Bug#1014517: marked as done (apt - Fails in FIPS mode in libgcrypt)

To: Julian Andres Klode <jak@debian.org>
Subject: Bug#1014517: marked as done (apt - Fails in FIPS mode in libgcrypt)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Wed, 26 Jul 2023 14:51:10 +0000
Message-id: <[🔎] handler.1014517.D1014517.16903829591347501.ackdone@bugs.debian.org>
Reply-to: 1014517@bugs.debian.org
References: <20230726164901.GA420105@debian.org> <165719870806.77907.5567624636549932250.reportbug@softhammer.credativ.lan>

Your message dated Wed, 26 Jul 2023 16:49:12 +0200
with message-id <20230726164901.GA420105@debian.org>
and subject line Re: Bug#1014517: apt - Fails in FIPS mode in libgcrypt
has caused the Debian Bug report #1014517,
regarding apt - Fails in FIPS mode in libgcrypt
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1014517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014517
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt - Fails in FIPS mode in libgcrypt
From: Bastian Blank <waldi@debian.org>
Date: Thu, 07 Jul 2022 14:58:28 +0200
Message-id: <165719870806.77907.5567624636549932250.reportbug@softhammer.credativ.lan>

Package: apt
Version: 2.5.1
Severity: normal

"apt update" fails if the system runs in FIPS mode:

| # apt update
| Hit:2 http://deb.debian.org/debian-debug sid InRelease
| fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
| 
| Fatal error: requested algo not in md context
| Aborted

The backtrace is:

| #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
| #1  0x0000fffff78a630c in __GI_abort () at abort.c:79
| #2  0x0000fffff75ce110 in _gcry_fatal_error (rc=rc@entry=5, text=text@entry=0xfffff765cb80 "requested algo not in md context") at ../../src/misc.c:97
| #3  0x0000fffff75e65b0 in md_read (algo=<optimized out>, a=<optimized out>, a=<optimized out>) at ../../cipher/md.c:1095
| #4  0x0000fffff7e435ac in HexDigest (hd=<optimized out>, algo=<optimized out>) at ./apt-pkg/contrib/hashes.cc:429
| #5  0x0000fffff7e44a18 in Hashes::GetHashString (this=this@entry=0xffffffffe6d8, hash=hash@entry=Hashes::MD5SUM) at ./apt-pkg/contrib/hashes.cc:457
| #6  0x0000fffff7e5bfd4 in debListParser::Description_md5 (this=0xaaaaaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
| #7  0x0000fffff7ecc020 in pkgCacheGenerator::MergeListVersion (this=this@entry=0xaaaaaab31470, List=..., Pkg=..., Version=..., OutVer=@0xffffffffe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
| #8  0x0000fffff7ecdb0c in pkgCacheGenerator::MergeList (this=this@entry=0xaaaaaab31470, List=..., OutVer=<optimized out>, OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
| #9  0x0000fffff7eb030c in pkgDebianIndexFile::Merge (this=<optimized out>, Gen=..., Prog=<optimized out>) at ./apt-pkg/indexfile.cc:348
| #10 0x0000fffff7ec8ef4 in operator() (__closure=__closure@entry=0xffffffffebc0, I=0xaaaaaab0a340) at ./apt-pkg/pkgcachegen.cc:1557
| #11 0x0000fffff7ecedb4 in std::for_each<__gnu_cxx::__normal_iterator<pkgIndexFile**, std::vector<pkgIndexFile*> >, BuildCache(pkgCacheGenerator&, OpProgress*, map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, FileIterator)::<lambda(pkgIndexFile*)> > (__f=..., __last=0x0, __first=0xaaaaaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
| #12 BuildCache (Gen=..., Progress=<optimized out>, Progress@entry=0xfffffffff280, CurrentSize=@0xffffffffecf0: 100043188, TotalSize=<optimized out>, TotalSize@entry=100043188, 
|     List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
| #13 0x0000fffff7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., Progress=Progress@entry=0xfffffffff280, OutMap=OutMap@entry=0xffffffffef18, OutCache=OutCache@entry=0xffffffffef20)
|     at /usr/include/c++/11/bits/stl_iterator.h:1026
| #14 0x0000fffff7e0b2dc in pkgCacheFile::BuildCaches (this=0xfffffffff0c0, Progress=0xfffffffff280, WithLock=<optimized out>) at ./apt-pkg/cachefile.cc:127
| #15 0x0000fffff7f9e6fc in DoUpdate(CommandLine&) () from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #16 0x0000fffff7e27d20 in CommandLine::DispatchArg (this=0xfffffffff448, Map=<optimized out>, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
| #17 0x0000fffff7f633f4 in DispatchCommandLine(CommandLine&, std::vector<CommandLine::Dispatch, std::allocator<CommandLine::Dispatch> > const&) ()
|    from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #18 0x0000aaaaaaaa1898 in ?? ()
| #19 0x0000fffff78a6614 in __libc_start_main (main=0xaaaaaaaa17c0, argc=2, argv=0xfffffffff5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
|     stack_end=<optimized out>) at ../csu/libc-start.c:332
| #20 0x0000aaaaaaaa19b8 in ?? ()

In FIPS mode MD5 is not allowed, so every usage results in a fatal error.

One workarounds would be:
Check for FIPS mode with gcry_fips_mode_active and don't try to use it
then.

