2020-06-29 13:06:15 |
Dariusz Gadomski |
bug |
|
|
added bug |
2020-06-29 13:06:24 |
Dariusz Gadomski |
nominated for series |
|
Ubuntu Xenial |
|
2020-06-29 13:06:24 |
Dariusz Gadomski |
bug task added |
|
nss (Ubuntu Xenial) |
|
2020-06-29 13:06:24 |
Dariusz Gadomski |
nominated for series |
|
Ubuntu Bionic |
|
2020-06-29 13:06:24 |
Dariusz Gadomski |
bug task added |
|
nss (Ubuntu Bionic) |
|
2020-06-29 13:08:49 |
Dariusz Gadomski |
bug task deleted |
nss (Ubuntu Xenial) |
|
|
2020-06-29 13:09:18 |
Dariusz Gadomski |
description |
When in FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
When in FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
|
2020-06-29 13:45:10 |
Dariusz Gadomski |
summary |
freebl_fipsSoftwareIntegrityTest fails in FIPS mode |
[fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode |
|
2020-06-29 13:45:13 |
Dariusz Gadomski |
tags |
|
sts |
|
2020-06-29 14:14:21 |
Dariusz Gadomski |
description |
When in FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
In FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
|
2020-06-29 14:14:22 |
Dariusz Gadomski |
nss (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2020-06-29 14:14:25 |
Dariusz Gadomski |
nss (Ubuntu): importance |
Undecided |
Medium |
|
2020-06-30 13:35:23 |
Eduardo Barretto |
bug |
|
|
added subscriber Joy Latten |
2020-06-30 13:35:34 |
Eduardo Barretto |
bug |
|
|
added subscriber Richard Maciel Costa |
2020-07-01 11:41:23 |
Dariusz Gadomski |
description |
In FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
In FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is done for *.so).
Solution C:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
|
2020-07-01 14:32:20 |
Richard Maciel Costa |
nss (Ubuntu): assignee |
|
Richard Maciel Costa (richardmaciel) |
|
2020-07-01 14:32:23 |
Richard Maciel Costa |
nss (Ubuntu Bionic): assignee |
|
Richard Maciel Costa (richardmaciel) |
|
2020-07-01 14:39:02 |
Dariusz Gadomski |
attachment added |
|
groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff |
|
2020-07-01 14:39:32 |
Dariusz Gadomski |
attachment added |
|
focal.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff |
|
2020-07-01 14:39:53 |
Dariusz Gadomski |
attachment added |
|
bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388753/+files/bionic.debdiff |
|
2020-07-01 14:40:18 |
Dariusz Gadomski |
attachment removed |
bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388753/+files/bionic.debdiff |
|
|
2020-07-01 14:40:38 |
Dariusz Gadomski |
attachment removed |
focal.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff |
|
|
2020-07-01 14:40:47 |
Dariusz Gadomski |
attachment removed |
groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff |
|
|
2020-07-01 14:41:24 |
Dariusz Gadomski |
attachment added |
|
groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388754/+files/groovy.debdiff |
|
2020-07-01 14:41:50 |
Dariusz Gadomski |
attachment added |
|
focal.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388755/+files/focal.debdiff |
|
2020-07-01 14:42:15 |
Dariusz Gadomski |
attachment added |
|
bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388756/+files/bionic.debdiff |
|
2020-07-01 16:54:00 |
Ubuntu Foundations Team Bug Bot |
tags |
sts |
patch sts |
|
2020-07-14 20:01:20 |
Steve Beattie |
nss (Ubuntu): status |
New |
In Progress |
|
2020-07-14 20:01:23 |
Steve Beattie |
nss (Ubuntu Bionic): status |
New |
In Progress |
|
2020-07-15 13:34:09 |
Dariusz Gadomski |
nss (Ubuntu): assignee |
Richard Maciel Costa (richardmaciel) |
Dariusz Gadomski (dgadomski) |
|
2020-07-15 13:34:11 |
Dariusz Gadomski |
nss (Ubuntu Bionic): assignee |
Richard Maciel Costa (richardmaciel) |
Dariusz Gadomski (dgadomski) |
|
2020-07-15 14:01:23 |
