yara-4.3.0-rc1 test-pe fails on RHEL9 having OpenSSL with disabled SHA1 cert validation #1864
Comments
I have tried to reproduce this in a DigitalOcean cloud machine with Centos9 and failed. The test-pe was not failing there.
Fails on AMD EPYC 7302 16-Core Processor
Tested also on 2 Intel and 1 other AMD processor + Centos9 and the issue didn't demonstrate there.
I managed to reproduce the issue in CentOS using your instructions. The problem seems related to the PE signature validation. I'll investigate further.
More specifically, by removing the following 3 lines from this test case, the issue goes away.
@HoundThe you may be interested in taking a look at this. I've reproduced the issue, so if you want me to do some specific test let me know. I'll keep investigating.
I am a bit worried it could be some compatibility hw bug in "AMD EPYC 7302 16-Core Processor" (as it works on other x64 platforms). I have tried to change the build march from x86-64-v2 to x86-64 on suspicion it could be related to the SSE4.2, SSSE3 instruction sets (possibly used for code signing procedures). But even doing that didn't fix the problem.
It could be potentially in the openssl/libcrypto library (optimized with march=x86-64-v2).
I can confirm that this call to
So, either it's a bug in YARA itself that is passing different information to this function, or it's some issue with specific versions of OpenSSL. Another option is that @HoundThe do you know if UPDATE: error message obtained by adding
I've found the root cause of this issue. Searching in Google for The issue above mentions that RHEL9/CentOS9 introduced a patch in OpenSSL that disables the validation of signatures based on SHA1: By reading the changes I've noticed the introduction of an environment variable
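An added example, not part of the original thread or of the YARA project: a shell probe that reports whether the local OpenSSL accepts SHA-1 signatures, the condition identified above as the cause of the test-pe failure. It assumes the `openssl` CLI is installed and that a policy rejecting SHA-1 signature validation also rejects SHA-1 signing; the function names and result strings are made up for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check whether the local OpenSSL
# build/policy accepts SHA-1 based signatures before running a test suite
# that validates SHA-1 signed PE files.
# Prints one of: sha1-allowed, sha1-blocked, openssl-broken, openssl-missing

# Sign and verify the sample message with digest $1, using files in dir $2.
sign_and_verify() {
    openssl dgst "-$1" -sign "$2/key.pem" -out "$2/sig.$1" "$2/msg" >/dev/null 2>&1 &&
    openssl dgst "-$1" -verify "$2/pub.pem" -signature "$2/sig.$1" "$2/msg" >/dev/null 2>&1
}

sha1_sig_probe() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl-missing"; return 0; }
    tmp=$(mktemp -d) || { echo "openssl-broken"; return 0; }
    result="openssl-broken"
    # Constructed sample input; any bytes work.
    printf 'constructed sample message\n' > "$tmp/msg"

    # Control: a throwaway RSA key plus a SHA-256 signature must work, otherwise
    # a SHA-1 failure would say nothing about the SHA-1 policy.
    if openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$tmp/key.pem" >/dev/null 2>&1 &&
       openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem" >/dev/null 2>&1 &&
       sign_and_verify sha256 "$tmp"; then
        # Same key, same message, only the digest changes.
        if sign_and_verify sha1 "$tmp"; then
            result="sha1-allowed"
        else
            result="sha1-blocked"
        fi
    fi

    rm -rf "$tmp"
    echo "$result"
}

sha1_sig_probe
```

A result of `sha1-blocked` on a build host means tests that validate SHA-1 signed files can fail there for policy reasons rather than because of a bug in the code under test.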
WOW ... OK ... seems you nailed it again. It really is like you said - thank you. Both Koji (Intel) and Copr (AMD EPYC) builds are OK now on x86-64-2 on RHEL9:
Sorry for the delay, I see it solved, just to answer the question
@plusvic, We have a RHEL 9 server with OpenSSL 3.0.7 and want to install Bacula-Community from its repo, but can't, as it needs a signed key that requires SHA-1. To sign that key, I need to run:
So, am I to understand I could use the command When I run that command, I get: Or how can an exception be made to install this repo? Thank you!
Describe the bug
When building yara-4.3.0-rc1, the test-pe fails on RHEL9/Centos9 on the x86-64-v2 platform.
The same test/file fails on the Fedora Rawhide + s390x platform so this might or might not be related.
#1855
To Reproduce
Steps to reproduce the behavior:
Issue demonstrates consistently on the FedoraProject Copr environment, building the yara from the https://copr.fedorainfracloud.org/coprs/rebus/infosec/package/yara/ respectively from https://github.com/xambroz/rpms-infosec/yara for the epel-9-x86_64 platform.
I guess it should be possible to reproduce it on RHEL9/Centos9 manually doing this.
Expected behavior
Test should pass (as it is passing on other platforms)
Full build log
https://download.copr.fedorainfracloud.org/results/rebus/infosec/epel-9-x86_64/05252025-yara/build.log.gz
Additional context
Hardening flags used for the compilation on the RHEL9