group.of.nepali.translators team mailing list archive
Message #31171
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
** Also affects: python2.7 (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: python2.7 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: python2.7 (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: python2.7 (Ubuntu Eoan)
Importance: High
Status: Triaged
** Also affects: python2.7 (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: python3.5 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: python3.5 (Ubuntu Bionic)
Status: New => Invalid
** Changed in: python3.5 (Ubuntu Cosmic)
Status: New => Invalid
** Changed in: python3.5 (Ubuntu Disco)
Status: New => Invalid
** Changed in: python3.5 (Ubuntu Eoan)
Status: New => Invalid
** Changed in: python3.5 (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: python3.5 (Ubuntu Xenial)
Status: New => In Progress
** Changed in: python3.5 (Ubuntu Xenial)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python2.7 (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: python2.7 (Ubuntu Xenial)
Status: New => In Progress
** Changed in: python2.7 (Ubuntu Xenial)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python2.7 (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: python2.7 (Ubuntu Bionic)
Status: New => In Progress
** Changed in: python2.7 (Ubuntu Bionic)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python2.7 (Ubuntu Cosmic)
Status: New => Won't Fix
** Changed in: python2.7 (Ubuntu Disco)
Importance: Undecided => Medium
** Changed in: python2.7 (Ubuntu Disco)
Status: New => In Progress
** Changed in: python2.7 (Ubuntu Disco)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1835135
Title:
FIPS OpenSSL crashes Python2 hashlib
Status in python2.7 package in Ubuntu:
Triaged
Status in python3.5 package in Ubuntu:
Invalid
Status in python2.7 source package in Xenial:
In Progress
Status in python3.5 source package in Xenial:
In Progress
Status in python2.7 source package in Bionic:
In Progress
Status in python3.5 source package in Bionic:
Invalid
Status in python2.7 source package in Cosmic:
Won't Fix
Status in python3.5 source package in Cosmic:
Invalid
Status in python2.7 source package in Disco:
In Progress
Status in python3.5 source package in Disco:
Invalid
Status in python2.7 source package in Eoan:
Triaged
Status in python3.5 source package in Eoan:
Invalid
Bug description:
If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with
SSL_library_init, then Python2's hashlib bindings for MD5 can trigger
a SIGSEGV via a NULL pointer dereference (if calling the .update
method) or a SIGABRT (if passing input to the constructor or passing
no input and invoking the .final method). This happens if, for
example, PyOpenSSL is imported before hashlib.
Canonical's FIPS patches for OpenSSL introduce some odd behavior that
arguably should be revisited, but the (TL;DR) core bug is that Python2
hashlib doesn't properly check the return value of EVP_DigestInit,
preventing hashlib from falling back to its internal MD5
implementation and instead setting things up for use of the MD5
context to trigger SIGSEGV or SIGABRT.
Python3 correctly checks the return value, so the fix is to backport
the relevant code into Python2 (see
python2.7-2.7.12/Modules/_hashopenssl.c).
See attached good.py and bad.py files which exhibit the import order-dependent
crashing issue. See attached fips-md5-python-init-bug.c
which shows the FIPS OpenSSL behaviors that conditionally tickle the
Python2 bug. The C file also contains a much more detailed description
of the Python2 bug and other behavior which I'd rather not repeat
here.
I discovered this bug investigating an issue with the third-party apt-boto-s3
package. See https://github.com/boto/boto3/issues/2021
Note that this bug affects Splunk, Inc, which has a corporate Ubuntu
Advantage license. My login account is attached to a different,
single-seat license.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions
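The report above describes a crash that depends on import order (PyOpenSSL before hashlib) and on whether the OpenSSL-backed MD5 binding checks the EVP_DigestInit return value. The harness below is an added example, not the reporter's attached good.py/bad.py and not code from the Python or Ubuntu projects: it runs the MD5 probe in a child interpreter so that a SIGSEGV or SIGABRT in the binding is observed as a signal exit code instead of taking down the caller, and it distinguishes a clean Python 3 refusal (ValueError when MD5 is disabled) from a crash. The probe script text, the `classify_returncode` and `probe_md5` names, and the exit-code convention are assumptions of this example.

```python
"""Probe whether hashlib's MD5 binding survives a given import order.

Each probe runs in a child interpreter so a crash in the OpenSSL-backed
binding shows up as a negative return code (the signal number) rather
than killing the process doing the probing.
"""
import signal
import subprocess
import sys

# Hypothetical probe script (assumption of this example). The modules named
# in `imports` are imported before hashlib, e.g. ["OpenSSL"] mimics the
# PyOpenSSL-before-hashlib ordering described in the bug report.
PROBE_TEMPLATE = r"""
import sys
for name in {imports!r}:
    __import__(name)
import hashlib
try:
    h = hashlib.new("md5")
    h.update(b"abc")
    sys.stdout.write(h.hexdigest())
    sys.exit(0)
except ValueError as exc:
    # Python 3 with MD5 disabled refuses cleanly instead of crashing.
    sys.stdout.write(str(exc))
    sys.exit(3)
"""


def classify_returncode(rc):
    """Map a child return code to an outcome label.

    0 -> "ok", 3 -> "unavailable" (clean refusal), <0 -> "crashed:<SIG>"
    (POSIX reports death-by-signal as the negated signal number),
    anything else -> "error:<rc>" (e.g. an ImportError in the probe).
    """
    if rc == 0:
        return "ok"
    if rc == 3:
        return "unavailable"
    if rc < 0:
        try:
            return "crashed:" + signal.Signals(-rc).name
        except ValueError:
            return "crashed:signal%d" % -rc
    return "error:%d" % rc


def probe_md5(imports_first=(), python=sys.executable, timeout=60):
    """Run the MD5 probe in a child interpreter and summarise the result.

    Returns a dict with "status" (see classify_returncode), the probe's
    stdout (the digest on success, the error text on clean refusal) and
    its stderr (tracebacks for import failures).
    """
    script = PROBE_TEMPLATE.format(imports=list(imports_first))
    proc = subprocess.run(
        [python, "-c", script],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=timeout,
    )
    return {
        "status": classify_returncode(proc.returncode),
        "output": proc.stdout.decode("utf-8", errors="replace"),
        "stderr": proc.stderr.decode("utf-8", errors="replace"),
    }


if __name__ == "__main__":
    # Compare the two orderings from the report: hashlib alone, and
    # hashlib after the module named on the command line (default OpenSSL).
    first = sys.argv[1] if len(sys.argv) > 1 else "OpenSSL"
    for order in ((), (first,)):
        result = probe_md5(order)
        print("imports before hashlib=%r -> %s %s"
              % (list(order), result["status"], result["output"][:40]))
```

On a healthy interpreter both orderings report `ok` with the same digest; a `crashed:SIGSEGV` or `crashed:SIGABRT` only for the second ordering reproduces the import-order dependence described above, while `unavailable` is the Python 3 behaviour of refusing MD5 without crashing.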