RPM libraries cause catastrophic failure of applications using NSS for PKI
Bug #1086465 reported by
Jeff Johnson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
RPM |
New
|
Undecided
|
Unassigned | ||
rpm (CentOS) |
Fix Released
|
High
|
Bug Description
The RPM library will initialize NSS without a database thus preventing any application linking against RPM from using NSS with a database, a catastrophic failure for the application because it will be unable to access PKI resources.
Changed in rpm (CentOS): | |
importance: | Unknown → High |
status: | Unknown → Fix Released |
To post a comment you must log in.
This problem showed up using the python binding to RPM but I suspect the problem is generic to any process linking to the RPM libraries.
The RPM library will initialize NSS without a database thus preventing any application linking against RPM from using NSS with a database, a catastrophic failure for the application because it will be unable to access PKI resources.
Here is a stack trace from a Python application in which the RPM module was loaded.
#1 0xb77b5200 in NSS_NoDB_Init (configdir= configdir@ entry=0x0) at nssinit.c:909 entry=0x0, target= target@ entry=0x0)
#2 0xb78f7477 in rpmInitCrypto () at rpmpgp.c:1642
#3 0xb7b26910 in rpmReadConfigFiles (file=file@
at rpmrc.c:1772
#4 0xb7fcee7c in initModule (m=<module at remote 0x80d3be4>) at rpmmodule.c:280
#5 init_rpm () at rpmmodule.c:264
As you can see rpmInitCrypto() calls NSS_NoDB_Init(). This happens before the application has the opportunity to initialize NSS with it's desired database. Once NSS has been initialized subsequent calls to initialize NSS are ignored. This causes catastrophic failure for the application because it is being denied access to it's PKI resources (because rpmInitCrypto declared PKI resources should be disabled)
The following document fully explains the issue and the solution:
https:/ /wiki.mozilla. org/NSS_ Library_ Init
In particular pay attention to Scenario 2, this is the issue at hand.
In essence it means calling NSS_InitContext() instead of NSS_NoDB_Init() and NSS_ShutdownCon text() instead of NSS_Shutdown().