Dariusz Gadomski |
bug |
|
|
added subscriber STS Sponsors |
2020-07-16 12:16:53 |
Dan Streetman |
nominated for series |
|
Ubuntu Groovy |
|
2020-07-16 12:16:53 |
Dan Streetman |
bug task added |
|
nss (Ubuntu Groovy) |
|
2020-07-16 12:16:53 |
Dan Streetman |
nominated for series |
|
Ubuntu Focal |
|
2020-07-16 12:16:53 |
Dan Streetman |
bug task added |
|
nss (Ubuntu Focal) |
|
2020-07-16 12:17:09 |
Dan Streetman |
nss (Ubuntu Focal): assignee |
|
Dariusz Gadomski (dgadomski) |
|
2020-07-16 12:17:11 |
Dan Streetman |
nss (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-07-16 12:17:14 |
Dan Streetman |
nss (Ubuntu Focal): status |
New |
In Progress |
|
2020-07-17 06:44:18 |
Dariusz Gadomski |
description |
In FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is done for *.so).
Solution C:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
[Impact]
* Prevents using some parts of nss in FIPS mode - e.g. libfreeblpriv3.so (failed asserts). The library during initialization tries to verify its own binaries against signatures in chk files shipped along with it (created at build time). They are installed at /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at /usr/lib/$(DEB_HOST_MULTIARCH).
[Test Case]
* Set up Ubuntu 18.04 in FIPS mode.
* sudo apt install chrony
* sudo chronyd -d
* chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
[Regression Potential]
* Fix introduces 2 new artifacts to the filesystem (symlinks to the chk files). It may cause alerts in e.g. CI systems.
[Other Info]
Original bug description:
In FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is done for *.so).
Solution C:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to. |
|
2020-07-17 18:52:34 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/nss/+git/nss/+merge/387608 |
|
2020-07-17 21:52:05 |
Launchpad Janitor |
nss (Ubuntu Groovy): status |
In Progress |
Fix Released |
|
2020-07-20 19:02:50 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~sergiodj/ubuntu/+source/nss/+git/nss/+merge/387608 |
|
|
2020-07-21 22:37:55 |
Brian Murray |
nss (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-07-21 22:38:00 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-07-21 22:38:08 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-07-21 22:38:25 |
Brian Murray |
tags |
patch sts |
patch sts verification-needed verification-needed-focal |
|
2020-07-21 22:44:20 |
Brian Murray |
nss (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2020-07-21 22:44:44 |
Brian Murray |
tags |
patch sts verification-needed verification-needed-focal |
patch sts verification-needed verification-needed-bionic verification-needed-focal |
|
2020-07-23 08:30:32 |
Dariusz Gadomski |
tags |
patch sts verification-needed verification-needed-bionic verification-needed-focal |
patch sts verification-done-bionic verification-needed verification-needed-focal |
|
2020-07-23 08:51:34 |
Dariusz Gadomski |
tags |
patch sts verification-done-bionic verification-needed verification-needed-focal |
patch sts verification-done verification-done-bionic verification-done-focal |
|
2020-07-27 13:39:50 |
Dariusz Gadomski |
tags |
patch sts verification-done verification-done-bionic verification-done-focal |
patch sts sts-sponsor-dgadomski verification-done verification-done-bionic verification-done-focal |
|
2020-08-10 17:51:46 |
Launchpad Janitor |
nss (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-08-10 17:51:46 |
Launchpad Janitor |
cve linked |
|
2020-12400 |
|
2020-08-10 17:51:46 |
Launchpad Janitor |
cve linked |
|
2020-12401 |
|
2020-08-10 17:51:46 |
Launchpad Janitor |
cve linked |
|
2020-6829 |
|
2020-08-10 17:51:47 |
Launchpad Janitor |
nss (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|