[Bug 1942489] Re: no wired network option in ubuntu 20.10
Thank You -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1942489 Title: no wired network option in ubuntu 20.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1942489/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1942489] [NEW] no wired network option in ubuntu 20.10
Public bug reported:

I am new to Ubuntu. I have recently installed ubuntu 20.10. I get wireless network but there is no option to connect to wired LAN network connection.

** Affects: ubuntu
     Importance: Undecided
         Status: New
[Bug 1926395] acpidump.txt
apport information ** Attachment added: "acpidump.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494541/+files/acpidump.txt
[Bug 1926395] UdevDb.txt
apport information ** Attachment added: "UdevDb.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494539/+files/UdevDb.txt
[Bug 1926395] WifiSyslog.txt
apport information ** Attachment added: "WifiSyslog.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494540/+files/WifiSyslog.txt
[Bug 1926395] RfKill.txt
apport information ** Attachment added: "RfKill.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494538/+files/RfKill.txt
[Bug 1926395] PulseList.txt
apport information ** Attachment added: "PulseList.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494537/+files/PulseList.txt
[Bug 1926395] ProcModules.txt
apport information ** Attachment added: "ProcModules.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494536/+files/ProcModules.txt
[Bug 1926395] ProcInterrupts.txt
apport information ** Attachment added: "ProcInterrupts.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494535/+files/ProcInterrupts.txt
[Bug 1926395] ProcEnviron.txt
apport information ** Attachment added: "ProcEnviron.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494534/+files/ProcEnviron.txt
[Bug 1926395] ProcCpuinfoMinimal.txt
apport information ** Attachment added: "ProcCpuinfoMinimal.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494533/+files/ProcCpuinfoMinimal.txt
[Bug 1926395] ProcCpuinfo.txt
apport information ** Attachment added: "ProcCpuinfo.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494532/+files/ProcCpuinfo.txt
[Bug 1926395] Lsusb-v.txt
apport information ** Attachment added: "Lsusb-v.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494531/+files/Lsusb-v.txt
[Bug 1926395] Lsusb-t.txt
apport information ** Attachment added: "Lsusb-t.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494530/+files/Lsusb-t.txt
[Bug 1926395] Lspci-vt.txt
apport information ** Attachment added: "Lspci-vt.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494529/+files/Lspci-vt.txt
[Bug 1926395] Lspci.txt
apport information ** Attachment added: "Lspci.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494528/+files/Lspci.txt
[Bug 1926395] IwConfig.txt
apport information ** Attachment added: "IwConfig.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494527/+files/IwConfig.txt
[Bug 1926395] CRDA.txt
apport information ** Attachment added: "CRDA.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494525/+files/CRDA.txt
[Bug 1926395] CurrentDmesg.txt
apport information ** Attachment added: "CurrentDmesg.txt" https://bugs.launchpad.net/bugs/1926395/+attachment/5494526/+files/CurrentDmesg.txt
[Bug 1926395] Re: unexpected shutdown
apport information

