Bug 703648 - x509 certs can not have serial numbers larger than python int
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m2crypto
Version: 5.7
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: beta
Assignee: Miloslav Trmač
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 675214
 
Reported: 2011-05-10 23:27 UTC by Adrian Likins
Modified: 2011-07-21 11:23 UTC (History)

Fixed In Version: m2crypto-0.16-8.el5
Doc Type: Bug Fix
Doc Text:
Previously, calling the m2.asn1_INTEGER_get() function resulted in an incorrect numerical value for the serial number due to a data type mismatch. As a consequence, the subscription-manager application displayed an error message about the serial number being less than zero. Serial numbers are now handled correctly and no error message appears.
Clone Of:
Environment:
Last Closed: 2011-07-21 11:23:05 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:1058 | 0 | normal | SHIPPED_LIVE | m2crypto bug fix update | 2011-07-20 15:43:22 UTC

Description Adrian Likins 2011-05-10 23:27:58 UTC
Description of problem:

This is the upstream bug: 
https://bugzilla.osafoundation.org/show_bug.cgi?id=11693

Serial numbers larger than ints wrap around to negative. We
are seeing this with the products for subscription-manager
in RHEL5.

Version-Release number of selected component (if applicable):
m2crypto-0.17-1

How reproducible:
Any cert larger than int


Steps to Reproduce:

I'll attach an x509 cert that shows it. Add it to /etc/pki/product/
and run "subscription-manager list --available" and /var/log/rhsm/rhsm.log
will show errors about the serial number being < 0. 

upstream 0.19 or upstream svn r694 has the fix.

We tested a build of m2crypto-0.20 we had on RHEL5, and it fixes this problem. We have also never seen it on RHEL6.

Comment 2 Adrian Likins 2011-05-10 23:32:27 UTC
correction to above version, we are seeing this on 0.16-1, the version in rhel5.7.

Comment 3 Adrian Likins 2011-05-10 23:36:06 UTC
sigh, 0.16-1 that is.

Comment 4 Adrian Likins 2011-05-10 23:36:40 UTC
let's try one more time, 0.16-7

Comment 14 Eliska Slobodova 2011-06-24 14:26:04 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, calling the m2.asn1_INTEGER_get() function resulted in an incorrect numerical value for the serial number due to a data type mismatch. As a consequence, the subscription-manager application displayed an error message about the serial number being less than zero. Serial numbers are now handled correctly and no error message appears.
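
The serial-number wrap-around described in this report, modelled in Python as an added example (not code from m2crypto, subscription-manager or the bug report itself). It assumes the lossy path behaves like a signed 32-bit integer; the function names and the sample encodings are constructed for illustration. It also shows that an oversized serial can come back as a small positive number, so a "less than zero" check alone does not catch every misread serial.

```python
# Added illustration; not m2crypto or subscription-manager code.
# Assumption: the lossy path behaves like a signed 32-bit two's-complement integer.

def der_integer_content(der: bytes) -> bytes:
    """Content octets of a DER INTEGER (tag 0x02), short or long length form."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, offset = der[1], 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if length == 0 or offset + length != len(der):
        raise ValueError("truncated or trailing data")
    return der[offset:]


def serial_full(der: bytes) -> int:
    """Decode the serial at full precision (Python ints are unbounded)."""
    return int.from_bytes(der_integer_content(der), "big", signed=True)


def serial_fixed_width(der: bytes, bits: int = 32) -> int:
    """Model the lossy path: keep the low `bits` bits and read them as signed."""
    low = serial_full(der) & ((1 << bits) - 1)
    return low - (1 << bits) if low >> (bits - 1) else low


def misreported(serials: dict, bits: int = 32) -> dict:
    """Map name -> (true, reported) for serials the fixed-width path gets wrong."""
    out = {}
    for name, der in serials.items():
        true, seen = serial_full(der), serial_fixed_width(der, bits)
        if true != seen:
            out[name] = (true, seen)
    return out


# Constructed sample serialNumber encodings (not taken from the attached cert).
SAMPLES = {
    "small": bytes.fromhex("02021234"),                        # fits in 32 bits
    "wraps": bytes.fromhex("020500c0000001"),                  # 0xC0000001
    "long": bytes.fromhex("0209" + "7f" + "00" * 7 + "01"),    # 9 content octets
}

if __name__ == "__main__":
    for name, (true, seen) in misreported(SAMPLES).items():
        print(f"{name}: true={true} reported={seen}")
```
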

Comment 15 errata-xmlrpc 2011-07-21 11:23:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1058.html