Bastian

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

--- End Message ---

--- Begin Message ---

To: Bastian Blank <waldi@debian.org>, 1014517-close@bugs.debian.org
Subject: Re: Bug#1014517: apt - Fails in FIPS mode in libgcrypt
From: Julian Andres Klode <jak@debian.org>
Date: Wed, 26 Jul 2023 16:49:12 +0200
Message-id: <20230726164901.GA420105@debian.org>
In-reply-to: <165719870806.77907.5567624636549932250.reportbug@softhammer.credativ.lan>
References: <165719870806.77907.5567624636549932250.reportbug@softhammer.credativ.lan>

Version: 2.7.2

On Thu, Jul 07, 2022 at 02:58:28PM +0200, Bastian Blank wrote:
> Package: apt
> Version: 2.5.1
> Severity: normal
> 
> "apt update" fails if the system runs in FIPS mode:
> 
> | # apt update
> | Hit:2 http://deb.debian.org/debian-debug sid InRelease
> | fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
> | 
> | Fatal error: requested algo not in md context
> | Aborted
> 
> The backtrace is:
> 
> | #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
> | #1  0x0000fffff78a630c in __GI_abort () at abort.c:79
> | #2  0x0000fffff75ce110 in _gcry_fatal_error (rc=rc@entry=5, text=text@entry=0xfffff765cb80 "requested algo not in md context") at ../../src/misc.c:97
> | #3  0x0000fffff75e65b0 in md_read (algo=<optimized out>, a=<optimized out>, a=<optimized out>) at ../../cipher/md.c:1095
> | #4  0x0000fffff7e435ac in HexDigest (hd=<optimized out>, algo=<optimized out>) at ./apt-pkg/contrib/hashes.cc:429
> | #5  0x0000fffff7e44a18 in Hashes::GetHashString (this=this@entry=0xffffffffe6d8, hash=hash@entry=Hashes::MD5SUM) at ./apt-pkg/contrib/hashes.cc:457
> | #6  0x0000fffff7e5bfd4 in debListParser::Description_md5 (this=0xaaaaaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
> | #7  0x0000fffff7ecc020 in pkgCacheGenerator::MergeListVersion (this=this@entry=0xaaaaaab31470, List=..., Pkg=..., Version=..., OutVer=@0xffffffffe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
> | #8  0x0000fffff7ecdb0c in pkgCacheGenerator::MergeList (this=this@entry=0xaaaaaab31470, List=..., OutVer=<optimized out>, OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
> | #9  0x0000fffff7eb030c in pkgDebianIndexFile::Merge (this=<optimized out>, Gen=..., Prog=<optimized out>) at ./apt-pkg/indexfile.cc:348
> | #10 0x0000fffff7ec8ef4 in operator() (__closure=__closure@entry=0xffffffffebc0, I=0xaaaaaab0a340) at ./apt-pkg/pkgcachegen.cc:1557
> | #11 0x0000fffff7ecedb4 in std::for_each<__gnu_cxx::__normal_iterator<pkgIndexFile**, std::vector<pkgIndexFile*> >, BuildCache(pkgCacheGenerator&, OpProgress*, map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, FileIterator)::<lambda(pkgIndexFile*)> > (__f=..., __last=0x0, __first=0xaaaaaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
> | #12 BuildCache (Gen=..., Progress=<optimized out>, Progress@entry=0xfffffffff280, CurrentSize=@0xffffffffecf0: 100043188, TotalSize=<optimized out>, TotalSize@entry=100043188, 
> |     List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
> | #13 0x0000fffff7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., Progress=Progress@entry=0xfffffffff280, OutMap=OutMap@entry=0xffffffffef18, OutCache=OutCache@entry=0xffffffffef20)
> |     at /usr/include/c++/11/bits/stl_iterator.h:1026
> | #14 0x0000fffff7e0b2dc in pkgCacheFile::BuildCaches (this=0xfffffffff0c0, Progress=0xfffffffff280, WithLock=<optimized out>) at ./apt-pkg/cachefile.cc:127
> | #15 0x0000fffff7f9e6fc in DoUpdate(CommandLine&) () from /lib/aarch64-linux-gnu/libapt-private.so.0.0
> | #16 0x0000fffff7e27d20 in CommandLine::DispatchArg (this=0xfffffffff448, Map=<optimized out>, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
> | #17 0x0000fffff7f633f4 in DispatchCommandLine(CommandLine&, std::vector<CommandLine::Dispatch, std::allocator<CommandLine::Dispatch> > const&) ()
> |    from /lib/aarch64-linux-gnu/libapt-private.so.0.0
> | #18 0x0000aaaaaaaa1898 in ?? ()
> | #19 0x0000fffff78a6614 in __libc_start_main (main=0xaaaaaaaa17c0, argc=2, argv=0xfffffffff5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
> |     stack_end=<optimized out>) at ../csu/libc-start.c:332
> | #20 0x0000aaaaaaaa19b8 in ?? ()
> 
> In FIPS mode MD5 is not allowed, so every usage results in a fatal error.
> 
> One workarounds would be:
> Check for FIPS mode with gcry_fips_mode_active and don't try to use it
> then.
> 
> Bastian
> 
> -- Package-specific info:
> 
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> 
> -- no debconf information
> 

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---

Reply to:

Prev by Date: Bug#1041990: marked as done (please make source.list file names more clear)
Next by Date: Re: First Packaging Con 2021
Previous by thread: Bug#1041993: marked as done (is URIs supposed to be a list?)
Next by thread: Re: First Packaging Con 2021
Index(es):
- Date
- Thread