*** This bug is a security vulnerability ***
Public security bug reported:
When in FIPS mode there some additional checks performed.
They lead to verifying binaries signatures. Those signatures are shipped
in the libnss3 package as *.chk files installed in
/usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so
libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The client binaries are linked against the symlinks, so when the verification
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the
symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviosly it fails, because the actual file is
in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk
where the symlinks lead to.
** Affects: nss (Ubuntu)
Importance: Undecided
Status: New
** Affects: nss (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: nss (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: nss (Ubuntu Bionic)
Importance: Undecided
Status: New
** No longer affects: nss (Ubuntu Xenial)
** Description changed:
When in FIPS mode there some additional checks performed.
They lead to verifying binaries signatures. Those signatures are shipped
in the libnss3 package as *.chk files installed in
/usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so
libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
- The binaries are linked against the symlinks, so when the verification
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the
symlink to the shlib and replaces the .so extension with .chk.
+ The client binaries are linked against the symlinks, so when the verification
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the
symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviosly it fails, because the actual file
is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for
*.chk where the symlinks lead to.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885562
Title:
freebl_fipsSoftwareIntegrityTest fails in FIPS mode
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
