Description of problem: The compat-openssl10-pkcs11-helper package contains a patch (pkcs11-helper-rfc7512.patch) that makes the library understand RFC 7512 PKCS#11 URIs. The patch contains a potential off-by-one array bounds overwrite. In the most simple case this leads to a failure parsing a valid URI where the serial field contains a serial number with the maximum length of 16 characters. More severe cases can lead to security violations. The same bug has already been reported for the pkcs11-helper component, as bug #1516474. Version-Release number of selected component (if applicable): Discovered in compat-openssl10-pkcs11-helper-1.22-6.fc29. Still present in compat-openssl10-pkcs11-helper-1.22-7.fc30. How reproducible: Happens every time. Steps to Reproduce: 1. Install and configure gpgsm to use a PKCS #11 card through gnupg-pkcs11-scd. 2. Insert a card with a 16-character serial number. 3. Run gpgsm --learn-card Actual results: gpgsm fails with the following error message: "gpgsm: error learning card: Card error" Expected results: gpgsm succeeds. Additional info: The following error is logged: gnupg-pkcs11-scd[...]: PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
This bug is a symptom of the underlying problem of having a duplicate code base for the library. What is the background for having compat-openssl10-pkcs11-helper in addition to pkcs11-helper? If the compat lib can not easily be disposed of, wouldn't it be possible to change it to be a simple container for the pkcs11-helper library? (depending on that package and simply creating a symlink to the so file of that library?). Both compat-openssl10-pkcs11-helper and pkcs11-helper seems to use the same base code.
I don't recall which item needed it, but not all pkgs in kde/qt5 stack were ported to openssl-1.1.x (I *think* something telepathy-related). That has since been fixed as at least as of fedora 30. repoquery shows only one item, gnupg-pkcs11-scd-0:0.9.1-5.fc30.x86_64 Depending on it anymore. I will likely orphan this package for subsequent fedora releases.
compat-openssl10-pkcs11-helper-1.22-8.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1114631bfe
compat-openssl10-pkcs11-helper-1.22-8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce323ce9af
compat-openssl10-pkcs11-helper-1.22-8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1114631bfe
compat-openssl10-pkcs11-helper-1.22-8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce323ce9af
compat-openssl10-pkcs11-helper-1.22-8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
compat-openssl10-pkcs11-helper-1.22-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
I have tested the update on fc29 and can verify that the originally reported issue has disappeared (fixed).