Bug 703648 - x509 certs can not have serial numbers larger than python int
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m2crypto
Version: 5.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: beta
Assigned To: Miloslav Trmač
QA Contact: BaseOS QE Security Team
Blocks: 675214
Reported: 2011-05-10 19:27 EDT by Adrian Likins
Modified: 2011-07-21 07:23 EDT
Fixed In Version: m2crypto-0.16-8.el5
Doc Type: Bug Fix
Doc Text:
Previously, calling the m2.asn1_INTEGER_get() function resulted in an incorrect numerical value for the serial number due to a data type mismatch. As a consequence, the subscription-manager application displayed an error message about the serial number being less than zero. Serial numbers are now handled correctly and no error message appears.
Last Closed: 2011-07-21 07:23:05 EDT
Description Adrian Likins 2011-05-10 19:27:58 EDT
Description of problem:

This is the upstream bug: 
https://bugzilla.osafoundation.org/show_bug.cgi?id=11693

Serial numbers larger than an int wrap around to negative. We
are seeing this with the products for subscription-manager
in RHEL5.

Version-Release number of selected component (if applicable):
m2crypto-0.17-1

How reproducible:
Any cert larger than int


Steps to Reproduce:

I'll attach an x509 cert that shows it. Add it to /etc/pki/product/
and run "subscription-manager list --available" and /var/log/rhsm/rhsm.log
will show errors about the serial number being < 0. 

upstream 0.19 or upstream svn r694 has the fix.

We tested a build of m2crypto-0.20 we had on RHEL5, and it fixes this problem. We have also never seen it on RHEL6.
Comment 2 Adrian Likins 2011-05-10 19:32:27 EDT
correction to above version, we are seeing this on 0.16-1, the version in rhel5.7.
Comment 3 Adrian Likins 2011-05-10 19:36:06 EDT
sigh, 0.16-1 that is.
Comment 4 Adrian Likins 2011-05-10 19:36:40 EDT
let's try one more time, 0.16-7
Comment 14 Eliska Slobodova 2011-06-24 10:26:04 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, calling the m2.asn1_INTEGER_get() function resulted in an incorrect numerical value for the serial number due to a data type mismatch. As a consequence, the subscription-manager application displayed an error message about the serial number being less than zero. Serial numbers are now handled correctly and no error message appears.
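
The wraparound described in this report, as an added example that is not part of the original bug or of M2Crypto's code: it decodes a DER INTEGER serial at full precision and then models a read through a signed 32-bit int. The 32-bit width, the function names and the sample serials are assumptions constructed for illustration.

```python
# Added example, not M2Crypto code. Sample serials below are constructed.
import ctypes

def der_integer_content(der: bytes) -> bytes:
    """Return the content octets of a short-form DER INTEGER (tag 0x02)."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for a serial number")
    if length == 0 or len(der) != 2 + length:
        raise ValueError("truncated or trailing data")
    return der[2:]

def serial_full(der: bytes) -> int:
    """Decode at arbitrary precision (big-endian two's complement)."""
    return int.from_bytes(der_integer_content(der), "big", signed=True)

def serial_as_c_int(der: bytes) -> int:
    """Model a read through a signed 32-bit int (the width is an assumption)."""
    return ctypes.c_int32(serial_full(der) & 0xFFFFFFFF).value

def serial_is_mangled(der: bytes) -> bool:
    """True when the fixed-width read disagrees with the real serial."""
    return serial_as_c_int(der) != serial_full(der)

# Constructed DER INTEGER encodings of certificate serial numbers.
SAMPLES = {
    "small": bytes.fromhex("020204d2"),                    # 1234
    "just over INT_MAX": bytes.fromhex("02050080000005"),  # 2**31 + 5
    "UINT_MAX": bytes.fromhex("020500ffffffff"),           # 2**32 - 1
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:18} full={serial_full(der):>11} "
              f"c_int={serial_as_c_int(der):>12} mangled={serial_is_mangled(der)}")
```

RFC 5280 permits serial numbers of up to 20 octets, so any consumer has to treat them as arbitrary-precision integers.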
Comment 15 errata-xmlrpc 2011-07-21 07:23:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1058.html
