eDirectory 8.8.6.5 on RedHat 6.2 with current updates fails during verification with rpmReadSignature failed: sigh load: BAD

  • 7006535
  • 04-May-2012
  • 27-Jan-2014

Environment


NetIQ eDirectory 8.8.6.5
NetIQ eDirectory 8.8.7
RedHat 6.2
RedHat 5.8

Situation

Unable to patch eDir 8.8.6 on RedHat 6.2 after applying latest RedHat updates.

install.sh aborts with the following:

error: ./Linux64/novell-kerberos-base.x86_64.rpm: rpmReadSignature failed: sigh load: BAD
error: ./Linux64/novell-kerberos-base.x86_64.rpm: not an rpm package (or package manifest)
| ./Linux64/novell-kerberos-base.x86_64.rpm                                    ============================================ ERROR ===========================================
Internal Error:  isPackageInList() was not passed two parameters.

rpm package is version:  rpm.x86_64 0:4.8.0-19.el6_2.1

Attempting to use --nosignature or --force does not install the novell-kerberos rpms.

NOTE:  This problem also occurs on RedHat 5.8 fully patched.

The message is a little different.

Installing novell-kerberos-base... %%% Unable to install /software/edir887/eDirectory/setup/novell-kerberos-base-1.5-49.x86_64.rpm , Exiting...

RedHat 5.8 updated packages are:

rpm-4.4.2.3-28.el5_8
rpm-libs-4.4.2.3-28.el5_8



Resolution

This issue has been resolved by repackaging the kerberos rpms.  They are available at https://dl.netiq.com by using patch finder to access patches to eDirectory 8.8.6 or 8.8.7.


Workaround:

Use the rpm libs from the rpm-libs-4.8.0-19.el6 package that applies to the particular RedHat platform being used.  This is the rpm-libs version from before the security changes listed under Cause.

Steps:

1.  Create a temporary directory.
      EX:  mkdir /tmp/rpmlibs

2.  Copy the 4.8.0-19.el6 version of rpm-libs to the temporary directory.
      EX:  cp rpm-libs-4.8.0-19.el6.x86_64.rpm /tmp/rpmlibs

      NOTE:  For RedHat 5.8 use:  rpm-libs-4.4.2.3-27.el5


3.  Change directories to the temporary directory.
     EX:  cd /tmp/rpmlibs

4.  Extract the files in the rpm to the temporary directory.
     EX:  rpm2cpio rpm-libs-4.8.0-19.el6.x86_64.rpm | cpio -idmv

5.  Set the LD_LIBRARY_PATH to include the temporary directory as the first directory in the path
     EX:  export LD_LIBRARY_PATH=/tmp/rpmlibs/usr/lib64:$LD_LIBRARY_PATH

6.  Stop ndsd
      EX:  /etc/init.d/ndsd stop

7.  From the same terminal window used in step 5 (so that the modified LD_LIBRARY_PATH is being used), change directories to where the eDirectory 8.8.6.5 patch is extracted and run the install.sh from the eDirectory 8.8.6.5 patch with the --force switch.
     EX:  cd /software/edir8865
              ./install.sh --force



Possible messages in the verify section:

warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| ./Linux64/novell-kerberos-base.x86_64.rpm            | 1.5.0.49              [     OK*     ]
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm | 1.5.0.49              [     OK*     ]

In Verifying versions installed section:

warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-base                                 | 1.5.0.41              [EQUAL VERSION]
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-ldap-extensions                      | 1.5.0.41              [EQUAL VERSION]

In the Removing installed packages section:

warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-base                                 | 1.5.0.41              [   SKIPPED   ]
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-ldap-extensions                      | 1.5.0.41              [   SKIPPED   ]

In order to have the novell-kerberos packages updated to the 1.5.0.49 version, use install.sh with the --force option.  This will force the removal of the novell-kerberos packages and the install of the current version.

EX:  ./install.sh --force
 
Note: For additional installation requirements to ensure a smooth installation of eDirectory 8.8 SP7 on Red Hat servers please refer to:
https://www.netiq.com/documentation/imanager/imanager_install/?page=/documentation/imanager/imanager_install/data/hk42s9ot.html

Cause

These security changes went into rpm-4.8.0-19_2.1:

* Mon Feb 27 2012 Panu Matilainen <pmatilai@redhat.com> - 4.8.0-19.1
- Proper region tag validation on package/header read (CVE-2012-0060)
- Double-check region size against header size (CVE-2012-0061)
- Validate negated offsets too in headerVerifyInfo() (CVE-2012-0815)

It appears that a change in one of these fixes now causes the novell-kerberos rpms to be treated as BAD instead of NOKEY.
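
To show what the validation named in the changelog operates on, the following added example (not NetIQ or rpm code) reads the 96-byte lead and the signature header of an RPM file and applies simplified versions of the region tag, region size and offset checks. The function names, problem labels and the sample header are constructed for illustration, and the checks cannot say which one rejects the novell-kerberos packages.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # start of the 96-byte lead
HDR_MAGIC = b"\x8e\xad\xe8\x01"       # start of a header structure
HEADER_SIGNATURES = 62                # region tag of the signature header
BIN_TYPE, ENTRY_SIZE = 7, 16
ENTRY = struct.Struct(">iIiI")        # tag, type, offset, count (big-endian)

def check_signature_header(blob):
    """Return structural problems in an RPM signature header (simplified checks)."""
    if blob[:4] != LEAD_MAGIC:
        return ["lead magic missing"]
    if len(blob) < 112 or blob[96:100] != HDR_MAGIC:
        return ["signature header magic missing"]
    il, dl = struct.unpack_from(">II", blob, 104)   # index count, data length
    end = 112 + il * ENTRY_SIZE + dl
    if il < 1 or end > len(blob):
        return ["index or data length exceeds file size"]
    store = blob[end - dl:end]
    entries = [ENTRY.unpack_from(blob, 112 + i * ENTRY_SIZE) for i in range(il)]
    problems = []
    tag, typ, off, cnt = entries[0]
    if tag == HEADER_SIGNATURES:                    # region present: validate it
        if (typ, cnt) != (BIN_TYPE, ENTRY_SIZE):
            problems.append("region tag")
        elif off < 0 or off + ENTRY_SIZE > dl:
            problems.append("region offset")
        else:                                       # trailer lives in the data store
            ttag, ttyp, toff, tcnt = ENTRY.unpack_from(store, off)
            if (ttag, ttyp, tcnt) != (HEADER_SIGNATURES, BIN_TYPE, ENTRY_SIZE):
                problems.append("region trailer")
            elif toff >= 0 or -toff % ENTRY_SIZE or -toff // ENTRY_SIZE > il:
                problems.append("region size")      # region larger than the index
    for tag, typ, off, cnt in entries[1:]:
        if not 0 <= off <= dl:
            problems.append("tag %d: offset outside data store" % tag)
    return problems

def build_sample(region_off=4, trailer_off=-32):
    """Constructed two-entry signature header behind an otherwise empty lead."""
    lead = LEAD_MAGIC + bytes(92)
    index = ENTRY.pack(HEADER_SIGNATURES, BIN_TYPE, region_off, ENTRY_SIZE)
    index += ENTRY.pack(1000, 4, 0, 1)              # constructed INT32 entry
    store = struct.pack(">I", 1234)
    store += ENTRY.pack(HEADER_SIGNATURES, BIN_TYPE, trailer_off, ENTRY_SIZE)
    return lead + HDR_MAGIC + bytes(4) + struct.pack(">II", 2, len(store)) + index + store

if __name__ == "__main__":
    print(check_signature_header(build_sample(trailer_off=-48)))
```

To inspect a real package, pass the bytes of the .rpm file to check_signature_header().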