RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1971533 - MD5 HMAC computation should not cause glib to segfault in FIPS mode
Summary: MD5 HMAC computation should not cause glib to segfault in FIPS mode
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: glib2
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: ---
Assignee: Michael Catanzaro
QA Contact: Tomas Pelka
Depends On:
Blocks: 1938011 1971823
TreeView+ depends on / blocked
Reported: 2021-06-14 09:49 UTC by Milan Crha
Modified: 2022-07-17 18:36 UTC (History)
2 users (show)

Fixed In Version: glib2-2.56.4-156.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1971823 (view as bug list)
Last Closed: 2021-11-09 19:35:29 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4385 0 None None None 2021-11-09 19:35:52 UTC

Description Milan Crha 2021-06-14 09:49:11 UTC
This kinda blocks bug #1938011.

When the FIPS mode is enabled and the non-glib code needs an MD5 checksum, the glib2 aborts in the gnutls code, because MD5 is disabled by the crypto-policies:

Thread 14 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8b7fe700 (LWP 7298)]
gnutls_hmac (handle=0x0, ptext=0x7fff7c01ee70, ptext_len=26)
    at crypto-api.c:408
408		return _gnutls_mac((mac_hd_st *) handle, ptext, ptext_len);
#0  gnutls_hmac (handle=0x0, ptext=0x7fff7c01ee70, ptext_len=26)
    at crypto-api.c:408
#1  0x00007ffff5bbfde9 in g_hmac_update (hmac=hmac@entry=0x5555559a5d40, 
    data=data@entry=0x7fff7c01ee70 "J", length=length@entry=26)
    at ghmac-gnutls.c:128
#2  0x00007ffff5bbffbb in g_compute_hmac_for_data (
    digest_type=<optimized out>, key=<optimized out>, key_len=<optimized out>, 
    data=0x7fff7c01ee70 "J", length=26) at ghmac-utils.c:70
#3  0x00007ffff2257ff9 in calc_hmac_md5 () from /lib64/libsoup-2.4.so.1
#4  0x00007ffff2259355 in soup_auth_ntlm_get_connection_authorization ()
   from /lib64/libsoup-2.4.so.1
#5  0x00007ffff225cfe4 in update_authorization_header ()
   from /lib64/libsoup-2.4.so.1

The current upstream version of the glib2 does not use GnuTLS anymore, but the one in RHEL 8 does use it. It would be good to not use GnuTLS for MD5 checkum computation.

Comment 1 Michael Catanzaro 2021-06-14 14:00:36 UTC
(In reply to Milan Crha from comment #0)
> The current upstream version of the glib2 does not use GnuTLS anymore, but
> the one in RHEL 8 does use it. It would be good to not use GnuTLS for MD5
> checkum computation.

Our downstream glib uses GnuTLS specifically because it's required for FIPS compliance. Upstream has never used GnuTLS. We have to either get our patch upstream somehow, or carry it downstream forever. See bug #1630260.

That said, GLib should not crash like this. It should crash with g_error() instead. I can refresh the patch to make that happen.

As for NTLMv2, let's discuss that in bug #1938011.

Comment 2 Michael Catanzaro 2021-06-14 14:13:21 UTC
BTW GLib should be able to do MD5 checksums, via GChecksum with G_CHECKSUM_MD5, just fine regardless. Your code isn't just doing a checksum, it's doing HMAC, using GHmac. The HMAC is what triggers the RHEL crypto policy. So to be clear:

 * GChecksum: expected to succeed even if MD5 is disabled in system crypto policy. MD5 checksums should still work.
 * GHmac: expected to fail if MD5 is disabled in system crypto policy. Software that needs this is required to break.

At least, I think that's the desired behavior.

Comment 3 Milan Crha 2021-06-14 14:15:27 UTC
Aha, it's a downstream patch. I thought it had been changed upstream long ago, because the RHEL 8.3 glib2 version is rather old. I didn't search for the custom/downstream patches at all.

Comment 4 Michael Catanzaro 2021-06-23 15:42:28 UTC
I added a test for this to glib's testsuite, so if our CI runs that, then it now has test coverage.

Comment 11 Michael Catanzaro 2021-07-01 14:40:19 UTC
Daiki found an error in my code. Moving back to ASSIGNED so I can fix this.

Comment 13 Michael Catanzaro 2021-07-01 21:34:18 UTC
I accidentally built revision -156 instead of -15.

It's annoying, but since it's higher than -15, I think we can live with it.

Comment 16 errata-xmlrpc 2021-11-09 19:35:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: glib2 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.