7.4. RHEA-2013:1626 — new packages: p11-kit

New p11-kit packages are now available for Red Hat Enterprise Linux 6.

The p11-kit package provides a mechanism to manage PKCS#11 modules. The p11-kit-trust subpackage includes a PKCS#11 trust module that provides certificate anchors and black lists based on configuration files.

This enhancement update adds the p11-kit packages to Red Hat Enterprise Linux 6. (BZ#915798)

* Red Hat Enterprise Linux 6.5 provides the p11-kit package to implement the Shared System Certificates feature. If enabled by the administrator, it ensures system-wide trust store of static data that is used by crypto toolkits as input for certificate trust decisions. (BZ#977886)

These new packages had several bugs fixed during testing:

* Support for using the freebl3 library for the SHA1 and MD5 cryptographic hash functions has been added even though the hashing is done in a strictly non-cryptographic context. (BZ#983384)

* All file handles opened by p11-kit are created with the O_CLOEXEC flag, so that they are automatically closed on the execve() function and do not leak to subprocesses. (BZ#984986)

* When expanding the "$HOME" variable or the "~/" path for SUID and SGID programs, the expand_home() function returns NULL. This change allows for avoiding vulnerabilities that could occur if SUID or SGID programs accidentally trusted this environment. Also, documentation concerning the fact that user directories are not read for SUID/SGID programs has been added. (BZ#985014)

* Users need to use the standard environment $TMPDIR variable for locating the temp directory. (BZ#985017)

* If a critical module fails to initialize, module initialization stops and the user is informed about the failure. (BZ#985023)

* The p11_kit_space_strlen() function returns a "0" value for empty strings. (BZ#985416)

* Arguments of the size_t variable are correctly passed to the "p11_hash_xxx" functions. (BZ#985421)

* Changes in the code ensures that the memdup() function is not called with a zero length or NULL pointers. (BZ#985433)

All users who require the Shared System Certificates feature are advised to install these new packages.