Bug 138716 - (IT_53082) signature verification via http broken after upgrade from U1 to U2
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rpm
Version: 3.0
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Paul Nasrat
Duplicates: IT#51465, 144836
Blocks: 132991
Reported: 2004-11-10 15:39 EST by David Lehman
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-05-18 10:45:25 EDT

Attachments:
- strace of working rpm --nolibio -K (78.47 KB, text/plain), 2005-01-10 13:34 EST, Paul Nasrat
- strace of failing rpm -K (78.29 KB, text/plain), 2005-01-10 13:39 EST, Paul Nasrat
- Successful verification with rpm --rpmiodebug -Kv (18.66 KB, text/plain), 2005-01-12 11:10 EST, Steve Snodgrass
- Failed verification with rpm --rpmiodebug -Kv (16.45 KB, text/plain), 2005-01-12 11:12 EST, Steve Snodgrass
- Failed verification with rpm --rpmiodebug --nolibio -Kv (10.95 KB, text/plain), 2005-01-12 11:12 EST, Steve Snodgrass
- rpmio fix for bytesRemain updated multiple times in fdstat_exit (954 bytes, patch), 2005-01-20 15:52 EST, Charles R. Anderson

Description David Lehman 2004-11-10 15:39:33 EST
Description of problem:
Signature checking returns false negatives for some packages when queried via
HTTP. Backing out rpm and popt (to U1 revs) eliminates false positives.

Version-Release number of selected component (if applicable):
rpm-4.2.2-0.14

How reproducible:
Always

Steps to Reproduce:
1. Set up and start httpd on localhost (an RHEL3-U3 machine)
2. Place arptables_jf-0.0.7-0.3E.i386.rpm somewhere httpd will serve it
3. run 'rpm -Kv http://localhost/<path>/arptables_jf-0.0.7-0.3E.i386.rpm'
  
Actual results:
[root@hogwash root]# rpm -Kv http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)
    V3 DSA signature: BAD, key ID db42a60e
[root@hogwash root]#


Expected results:
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: OK (820cd9dc0cb93108029c3b1b2afa97d5)
    V3 DSA signature: OK, key ID db42a60e


Additional info:
Comment 2 Jeff Johnson 2004-11-11 18:39:03 EST
*** Bug 138901 has been marked as a duplicate of this bug. ***
Comment 9 Pancrazio `ezio' de Mauro 2005-01-10 11:26:25 EST
Same for me here: rpm -K sporadically says "NOT OK"; if I add --nolibio it seems
to always say "OK".

-- 
        ezio
Comment 10 Paul Nasrat 2005-01-10 13:34:35 EST
Created attachment 109570 [details]
strace of working rpm --nolibio -K

Note we read lead+sigh[96 + 16 + 328] hdr[16 +3984] store [84038]
Comment 11 Paul Nasrat 2005-01-10 13:39:12 EST
Created attachment 109571 [details]
strace of failing rpm -K

Note the short read on the store

[ 96 + 16 + 328 ] [ 16 + 3984 ] store [ 26886 ] 

If we read the rpm to the length we get the same actual MD5

rpm -Kv
http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm


MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)

dd if=arptables_jf-0.0.7-0.3E.i386.rpm of=bar bs=1 count=31326

rpm -Kv bar | grep MD5
MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)
Comment 12 Paul Nasrat 2005-01-10 14:11:30 EST
Note: fails with the same actual MD5 digest using ftp also; pursuing some suggestions
from jbj in fdReadable.
Comment 13 Paul Nasrat 2005-01-10 14:56:10 EST
From rpmiodebug

==>     fdRead(0x8567df8,0xb73df000,8192) rc 8192  clen 51462   | LIBIO
0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==>     fdRead(0x8567df8,0xb73df000,8192) rc 8192  clen 26886   | LIBIO
0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==>     fdRead(0x8567df8,0xb73df000,8192) rc 8192  clen 2310    | LIBIO
0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==>     fdRead(0x8567df8,0xb73df000,8192) rc 2310  clen 0       | LIBIO
0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048

Comment 15 Paul Nasrat 2005-01-11 15:52:43 EST
*** Bug 144836 has been marked as a duplicate of this bug. ***
Comment 16 Paul Nasrat 2005-01-11 19:53:38 EST
With the help of Jeff Johnson we've tracked this down and have a proposed fix. 
Target U5
Comment 17 Steve Snodgrass 2005-01-12 09:50:57 EST
FYI, the --nolibio workaround doesn't appear to me to have any effect
on the problem.  I'm not sure if this is significant to the proposed
fix or not.
Comment 18 Paul Nasrat 2005-01-12 10:16:57 EST
Steve, can you attach the stderr from both

rpm --rpmiodebug --nolibio -Kv http://URL/foo.rpm
rpm --rpmiodebug -Kv http://URL/foo.rpm
Comment 19 Steve Snodgrass 2005-01-12 11:10:24 EST
Created attachment 109671 [details]
Successful verification with rpm --rpmiodebug -Kv
Comment 20 Steve Snodgrass 2005-01-12 11:12:13 EST
Created attachment 109672 [details]
Failed verification with rpm --rpmiodebug -Kv
Comment 21 Steve Snodgrass 2005-01-12 11:12:56 EST
Created attachment 109673 [details]
Failed verification with rpm --rpmiodebug --nolibio -Kv
Comment 22 Paul Nasrat 2005-01-12 11:54:30 EST
I'm pretty sure the fix should work for both cases for you as it fixes the clen
decrementing incorrectly which you're seeing in your nolibio case too.
Comment 24 Charles R. Anderson 2005-01-20 15:17:11 EST
I ran into this same problem with rpm -qp ftp:// on FC2 and FC3.  Jeff
Johnson gave me a patch from CVS that fixes the problem for me on FC3
rpm-4.3.2-21.  It would be nice if FC2/3 updates could be released
with this fix included.
Comment 25 Charles R. Anderson 2005-01-20 15:52:57 EST
Created attachment 110028 [details]
rpmio fix for bytesRemain updated multiple times in fdstat_exit
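The accounting error described in comments 13, 22 and 25, as an added model that is not rpm's own code: a Content-Length counter (clen/bytesRemain) that is charged once per wrapped fd layer instead of once per read, so the store is cut short and its MD5 no longer matches. The 76038 starting value is derived from the comment-13 trace (51462 + 3 * 8192) and the payload bytes are constructed; no real package is read.

```python
import hashlib
import io

BUFSZ = 8192        # rpmio read size seen in the rpmiodebug trace (comment 13)
STORE_LEN = 84038   # size of the payload store in the working strace (comment 10)


def read_store(stream, clen, exits_per_read):
    """Read a Content-Length-bounded body the way a layered rpmio fd does.

    clen stands in for rpmio's bytesRemain.  Each successful read is charged
    to it exits_per_read times: once is the fixed behaviour; three times
    models fdstat_exit running in every wrapped fd layer, the repeated
    update the comment-25 patch removes.  Returns (data, clen trace).
    """
    out, trace = bytearray(), []
    while clen > 0:
        chunk = stream.read(min(BUFSZ, clen))  # never ask for more than clen
        if not chunk:
            break
        out += chunk
        clen = max(clen - exits_per_read * len(chunk), 0)
        trace.append(clen)
    return bytes(out), trace


def check_md5(payload, clen, exits_per_read):
    """Re-read payload under the given accounting and compare its MD5."""
    expected = hashlib.md5(payload).hexdigest()
    data, trace = read_store(io.BytesIO(payload), clen, exits_per_read)
    return {"ok": hashlib.md5(data).hexdigest() == expected,
            "read": len(data), "trace": trace}


# Constructed stand-in for the 84038-byte store; the real package is not needed.
PAYLOAD = bytes(i & 0xFF for i in range(STORE_LEN))

# Fixed accounting: the whole store is consumed and the digest matches.
FIXED = check_md5(PAYLOAD, STORE_LEN, 1)

# Buggy accounting.  Starting clen 76038 is derived from the comment-13 trace
# (51462 + 3 * 8192): the header reads before the store were already over-
# charged, so less than the true 84038 was left.  The result is the 26886-byte
# short store read of comment 11 (31326 - 4440 bytes of lead and headers).
BUGGY = check_md5(PAYLOAD, 76038, 3)

if __name__ == "__main__":
    print("fixed:", FIXED["read"], "bytes read, MD5", "OK" if FIXED["ok"] else "BAD")
    print("buggy:", BUGGY["read"], "bytes read, clen trace", BUGGY["trace"])
```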
Comment 29 Dennis Gregorovic 2005-05-18 10:45:25 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-147.html