** Tags added: apport-collected

** Description changed:

  I use my notebook and it suddenly shuts down; when I try to turn it on it takes a few minutes with a black screen, then a white flash, and this repeats 3 times; then the purple screen appears, stays for a few minutes, and only then do the user and the rest appear. When starting up it does so, but afterwards the black screen appears or it shuts down again, and if I want to watch a video the process repeats continuously.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: ubiquity (not installed)
  ProcVersionSignature: Ubuntu 5.4.0-73.82-generic 5.4.106
  Uname: Linux 5.4.0-73-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Apr 28 00:40:04 2021
  InstallCmdLine: file=/cdrom/preseed/ubuntu.seed boot=casper initrd=/casper/initrd quiet splash --- maybe-ubiquity
  InstallationDate: Installed on 2020-03-02 (422 days ago)
  InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
  SourcePackage: ubiquity
  Symptom: installation
  UpgradeStatus: Upgraded to focal on 2021-04-27 (0 days ago)
+ ---
+ ProblemType: Bug
+ ApportVersion: 2.20.11-0ubuntu27.17
+ Architecture: amd64
+ AudioDevicesInUse:
+ USERPID ACCESS COMMAND
+ /dev/snd/controlC0: joy1439 F pulseaudio
+ CasperMD5CheckResult: skip
+ CurrentDesktop: ubuntu:GNOME
+ DistroRelease: Ubuntu 20.04
+ InstallationDate: Installed on 2020-03-02 (427 days ago)
+ InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
+ Lsusb:
+ Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+ Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
+ Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+ Bus 003 Device 002: ID 0458:0185 KYE Systems Corp. (Mouse Systems) Wireless Mouse
+ Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
+ MachineType: LENOVO PAWGC_GD
+ Package: linux (not installed)
+ ProcFB: 0 radeondrmfb
+ ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-73-generic root=UUID=c603edbf-0151-4041-8a4a-fa02e43ad0f2 ro quiet splash vt.handoff=7
+ ProcVersionSignature: Ubuntu 5.4.0-73.82-generic 5.4.106
+ RelatedPackageVersions:
+ linux-restricted-modules-5.4.0-73-generic N/A
+ linux-backports-modules-5.4.0-73-generic N/A
+ linux-firmware1.187.12
+ Tags: focal
+ Uname: Linux 5.4.0-73-generic x86_64
+ UpgradeStatus: Upgraded to focal on 2021-04-27 (6 days ago)
+ UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
+ _MarkForUpload: True
+ dmi.bios.date: 05/03/2012
+ dmi.bios.vendor: LENOVO
+ dmi.bios.version: 41CN28WW(V2.04)
+ dmi.board.asset.tag: Base Board Asset Tag
+ dmi.board.name: Inagua
+ dmi.board.vendor: LENOVO
+ dmi.board.version: Base Board Version
+ dmi.chassis.asset.tag: Chassis Asset Tag
+ dmi.chassis.type: 10
+ dmi.chassis.vendor: Chassis Manufacturer
+ dmi.chassis.version: Chassis Version
+ dmi.modalias: dmi:bvnLENOVO:bvr41CN28WW(V2.04):bd05/03/2012:svnLENOVO:pnPAWGC_GD:pvrINVALID:rvnLENOVO:rnInagua:rvrBaseBoardVersion:cvnChassisManufacturer:ct10:cvrChassisVersion:
+ dmi.product.family: IDEAPAD
+ dmi.product.name: PAWGC_GD
+ dmi.product.sku: 123456789
+ dmi.product.version: INVALID
+ dmi.sys.vendor: LENOVO

** Attachment added: "AlsaInfo.txt"
   https://bugs.launchpad.net/bugs/1926395/+attachment/5494524/+files/AlsaInfo.txt
[Bug 1926395] [NEW] unexpected shutdown
Public bug reported:

I use my notebook and it suddenly shuts down; when I try to turn it on it takes a few minutes with a black screen, then a white flash, and this repeats 3 times; then the purple screen appears, stays for a few minutes, and only then do the user and the rest appear. When starting up it does so, but afterwards the black screen appears or it shuts down again, and if I want to watch a video the process repeats continuously.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: ubiquity (not installed)
ProcVersionSignature: Ubuntu 5.4.0-73.82-generic 5.4.106
Uname: Linux 5.4.0-73-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Wed Apr 28 00:40:04 2021
InstallCmdLine: file=/cdrom/preseed/ubuntu.seed boot=casper initrd=/casper/initrd quiet splash --- maybe-ubiquity
InstallationDate: Installed on 2020-03-02 (422 days ago)
InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
SourcePackage: ubiquity
Symptom: installation
UpgradeStatus: Upgraded to focal on 2021-04-27 (0 days ago)

** Affects: ubuntu
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug focal ubiquity-18.04.14.14
[Bug 1802533] Re: [MIR] pipewire
This second review will only document the areas that some difference was found from the first review.

I reviewed pipewire 0.3.15-1 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

- Build-Depends: debhelper-compat (= 13), libasound2-dev, libbluetooth-dev, libdbus-1-dev, libglib2.0-dev (>= 2.32.0), libgstreamer-plugins-base1.0-dev, libgstreamer1.0-dev, libjack-jackd2-dev (>= 1.9.10), libpulse-dev (>= 11.1), libsbc-dev, libsdl2-dev, libsndfile1-dev (>= 1.0.20), libsystemd-dev, libudev-dev, libv4l-dev, meson (>= 0.50.0), pkg-config (>= 0.22), systemd, xmltoman, doxygen, graphviz
- pre/post inst/rm scripts: dh_installsystemduser automatically adds postinst scripts to enable the pipewire.service and pipewire.socket units. dh_installsystemduser automatically adds a postrm that removes or purges the pipewire.socket and pipewire.service.
- udev rules: 90-pipewire-alsa.rules
- autopkgtests - 3 bash scripts to test interaction with gnome, gstreamer and libpipewire. There are also tests integrated into the source code. They are run during the build cycle. There are also examples and tests packaged in pipewire.test pkg.
- Build logs: Built successfully. However, because the code contains unusual characters in comments, there were many "bogus" warnings during the build. i.e.,

  /** \class pw_filter
   *
   * \brief PipeWire filter object class
   *
   * The filter object provides a convenient way to implement
   * processing filters.
   *
   * See also \ref page_filters and \ref page_core_api
   */

