871485 – RPM libraries cause catastrophic failure of applications using NSS for PKI

Bug 871485 - RPM libraries cause catastrophic failure of applications using NSS for PKI

Summary: RPM libraries cause catastrophic failure of applications using NSS for PKI

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rpm
Sub Component:
Version:	17
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Fedora Packaging Toolset Team
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-30 14:05 UTC by John Dennis
Modified:	2013-05-20 11:18 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-05-20 11:18:36 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description John Dennis 2012-10-30 14:05:10 UTC

This problem showed up using the python binding to RPM but I suspect the problem is generic to any process linking to the RPM libraries.

The RPM library will initialize NSS without a database thus preventing any application linking against RPM from using NSS with a database, a catastrophic failure for the application because it will be unable to access PKI resources.

Here is a stack trace from a Python application in which the RPM module was loaded.

#1  0xb77b5200 in NSS_NoDB_Init (configdir=configdir@entry=0x0) at nssinit.c:909
#2  0xb78f7477 in rpmInitCrypto () at rpmpgp.c:1642
#3  0xb7b26910 in rpmReadConfigFiles (file=file@entry=0x0, target=target@entry=0x0)
    at rpmrc.c:1772
#4  0xb7fcee7c in initModule (m=<module at remote 0x80d3be4>) at rpmmodule.c:280
#5  init_rpm () at rpmmodule.c:264

As you can see rpmInitCrypto() calls NSS_NoDB_Init(). This happens before the application has the opportunity to initialize NSS with it's desired database. Once NSS has been initialized subsequent calls to initialize NSS are ignored. This causes catastrophic failure for the application because it is being denied access to it's PKI resources (because rpmInitCrypto declared PKI resources should be disabled)

The following document fully explains the issue and the solution:

https://wiki.mozilla.org/NSS_Library_Init

In particular pay attention to Scenario 2, this is the issue at hand.

In essence it means calling NSS_InitContext() instead of NSS_NoDB_Init() and  NSS_ShutdownContext() instead of NSS_Shutdown().

Comment 1 Panu Matilainen 2012-10-30 15:29:34 UTC

Right, the NSS_*Context() variants didn't exist back when rpm switched to NSS crypto and I haven't been paying that much attention to what happens in that world except when somebody reports problems - this is the first time this particular issue has been reported.

Anyway, seems like a straightforward thing to fix and perhaps even make the NSS init/shutdown that little bit less painful to rpm.

Comment 2 Panu Matilainen 2012-10-31 07:52:10 UTC

Fixed upstream: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=5ecfdcea4e80e58f133ffddd69130ee8df28b2ac

Comment 3 Panu Matilainen 2012-11-16 12:42:52 UTC

This is supposed to be fixed in rawhide now (rpm >= 4.10.90), so if you have an easy way to reproduce it, testing wouldn't hurt.

Comment 4 Panu Matilainen 2013-05-20 11:18:36 UTC

This has been fixed in Fedora >= 18, backporting to F17 doesn't seem worth the trouble at this point.

Note You need to log in before you can comment on or make changes to this bug.