents (this=this@entry=0x7fffffffd970, flags=...) at kernel/qeventloop.cpp:149
#31 0x00000031d45856dd in QEventLoop::exec (this=this@entry=0x7fffffffd970, flags=...) at kernel/qeventloop.cpp:204
#32 0x00000031d458ada9 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1225
#33 0x00000038ea3c94dc in QApplication::exec () at kernel/qapplication.cpp:3823
#34 0x00000000004221eb in main (argc=1, argv=<optimized out>) at main.cpp:86
(gdb) quit
A debugging session is active.

	Inferior 1 [process 8479] will be killed.

Quit anyway? (y or n) n
Not confirmed.
(gdb) up
#1  0x0000003940525b92 in X509V3_EXT_print (out=0xd66400, ext=0x0, flag=0, indent=0) at v3_prn.c:117
117		if(!(method = X509V3_EXT_get(ext)))
(gdb) up
#2  0x000000000047b472 in x509v3ext::getValue (this=this@entry=0xd63f20, html=html@entry=true) at x509v3ext.cpp:103
103		ret = X509V3_EXT_print(bio, ext, X509V3_EXT_DEFAULT, 0);
(gdb) info locals
text = {static null = {<No data fields>}, static shared_null = {ref = {_q_value = 1}, alloc = 0, size = 0, data = 0x76c1da <QString::shared_null+26>, clean = 0, simpletext = 0, 
    righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, static shared_empty = {ref = {_q_value = 67}, alloc = 0, size = 0, 
    data = 0x31d48ec8fa <QString::shared_empty+26>, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, 
  d = 0x31d48ec8e0 <QString::shared_empty>, static codecForCStrings = 0x0}
ret = <optimized out>
p = 0x0
bio = 0xd66400
(gdb) up
#3  0x000000000047c92d in x509v3ext::getHtml (this=0xd63f20) at x509v3ext.cpp:737
737		html += ":</u></b><br><tt>" + getValue(true) + "</tt>";
(gdb) info locals
html = {static null = {<No data fields>}, static shared_null = {ref = {_q_value = 1}, alloc = 0, size = 0, data = 0x76c1da <QString::shared_null+26>, clean = 0, simpletext = 0, 
    righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, static shared_empty = {ref = {_q_value = 67}, alloc = 0, size = 0, 
    data = 0x31d48ec8fa <QString::shared_empty+26>, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, d = 0xd64a90, 
  static codecForCStrings = 0x0}
(gdb) p data
$1 = (struct here_cg_arc_record *) 0x0

Comment 2 Adrian Likins 2014-11-14 17:47:45 UTC

Created attachment 957689 [details]
example rhel entitlement cert that crashes xca cert "show details"

Comment 3 Adrian Likins 2014-11-14 17:51:19 UTC

Created attachment 957690 [details]
targz of 'dump db" output with cert that shows crash

Comment 4 Patrick Monnerat 2014-11-17 14:31:47 UTC

Confirmed.
Segfaults when trying to print a non-standard extension (2 of them in this certificate).
Working with upstream for a fix.
Thanks for reporting.

Comment 5 Fedora Update System 2014-11-17 16:59:09 UTC

xca-1.0.0-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xca-1.0.0-2.fc20

Comment 6 Fedora Update System 2014-11-17 16:59:19 UTC

xca-1.0.0-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/xca-1.0.0-2.fc21

Comment 7 Fedora Update System 2014-11-18 12:11:45 UTC

Package xca-1.0.0-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xca-1.0.0-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15260/xca-1.0.0-2.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-11-24 14:51:39 UTC

xca-1.1.0-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xca-1.1.0-1.fc20

Comment 9 Fedora Update System 2014-11-24 14:51:46 UTC

xca-1.1.0-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/xca-1.1.0-1.fc21

Comment 10 Fedora Update System 2015-01-14 07:26:22 UTC

xca-1.1.0-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-01-14 07:28:58 UTC

xca-1.1.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.