[Bug 627619] New: opensc and every dependent package that uses SC_TEST_RET is broken
http://bugzilla.novell.com/show_bug.cgi?id=627619
http://bugzilla.novell.com/show_bug.cgi?id=627619#c0

           Summary: opensc and every dependent package that uses SC_TEST_RET is broken
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
        AssignedTo: sbrabec@novell.com
        ReportedBy: cmorve69@yahoo.es
         QAContact: qa@suse.de
                CC: security-team@suse.de, puzel@novell.com
          Found By: Community User
           Blocker: ---

We have a bad patch in the opensc package that breaks anything that uses the SC_TEST_RET macro:
https://build.opensuse.org/package/view_file?file=opensc-fix-gcc-warnings.patch&package=opensc&project=openSUSE%3A11.3

These packages, *at least*, should be inspected (others could depend on it indirectly even if they use it):

$ osc whatdependson openSUSE:11.3 opensc standard x86_64
opensc :
   gpg2
   gtkcard
   installation-images
   libchipcard4
   opensc-java
   openssh
   openssh-askpass-gnome

The macro is

#define SC_TEST_RET(ctx, r, text) do { \
	int _ret = (r); \
	if (_ret < 0) { \
		sc_do_log(ctx, SC_LOG_TYPE_ERROR, __FILE__, __LINE__, __FUNCTION__, "%s: %s\n", (text), sc_strerror(_ret)); \
		return _ret; \
	} \
} while(0)

It just checks if the return value of a function ('r') is < 0 and in such a case prints a log message and returns.
The patch changes that behavior so the log message is shown only if r < 0... but ALWAYS returns. That breaks the logic of any functions using this macro.

At least it means a segmentation fault when using the Spanish ID card (from opensc-tool, or from Firefox... whatever is using it). As far as I know this is just a crash problem, not a security risk. But since multiple packages could be affected I CC the security-team.

IMHO the package in the devel should be fixed, updates published for any affected 11.3 package... and the package in openSUSE:11.3 project be modified.
I know that project is supposed to be static, but people will not build against openSUSE:11.3:Update if they don't know about the problem.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

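The difference described in the report above, as an added example that is not part of the original report or of the opensc sources: the same two-step function built once with the quoted macro semantics and once with the behaviour the report attributes to the patched macro. The patched macro body is reconstructed from the description (the patch itself is not quoted here), and demo_log, demo_card, demo_step, run and the TEST_RET_* names are hypothetical stand-ins.

```c
#include <stdio.h>

/* Stand-in for sc_do_log()/sc_strerror(); hypothetical helper. */
static void demo_log(const char *text, int err)
{
    fprintf(stderr, "%s: error %d\n", text, err);
}

/* Semantics of the macro quoted in the report: log and return only on error. */
#define TEST_RET_ORIG(r, text) do { \
        int _ret = (r); \
        if (_ret < 0) { demo_log((text), _ret); return _ret; } \
    } while (0)

/* Behaviour the report attributes to the patched macro, reconstructed from
 * the description (assumption, not the patch text): log on error, return always. */
#define TEST_RET_PATCHED(r, text) do { \
        int _ret = (r); \
        if (_ret < 0) demo_log((text), _ret); \
        return _ret; \
    } while (0)

struct demo_card { const char *name; int steps_done; };   /* hypothetical */

static int demo_step(struct demo_card *c, int result)
{
    c->steps_done++;
    return result;
}

static int init_orig(struct demo_card *c, int first)
{
    TEST_RET_ORIG(demo_step(c, first), "select failed");
    TEST_RET_ORIG(demo_step(c, 0), "read failed");
    c->name = "demo card";          /* reached only when both steps succeed */
    return 0;
}

static int init_patched(struct demo_card *c, int first)
{
    TEST_RET_PATCHED(demo_step(c, first), "select failed");
    TEST_RET_PATCHED(demo_step(c, 0), "read failed");   /* never reached */
    c->name = "demo card";                              /* never reached */
    return 0;
}

/* Run one variant; report return code, steps executed, whether name was set. */
int run(int patched, int first, int *steps, int *name_set)
{
    struct demo_card c = { NULL, 0 };
    int rc = patched ? init_patched(&c, first) : init_orig(&c, first);
    *steps = c.steps_done;
    *name_set = (c.name != NULL);
    return rc;
}

int main(void)
{
    int s, n, rc = run(1, 0, &s, &n);
    printf("patched:  rc=%d steps=%d name_set=%d\n", rc, s, n);
    rc = run(0, 0, &s, &n);
    printf("original: rc=%d steps=%d name_set=%d\n", rc, s, n);
    return 0;
}
```

With the always-return variant the function reports success after its first step and leaves name unset, so a caller that trusts the return code dereferences a null pointer, which matches the crash reported above.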
http://bugzilla.novell.com/show_bug.cgi?id=627619
http://bugzilla.novell.com/show_bug.cgi?id=627619#c

Cristian Morales Vega <cmorve69@yahoo.es> changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
See Also         |                         |https://bugzilla.novell.com/show_bug.cgi?id=626765

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c1

Egbert König <e.kunig@home.nl> changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
CC               |                         |e.kunig@home.nl

--- Comment #1 from Egbert König <e.kunig@home.nl> 2010-08-16 21:12:57 UTC ---
*** Bug 626765 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=626765

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c2

--- Comment #2 from Egbert König <e.kunig@home.nl> 2010-08-16 21:16:49 UTC ---
Created an attachment (id=383300)
 --> (http://bugzilla.novell.com/attachment.cgi?id=383300)
cleaned patch opensc-fix-gcc-warnings

I have built opensc with this cleaned patch file. Now Firefox can use my smartcard again.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c4

--- Comment #4 from Stanislav Brabec <sbrabec@novell.com> 2010-08-19 16:36:47 CEST ---
Well, I found yet another breakage:

Install opensc and epiphany (and probably all webkit based browsers) will hang.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c5

--- Comment #5 from Cristian Morales Vega <cmorve69@yahoo.es> 2010-08-19 15:10:01 UTC ---
Some time ago I also created a fixed package in my personal repo. I created a submitreq, more to raise awareness than any other thing.
Feel free to decline it, but notice I reported the other part of the opensc-fix-gcc-warnings patch to upstream and added the patch tags, you could use them. This could have been avoided if the patch had been submitted upstream to start with...

Anyway, a copy&paste of the tags:

# PATCH-FIX-UPSTREAM opensc-libassuan-2.patch http://www.opensc-project.org/opensc/ticket/217 puzel@novell.com -- allows to build with libassuan2
Patch0: opensc-libassuan-2.patch
# PATCH-FIX-UPSTREAM opensc-fix-gcc-warnings.patch http://www.opensc-project.org/opensc/ticket/249 reddwarf@opensuse.org -- the card-myeid.c part has an equivalent fix in upstream's trunk
Patch1: opensc-fix-gcc-warnings.patch

And just tested your packages, works fine here.
Still, I must insist on the fact that the broken macro is exported in a header file. So the problem could affect any package that depends on opensc (affected the opensc DNIe driver...).

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c6

--- Comment #6 from Stanislav Brabec <sbrabec@novell.com> 2010-08-19 19:13:11 CEST ---
Thanks for upstreaming this. I planned to do it but I forgot.

I will compare your and my packages and create final submit request.

I also grepped the whole openSUSE source tree (just zgrep -l SC_TEST_RET, so zip files were skipped), and it seems that only the eID-belgium package from the main tree is broken. Packages outside openSUSE tree will get rebuilt automatically (but users will have to install it).

I also debugged the WebKit freeze with opensc. It seems to have nothing to do with opensc, it freezes while expanding /usr/lib64/browser-plugins/opensc-signer.so.

It loops forever in webkit-1.2.0/WebCore/plugins/gtk/PluginPackageGtk.cpp PluginPackage::load() (while (g_file_test(finalPath.get(), G_FILE_TEST_IS_SYMLINK))...)

Debugging indicates that g_file_resolve_relative_path is never called.

Surprisingly, it does not loop on javaplugin.so and npwrapper.so that are symlinks as well.

112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
116	finalPath.set(g_file_get_path(resolvedFile.get()));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
116	finalPath.set(g_file_get_path(resolvedFile.get()));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
111	while (g_file_test(finalPath.get(), G_FILE_TEST_IS_SYMLINK)) {
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
116	finalPath.set(g_file_get_path(resolvedFile.get()));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
116	finalPath.set(g_file_get_path(resolvedFile.get()));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
111	while (g_file_test(finalPath.get(), G_FILE_TEST_IS_SYMLINK)) {
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb) print finalPath.get();
Invalid character ';' in expression.
(gdb) print finalPath.get()
Can't take address of "finalPath" which isn't an lvalue.
(gdb) b g_file_resolve_relative_path
Breakpoint 1 at 0x7ff4c0f797a0: file gfile.c, line 808.
(gdb) n
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
112	GOwnPtr<GFile> file(g_file_new_for_path(finalPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));
(gdb)
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
(gdb)
..
WebCore::PluginPackage::load (this=0x7ff4a987ec00) at WebCore/plugins/gtk/PluginPackageGtk.cpp:115
115	GOwnPtr<GFile> resolvedFile(g_file_resolve_relative_path(file.get(), linkPath.get()));
Value returned is $10 = (gchar *) 0x15a51d0 "../opensc-signer.so"
(gdb) show breakpoint
(gdb) info breakpoint
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00007ff4c0f797a0 in IA__g_file_resolve_relative_path at gfile.c:808
	breakpoint already hit 1 time
2       breakpoint     keep y   <MULTIPLE>
	breakpoint already hit 1 time
2.1                         y   0x00007ff4c0f80380 in IA__g_file_new_for_path at gfile.c:5895
2.2                         y   0x00007ff4c0f803a0 in IA__g_file_new_for_path at gfile.c:5895
3       breakpoint     keep y   0x00007ff4c0643c00 in IA__g_file_read_link at gfileutils.c:1830
	breakpoint already hit 1 time
4       breakpoint     keep y   0x00007ff4c0f78e90 in IA__g_file_get_path at gfile.c:448
	breakpoint already hit 1 time
5       breakpoint     keep y   0x00007ff4c0642560 in IA__g_file_test at gfileutils.c:181
	breakpoint already hit 1 time
(gdb) n
113	GOwnPtr<gchar> linkPath(g_file_read_link(finalPath.get(), 0));

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c7

--- Comment #7 from Stanislav Brabec <sbrabec@novell.com> 2010-08-20 14:35:09 CEST ---
I just debugged webkit based browsers freeze with opensc installed. It is a bug in gio:
https://bugzilla.gnome.org/show_bug.cgi?id=627491

=> We can release opensc with just this fix.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c8

--- Comment #8 from Stanislav Brabec <sbrabec@novell.com> 2010-08-20 16:34:59 CEST ---
I just checked card-myeid.c from trunk and it seems that the correct fix should be:

--- opensc-0.11.13.orig/src/libopensc/card-myeid.c +++ opensc-0.11.13/src/libopensc/card-myeid.c @@ -394,7 +394,7 @@ static int myeid_create_file(struct sc_c SC_FUNC_RETURN(card->ctx, 1, SC_ERROR_FILE_ALREADY_EXISTS); r = sc_check_sw(card, apdu.sw1, apdu.sw2); - SC_TEST_RET(card->ctx, r, "Card returned error"); + SC_FUNC_RETURN(card->ctx, 1, r); } /* no record oriented file services */

Upstream provided a new driver from the vendor with many changes that include such fix. I have no myeid card to test.

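Review bot: the replacement line SC_FUNC_RETURN(card->ctx, 1, r); drops the "Card returned error" text that the removed SC_TEST_RET line passed along, so a failing sc_check_sw() result at the end of this block no longer carries that message. If the text is still wanted in the log, emit it before the return; otherwise say in the patch description that it is dropped on purpose. Since the comment states the change was not tested on a MyEID card, the patch tag should record that until someone with the hardware confirms it.
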
https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c9

--- Comment #9 from Stanislav Brabec <sbrabec@novell.com> 2010-08-20 17:29:11 CEST ---
Created request id 45910 to openSUSE:11:3 that is equal to your request except the card-myeid.c chunk, which is equal to comment 8.

Package will rebuild for test in the repository referred in comment 3.

To maintenance: The update must release opensc and eID-belgium.

As new upstream version is not yet released, I plan to submit the same fix to security:chipcard and Factory.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c10

--- Comment #10 from Marcus Meissner <meissner@novell.com> 2010-08-23 07:32:37 UTC ---
sounds like an idea to update. +1

does this require other rebuilt packages to update, or just opensc?

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c11

Swamp Workflow Management <swamp@suse.com> changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
Status Whiteboard|                         |maint:running:35340:moderate

--- Comment #11 from Swamp Workflow Management <swamp@suse.com> 2010-08-23 10:14:18 UTC ---
The SWAMPID for this issue is 35340.
This issue was rated as moderate.
Please submit fixed packages until 2010-09-06.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/35340

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c12

Christian Dengler <cdengler@novell.com> changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
Status           |NEEDINFO                 |NEW
CC               |                         |cdengler@novell.com
InfoProvider     |maintenance@opensuse.org |

--- Comment #12 from Christian Dengler <cdengler@novell.com> 2010-08-23 10:15:07 UTC ---
ok, update started.
Be so kind and submit a patchinfo

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c13

Stanislav Brabec <sbrabec@novell.com> changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
Priority         |P5 - None                |P3 - Medium
Status           |NEW                      |RESOLVED
Resolution       |                         |FIXED

--- Comment #13 from Stanislav Brabec <sbrabec@novell.com> 2010-08-23 14:42:04 CEST ---
I just created a trivial clean-up that also works around the epiphany deadlock: Install plugin directly to browser-plugins instead of linking from libdir.
https://www.opensc-project.org/opensc/ticket/251

It is just a cosmetic change.

Package re-submitted to openSUSE:11:3 with both fixes and request id 45994.

Package was also submitted to security:chipcard and openSUSE:Factory with request id 45999.

Update should be available later today in my test branch and security:chipcard, in few days in openSUSE:11.3:Update:Test and it should appear as online update in a week or so.

To maintenance: Feel free to release the update whenever any of reporters confirm that the fix works with their smart cards and that web browser accepts the smart card as well.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c14

--- Comment #14 from Stanislav Brabec <sbrabec@novell.com> 2010-08-23 17:59:20 CEST ---
Note for testers:

I linked eID-belgium package to home:sbrabec:branches:openSUSE:11.3:Update:Test repository to allow testing for people who use this package.

You may need to update all of opensc, libopensc2, opensc-devel, eID-belgium if you have them installed.

Also third party drivers may require recompilation if you find any reference to SC_TEST_RET there.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c15

--- Comment #15 from Christian Dengler <cdengler@novell.com> 2010-08-25 10:35:54 UTC ---
Available for testing in the update-test repo.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c16

Willem Herremans <whpgf@scarlet.be> changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
CC               |                         |whpgf@scarlet.be

--- Comment #16 from Willem Herremans <whpgf@scarlet.be> 2010-08-25 13:39:37 UTC ---
I can confirm that the opensc version 0.11.13-2.1.1 from update-test works as expected now. No more segmentation faults and it also works with Mozilla Firefox now.

I did not report this bug, but I was about to report it when I found that it had already been reported and fixed in update-test.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c17

--- Comment #17 from Christian Dengler <cdengler@novell.com> 2010-08-25 14:47:26 UTC ---
Willem, thanks for the feedback.
I think we can release it at the middle of the next week into the "normal" update channel.

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c18

Swamp Workflow Management <swamp@suse.com> changed:

What             |Removed                      |Added
----------------------------------------------------------------------------
Status Whiteboard|maint:running:35340:moderate |maint:running:35340:moderate maint:released:11.3:35350

--- Comment #18 from Swamp Workflow Management <swamp@suse.com> 2010-08-30 13:56:27 UTC ---
Update released for: eID-belgium, eID-belgium-debuginfo, eID-belgium-debugsource, libopensc2, libopensc2-debuginfo, opensc, opensc-debuginfo, opensc-debugsource, opensc-devel
Products:
openSUSE 11.3 (debug, i586, x86_64)

https://bugzilla.novell.com/show_bug.cgi?id=627619
https://bugzilla.novell.com/show_bug.cgi?id=627619#c

Swamp Workflow Management <swamp@suse.com> changed:

What             |Removed                                                |Added
----------------------------------------------------------------------------
Status Whiteboard|maint:running:35340:moderate maint:released:11.3:35350 |.

http://bugzilla.novell.com/show_bug.cgi?id=627619
http://bugzilla.novell.com/show_bug.cgi?id=627619#c19

--- Comment #19 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (627619) was mentioned in
https://build.opensuse.org/request/show/45994 11.3:Test / opensc
https://build.opensuse.org/request/show/45999 Factory / opensc