Bug#1014517:
On Wed, Jul 26, 2023 at 01:21:58PM -0400, Dillon Amburgey wrote:
> I understand and agree the behavior doesn't quite make sense.
> While I know this code has not recently changed inside apt, I believe
> it must have recently started expressing itself when combined with
> some other change on the mirrors or in the release process.
>
> I do think this is a regression in a practical sense compared to
> oldstable. I'm currently unable to create new containers for stable
> but am able to for oldstable:

Debian is not a FIPS certified platform, nor has it been tested on
kernels with the FIPS flag enabled. As such, there will be plenty of
bugs like that in a stable release.

If you want to work on a Debian that runs on FIPS kernels, by all
means, you are free to work on that for future versions. I do not
think however that people will be very agreeable to NSA cryptoscams.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Bug#1014517:
I understand and agree the behavior doesn't quite make sense.
While I know this code has not recently changed inside apt, I believe
it must have recently started expressing itself when combined with
some other change on the mirrors or in the release process.

I do think this is a regression in a practical sense compared to
oldstable. I'm currently unable to create new containers for stable
but am able to for oldstable:

➜ ~ docker run -it --rm debian:oldstable apt update
Unable to find image 'debian:oldstable' locally
oldstable: Pulling from library/debian
70705a13f194: Pull complete
Digest: sha256:2053cf94aadec2cc167488183a928165313c281b954d042d45ba65cb84459fde
Status: Downloaded newer image for debian:oldstable
Get:1 http://deb.debian.org/debian oldstable InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security oldstable-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian oldstable-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian oldstable/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security oldstable-security/main amd64 Packages [252 kB]
Get:6 http://deb.debian.org/debian oldstable-updates/main amd64 Packages [14.8 kB]
Fetched 8658 kB in 2s (3764 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

➜ ~ docker run -it --rm debian:stable apt update
Get:1 http://deb.debian.org/debian stable InRelease [151 kB]
Get:2 http://deb.debian.org/debian stable-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security stable-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian stable/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian stable-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security stable-security/main amd64 Packages [48.0 kB]
Fetched 9210 kB in 2s (4051 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context

Fatal error: requested algo not in md context

I was able to reproduce this behavior on a fresh EC2 instance with AMI
ID ami-0f2bfd15cb2cab7e0, so I don't think it should have anything to
do with our particular environment.

Is there any other information I can provide?

On Wed, Jul 26, 2023 at 10:55 AM Julian Andres Klode wrote:
>
> On Mon, Jul 24, 2023 at 10:35:35PM -0400, Dillon Amburgey wrote:
> > I have seen this as well. This has recently started breaking apt
> > update on bookworm docker images as well as images built off bookworm
> > (e.g. python:3.8)
> >
> > This can be easily reproduced on FIPS-enabled hosts:
> > docker run -it --rm debian:bookworm apt update
> > Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
> > Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
> > Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
> > Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
> > Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
> > Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [48.0 kB]
> > Fetched 9210 kB in 2s (4169 kB/s)
> > fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
> >
> > Fatal error: requested algo not in md context
> >
> > I also was able to use snapshot.debian.org to isolate when the
> > failures started. 20230722T085252Z was the last good snapshot with
> > 20230722T110049Z being the first failing snapshot.
> >
> > docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> > Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm InRelease [151 kB]
> > Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm-updates InRelease [52.1 kB]
> > Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z bookworm-security InRelease [48.0 kB]
> > Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm/main amd64 Packages [8906 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm-updates/main amd64 Packages [4732 B]
> > Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z bookworm-security/main amd64 Packages [48.0 kB]
> > Fetched 9210 kB in 1min 8s (136 kB/s)
> > fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
> >
> > Fatal error: requested algo not in md context
> >
> > docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> > Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm InRelease [147 kB]
> > Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm-updates InRelease [52.1 kB]
> > Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> >
Bug#1014517:
On Mon, Jul 24, 2023 at 10:35:35PM -0400, Dillon Amburgey wrote:
> I have seen this as well. This has recently started breaking apt
> update on bookworm docker images as well as images built off bookworm
> (e.g. python:3.8)
>
> This can be easily reproduced on FIPS-enabled hosts:
> docker run -it --rm debian:bookworm apt update
> Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
> Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
> Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
> Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
> Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
> Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [48.0 kB]
> Fetched 9210 kB in 2s (4169 kB/s)
> fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
>
> Fatal error: requested algo not in md context
>
> I also was able to use snapshot.debian.org to isolate when the
> failures started. 20230722T085252Z was the last good snapshot with
> 20230722T110049Z being the first failing snapshot.
>
> docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm InRelease [151 kB]
> Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm-updates InRelease [52.1 kB]
> Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z bookworm-security InRelease [48.0 kB]
> Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm/main amd64 Packages [8906 kB]
> Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm-updates/main amd64 Packages [4732 B]
> Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z bookworm-security/main amd64 Packages [48.0 kB]
> Fetched 9210 kB in 1min 8s (136 kB/s)
> fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
>
> Fatal error: requested algo not in md context
>
> docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm InRelease [147 kB]
> Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm-updates InRelease [52.1 kB]
> Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z bookworm-security InRelease [48.0 kB]
> Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z bookworm-debug InRelease [49.8 kB]
> Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages [8904 kB]
> Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages
> Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm-updates/main amd64 Packages [4732 B]
> Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z bookworm-security/main amd64 Packages [48.0 kB]
> Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z bookworm-debug/main amd64 Packages [3564 kB]
> Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages [8904 kB]
> Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages
> Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages [8904 kB]
> Fetched 11.2 MB in 5min 13s (35.9 kB/s)
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> All packages are up to date.

This doesn't make sense, let's be clear about this. MD5 is an integral
part of the archive, it doesn't suddenly pop up, and APT uses any MD5
it can find as an additional (untrusted) hash.

And APT itself has been using libgcrypt for hashing since 1.9.6;
oldstable is shipping 2.2.4.

This is fixed in 2.7.2, fsvo of fixed. I do believe that this is
bullshit and libgcrypt's FIPS mode should be entirely disabled, as in
Ubuntu, as Debian's libgcrypt is not FIPS certified.

As this is not a regression vs oldstable, and we realistically may be
preempting configuration of libgcrypt by applications using the
apt-pkg library, I do not think this is a change that should be
released to a stable update.

I did pick it for unstable and testing, but ultimately we need to
replace libgcrypt with nettle.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Bug#1014517:
I have seen this as well. This has recently started breaking apt
update on bookworm docker images as well as images built off bookworm
(e.g. python:3.8)

This can be easily reproduced on FIPS-enabled hosts:
docker run -it --rm debian:bookworm apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [48.0 kB]
Fetched 9210 kB in 2s (4169 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context

Fatal error: requested algo not in md context

I also was able to use snapshot.debian.org to isolate when the
failures started. 20230722T085252Z was the last good snapshot with
20230722T110049Z being the first failing snapshot.

docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm InRelease [151 kB]
Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm-updates InRelease [52.1 kB]
Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z bookworm-security InRelease [48.0 kB]
Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm/main amd64 Packages [8906 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z bookworm-updates/main amd64 Packages [4732 B]
Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z bookworm-security/main amd64 Packages [48.0 kB]
Fetched 9210 kB in 1min 8s (136 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context

Fatal error: requested algo not in md context

docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm InRelease [147 kB]
Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm-updates InRelease [52.1 kB]
Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z bookworm-security InRelease [48.0 kB]
Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z bookworm-debug InRelease [49.8 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages [8904 kB]
Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages
Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm-updates/main amd64 Packages [4732 B]
Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z bookworm-security/main amd64 Packages [48.0 kB]
Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z bookworm-debug/main amd64 Packages [3564 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages [8904 kB]
Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z bookworm/main amd64 Packages [8904 kB]
Fetched 11.2 MB in 5min 13s (35.9 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
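The snapshot bisection done by hand in the message above can be scripted. The following is an added example, not code from the bug report, from apt or from Debian: it generates a sources.list for one snapshot.debian.org timestamp, runs `apt-get update` in a throwaway debian:bookworm container with that file bind-mounted over /etc/apt/sources.list.d (the same trick as the report), classifies the output by the libgcrypt fatal-error string, and binary-searches an ordered list of timestamps for the first failing one. Assumptions: docker is installed for the real probe; the candidate timestamp list is fetched by hand from the snapshot.debian.org archive index; `Acquire::Check-Valid-Until=false` is passed so older snapshots are not rejected for expired Release files. The bisection itself is generic and works with any probe function that answers `good` or not.

```shell
#!/bin/sh
# Added example (not from the bug report): automate the snapshot.debian.org
# bisection for the "requested algo not in md context" failure.
set -u

# 1 if the kernel reports FIPS mode, else 0 (the proc file is absent on most hosts).
fips_enabled() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# Print sources.list lines pointing a suite (default bookworm) at one snapshot.
snapshot_sources() {
    ts=$1
    suite=${2:-bookworm}
    printf 'deb http://snapshot.debian.org/archive/debian/%s %s main\n' "$ts" "$suite"
    printf 'deb http://snapshot.debian.org/archive/debian/%s %s-updates main\n' "$ts" "$suite"
    printf 'deb http://snapshot.debian.org/archive/debian-security/%s %s-security main\n' "$ts" "$suite"
}

# Classify captured "apt update" output: good, libgcrypt-fips, or unknown.
classify_apt_output() {
    case "$1" in
        *"requested algo not in md context"*) echo libgcrypt-fips ;;
        *"All packages are up to date."*|*"can be upgraded."*) echo good ;;
        *) echo unknown ;;
    esac
}

# Real probe (needs docker): bind-mount a generated sources.list.d over the
# image's own and run apt-get update; prints the classification.
docker_probe() {
    dir=$(mktemp -d)
    snapshot_sources "$1" > "$dir/snapshot.list"
    out=$(docker run --rm -v "$dir:/etc/apt/sources.list.d:ro" debian:bookworm \
              apt-get -o Acquire::Check-Valid-Until=false update 2>&1) || true
    rm -rf "$dir"
    classify_apt_output "$out"
}

# Binary search: $1 = probe function name, remaining args = timestamps, oldest
# first, assumed to switch from good to bad exactly once. Prints the first
# timestamp whose probe is not "good"; prints nothing if every one is good.
bisect_first_bad() {
    probe=$1
    shift
    lo=1
    hi=$#
    first_bad=""
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        eval "ts=\${$mid}"          # positional parameter number $mid
        if [ "$($probe "$ts")" = good ]; then
            lo=$((mid + 1))
        else
            first_bad=$ts
            hi=$((mid - 1))
        fi
    done
    [ -n "$first_bad" ] && echo "$first_bad"
    return 0
}

# Usage on a real host, with the two timestamps from the report and whatever
# snapshots lie between them (list taken from the snapshot.debian.org index):
#   echo "fips_enabled=$(fips_enabled)"
#   bisect_first_bad docker_probe 20230722T085252Z 20230722T110049Z
```

The probe deliberately keys on the libgcrypt message rather than on apt's exit status, so a network or mirror error (classified `unknown`) is not mistaken for the FIPS failure; check `fips_enabled` first, because on a host without the FIPS flag every snapshot will come back `good` and the bisection proves nothing.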
Bug#1014517: apt - Fails in FIPS mode in libgcrypt
So I see in the changes to libgcrypt since bullseye that there have
been some changes in the initialization on systems where FIPS is
enabled.

The attached patch has "works for me" status, and I feel that it is
the correct way to continue to have apt function as expected on a
FIPS enabled system.

I added a GCRYCTL_NO_FIPS_MODE setting in maybeInit() in
apt-pkg/contrib/hashes.cc

And, since the value of the enum GCRYCTL_NO_FIPS_MODE appeared just
before the release of libgcrypt 1.10.0, I added that version
dependency to the debian/control file.

Control: tag -1 patch

-Maitland

enc: 0001-Do-not-fail-on-systems-running-in-FIPSmode.patch

From 4df25d8781f56036e921792fdd48abd5f2084d98 Mon Sep 17 00:00:00 2001
From: "A. Maitland Bottoms"
Date: Sun, 28 May 2023 15:12:36 -0400
Subject: [PATCH] Do not fail on systems running in FIPSmode.

Initialize using gcrypt's GCRYCTL_NO_FIPS_MODE, available since gcrypt
version 1.10.0, otherwise apt aborts on FIPS enabled systems.
---
 apt-pkg/contrib/hashes.cc | 3 +++
 debian/changelog          | 6 ++
 debian/control            | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc
index 313b1d37d..80b9bbf3f 100644
--- a/apt-pkg/contrib/hashes.cc
+++ b/apt-pkg/contrib/hashes.cc
@@ -330,6 +330,9 @@ public: exit(2); } + // It is OK for apt to use MD5. + gcry_control(GCRYCTL_NO_FIPS_MODE, 0); + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); } }
diff --git a/debian/changelog b/debian/changelog
index 5961148d2..e279ad0d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@ +apt (2.6.2) unstable; urgency=medium + + * Do not fail on systems running in FIPSmode. (Closes: #1014517) + + -- A. Maitland Bottoms Sun, 28 May 2023 11:28:37 -0400 + apt (2.6.1) unstable; urgency=medium * Restore adduser dependency for bookworm.
diff --git a/debian/control b/debian/control
index 58c6be15e..6f3ceb81e 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ Build-Depends: cmake (>= 3.4), libbz2-dev, libdb-dev, libgnutls28-dev (>= 3.4.6), - libgcrypt20-dev, + libgcrypt20-dev (>=1.10.0), liblz4-dev (>= 0.0~r126), liblzma-dev, libseccomp-dev (>= 2.4.2) [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x hppa powerpc powerpcspe ppc64 x32], -- 2.39.2
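Review bot: in the hashes.cc hunk the return value of `gcry_control(GCRYCTL_NO_FIPS_MODE, 0);` is discarded, although the surrounding maybeInit() code already exits(2) when an earlier initialisation step fails; gcry_control returns a gcry_error_t and libgcrypt documents GCRYCTL_NO_FIPS_MODE as only honoured before initialisation is finished and not when FIPS mode is enforced, so a refused request here silently continues into GCRYCTL_INITIALIZATION_FINISHED with FIPS still on and the same abort as before. Check the result and, when it fails, take the fallback the original report suggests (gcry_fips_mode_active() and skip MD5). The comment `// It is OK for apt to use MD5.` also understates what the call does: it switches FIPS mode off for the whole process, so every application that links libapt-pkg has its libgcrypt configuration decided here; the comment should say so.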
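Review bot: the changelog entry `* Do not fail on systems running in FIPSmode. (Closes: #1014517)` leaves out two things a stable or unstable uploader needs to know from this upload: the new build-dependency on libgcrypt20-dev (>= 1.10.0) and the fact that libapt-pkg now disables libgcrypt's FIPS mode process-wide for anything linking it. Add both to the entry; and write "FIPS mode" (two words) here and in the commit subject.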
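Review bot: style, `+ libgcrypt20-dev (>=1.10.0),` should be `libgcrypt20-dev (>= 1.10.0),` with a space after the operator, matching the neighbouring `libgnutls28-dev (>= 3.4.6)` and `liblz4-dev (>= 0.0~r126)` in the same hunk. Note also that a Build-Depends bump only guarantees the header defines GCRYCTL_NO_FIPS_MODE at build time; if apt is also meant to run only against a libgcrypt20 that understands the control command, that has to come from the package's runtime dependency (shlibs/symbols), which this patch does not touch.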
Bug#1014517: apt - Fails in FIPS mode in libgcrypt
Package: apt
Version: 2.5.1
Severity: normal

"apt update" fails if the system runs in FIPS mode:

| # apt update
| Hit:2 http://deb.debian.org/debian-debug sid InRelease
| fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
|
| Fatal error: requested algo not in md context
| Aborted

The backtrace is:

| #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
| #1  0xf78a630c in __GI_abort () at abort.c:79
| #2  0xf75ce110 in _gcry_fatal_error (rc=rc@entry=5, text=text@entry=0xf765cb80 "requested algo not in md context") at ../../src/misc.c:97
| #3  0xf75e65b0 in md_read (algo=, a=, a=) at ../../cipher/md.c:1095
| #4  0xf7e435ac in HexDigest (hd=, algo=) at ./apt-pkg/contrib/hashes.cc:429
| #5  0xf7e44a18 in Hashes::GetHashString (this=this@entry=0xe6d8, hash=hash@entry=Hashes::MD5SUM) at ./apt-pkg/contrib/hashes.cc:457
| #6  0xf7e5bfd4 in debListParser::Description_md5 (this=0xaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
| #7  0xf7ecc020 in pkgCacheGenerator::MergeListVersion (this=this@entry=0xaab31470, List=..., Pkg=..., Version=..., OutVer=@0xe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
| #8  0xf7ecdb0c in pkgCacheGenerator::MergeList (this=this@entry=0xaab31470, List=..., OutVer=, OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
| #9  0xf7eb030c in pkgDebianIndexFile::Merge (this=, Gen=..., Prog=) at ./apt-pkg/indexfile.cc:348
| #10 0xf7ec8ef4 in operator() (__closure=__closure@entry=0xebc0, I=0xaab0a340) at ./apt-pkg/pkgcachegen.cc:1557
| #11 0xf7ecedb4 in std::for_each<__gnu_cxx::__normal_iterator >, BuildCache(pkgCacheGenerator&, OpProgress*, map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, FileIterator):: > (__f=..., __last=0x0, __first=0xaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
| #12 BuildCache (Gen=..., Progress=, Progress@entry=0xf280, CurrentSize=@0xecf0: 100043188, TotalSize=, TotalSize@entry=100043188,
|     List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
| #13 0xf7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., Progress=Progress@entry=0xf280, OutMap=OutMap@entry=0xef18, OutCache=OutCache@entry=0xef20)
|     at /usr/include/c++/11/bits/stl_iterator.h:1026
| #14 0xf7e0b2dc in pkgCacheFile::BuildCaches (this=0xf0c0, Progress=0xf280, WithLock=) at ./apt-pkg/cachefile.cc:127
| #15 0xf7f9e6fc in DoUpdate(CommandLine&) () from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #16 0xf7e27d20 in CommandLine::DispatchArg (this=0xf448, Map=, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
| #17 0xf7f633f4 in DispatchCommandLine(CommandLine&, std::vector > const&) ()
|     from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #18 0x1898 in ?? ()
| #19 0xf78a6614 in __libc_start_main (main=0x17c0, argc=2, argv=0xf5d8, init=, fini=, rtld_fini=,
|     stack_end=) at ../csu/libc-start.c:332
| #20 0x19b8 in ?? ()

In FIPS mode MD5 is not allowed, so every usage results in a fatal
error. One workaround would be: check for FIPS mode with
gcry_fips_mode_active and don't try to use it then.

Bastian

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information