*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Dariusz Gadomski
(dgadomski):
In FIPS mode there are some additional checks performed.
They lead to verifying binary signatures. Those signatures are shipped
in the libnss3 package as *.chk files installed in
/usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so
libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the
symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is
in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is
done for *.so).
Solution C:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk
where the symlinks lead to.
** Affects: nss (Ubuntu)
Importance: Medium
Assignee: Dariusz Gadomski (dgadomski)
Status: In Progress
** Affects: nss (Ubuntu Bionic)
Importance: Medium
Assignee: Dariusz Gadomski (dgadomski)
Status: In Progress
** Tags: patch sts
--
[fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
https://bugs.launchpad.net/bugs/1885562
You received this bug notification because you are a member of STS Sponsors,
which is subscribed to the bug report.
--
Mailing list: https://launchpad.net/~sts-sponsors
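The lookup failure described in the report, reproduced as an added example that is not NSS code and not the reporter's: a throwaway copy of the Debian layout is built under a temp directory (nss/libfreeblpriv3.so, nss/libfreeblpriv3.chk, and a libfreeblpriv3.so symlink one level up, as in the ls output above), then the .chk name is derived from the symlink path both the way the report describes mkCheckFileName doing it (strip .so, append .chk, no symlink resolution) and with the symlink resolved first, which is what Solution C proposes. The function names chk_name_naive, chk_name_resolved and chk_found_via_symlink are this example's own, not identifiers from shvfy.c.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* for realpath(), mkdtemp(), symlink() under strict modes */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Derive the .chk name the way the report describes mkCheckFileName doing it:
   take the path the library was loaded from, drop ".so", append ".chk".
   No symlink resolution. Returns 0 on success, -1 if the name does not end
   in ".so" or the buffer is too small. (Example code, not the NSS routine.) */
static int chk_name_naive(const char *shlib, char *out, size_t outlen)
{
    size_t n = strlen(shlib);
    if (n < 3 || strcmp(shlib + n - 3, ".so") != 0)
        return -1;
    if (n - 3 + sizeof ".chk" > outlen)
        return -1;
    memcpy(out, shlib, n - 3);
    memcpy(out + n - 3, ".chk", sizeof ".chk");  /* copies the NUL as well */
    return 0;
}

/* Solution C from the report: resolve symlinks first, then derive the .chk
   name next to the real file. */
static int chk_name_resolved(const char *shlib, char *out, size_t outlen)
{
    char real[PATH_MAX];
    if (realpath(shlib, real) == NULL)
        return -1;
    return chk_name_naive(real, out, outlen);
}

static int path_exists(const char *p)
{
    struct stat st;
    return stat(p, &st) == 0;
}

static int touch(const char *p)
{
    FILE *f = fopen(p, "w");
    if (!f)
        return -1;
    fclose(f);
    return 0;
}

/* Build a throwaway copy of the Debian layout under a fresh temp dir
   (constructed fixture, file contents are empty):
     <dir>/nss/libfreeblpriv3.so
     <dir>/nss/libfreeblpriv3.chk
     <dir>/libfreeblpriv3.so -> nss/libfreeblpriv3.so
   then check whether the .chk is found when starting from the symlink path.
   Returns 1 if found, 0 if not, -1 on setup failure. Removes the fixture. */
int chk_found_via_symlink(int resolve)
{
    char dir[] = "/tmp/nsschk-XXXXXX";
    char nssdir[PATH_MAX], so[PATH_MAX], chk[PATH_MAX], link[PATH_MAX];
    char derived[PATH_MAX];
    int found = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(nssdir, sizeof nssdir, "%s/nss", dir);
    snprintf(so, sizeof so, "%s/libfreeblpriv3.so", nssdir);
    snprintf(chk, sizeof chk, "%s/libfreeblpriv3.chk", nssdir);
    snprintf(link, sizeof link, "%s/libfreeblpriv3.so", dir);

    if (mkdir(nssdir, 0755) == 0 && touch(so) == 0 && touch(chk) == 0 &&
        symlink("nss/libfreeblpriv3.so", link) == 0) {
        int rc = resolve ? chk_name_resolved(link, derived, sizeof derived)
                         : chk_name_naive(link, derived, sizeof derived);
        found = (rc == 0 && path_exists(derived)) ? 1 : 0;
    }

    unlink(link); unlink(chk); unlink(so); rmdir(nssdir); rmdir(dir);
    return found;
}

int main(void)
{
    printf("naive .chk lookup through symlink:    %s\n",
           chk_found_via_symlink(0) == 1 ? "found" : "NOT found");
    printf("resolved .chk lookup through symlink: %s\n",
           chk_found_via_symlink(1) == 1 ? "found" : "NOT found");
    return 0;
}
```

The naive path derives <dir>/libfreeblpriv3.chk, which does not exist, so the integrity check would fail exactly as in the chronyd test case; resolving the link first derives <dir>/nss/libfreeblpriv3.chk and finds it. Solutions A and B from the report fix the same mismatch on the packaging side instead, by making the naive derivation land on a real file.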