- LINTIAN ran successfully with some errors and warnings:

  E: pipewire changes: bad-distribution-in-changes-file unstable
  E: pipewire-audio-client-libraries: custom-library-search-path usr/lib/x86_64-linux-gnu/pipewire-0.3/pulse/libpulse-mainloop-glib.so.0.315.0 /usr/${LIB}/pipewire-0.3/pulse
  E: pipewire-audio-client-libraries: custom-library-search-path usr/lib/x86_64-linux-gnu/pipewire-0.3/pulse/libpulse-simple.so.0.315.0 /usr/${LIB}/pipewire-0.3/pulse
  E: pipewire-audio-client-libraries: library-not-linked-against-libc usr/lib/x86_64-linux-gnu/pipewire-0.3/jack/libjacknet.so.0.315.0
  E: pipewire-audio-client-libraries: library-not-linked-against-libc usr/lib/x86_64-linux-gnu/pipewire-0.3/jack/libjackserver.so.0.315.0
  W: pipewire-bin: no-manual-page usr/bin/pipewire-media-session
  W: pipewire-bin: no-manual-page usr/bin/pw-reserve
  W: pipewire-bin: no-manual-page usr/bin/spa-acp-tool
  W: pipewire-bin: no-manual-page usr/bin/spa-inspect
  W: pipewire-bin: no-manual-page usr/bin/spa-monitor
  W: pipewire-bin: no-manual-page usr/bin/spa-resample
  N: 7 tags overridden (7 errors)

- spawns a daemon, code looks ok.
- Memory management: Quite a bit of malloc|calloc|realloc used without checking return value before use. Especially in spa/plugins.
- A lot of environment variables. Looking at a random sampling, code-wise looks ok, but use of them in some places may be questionable. i.e.
  1. pw-pulse.in and pw-jack.in shell scripts use and modify LD_LIBRARY_PATH so applications load pipewire's pulseaudio or jack instead of Jack's and PulseAudio's.
  2. The pipewire daemon uses env vars to set alternative name and config file for the daemon. The name can also be set with a cmdline option to the daemon. So can change the name in 2 different places.
  3. pw_init() contains env vars when the daemon initializes to change defaults such as the spa plugin directory. Wonder why not use a config file for some of these?
- cppcheck reports a lot of uninitialized variables.

Conclusions: Significant source code growth and changes since first security MIR review. Code base seems to be transitioning from new development to stability.

Security team ACK for promoting pipewire to main.

** Changed in: pipewire (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1802533] Re: [MIR] pipewire
** Changed in: pipewire (Ubuntu) Status: Triaged => In Progress
[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
This has been fixed in bionic. Already fixed in xenial.
[Bug 1731410] Re: package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: подпроцесс установлен сценарий post-installation возвратил код ошибки 1
Hi, Is this still an issue? Changing the status to incomplete. ** Changed in: pcsc-lite (Ubuntu) Status: New => Incomplete
[Bug 1683378] Re: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
Hi, Is this still an issue? Changing the status to incomplete. ** Changed in: pcsc-lite (Ubuntu) Status: New => Incomplete
[Bug 1690543] Re: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente de outras
Hi, Is this still an issue? Changing the status to incomplete. ** Changed in: pcsc-lite (Ubuntu) Status: New => Incomplete
[Bug 1570359] Re: pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()
Hi, Is this still an issue? Changing the status to incomplete. ** Changed in: pcsc-lite (Ubuntu) Status: Confirmed => Incomplete
[Bug 1539999] Re: Omnikey Cardreader not working
Is this still an issue? Changing to incomplete. ** Changed in: pcsc-lite (Ubuntu) Status: New => Incomplete
[Bug 1366152] Re: System crash when Vasco-card-reader is plugged in at powerup
This bugreport has had no activity and has eol. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: New => Won't Fix
[Bug 1700104] Re: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
Fixed in subsequent release. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: Confirmed => Won't Fix
[Bug 1161882] Re: ACR38U Does not work on 12.10
This bug was not applicable to pcsc-lite package. Closing since no activity and eol. ** Changed in: pcsc-lite (Ubuntu) Status: New => Invalid
[Bug 1090238] Re: pcscd hangs after ejecting Rutoken ECP making some comunication with token
This was fixed in subsequent release. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: Confirmed => Fix Committed
[Bug 1061947] Re: pcscd (auto)starting and permission troubles
This is most likely fixed via pcscd starting from systemd in current releases. Closing this since it has had no activity and has eol. ** Changed in: pcsc-lite (Ubuntu) Status: Confirmed => Fix Committed
[Bug 1004683] Re: pcscd fails to access Reiner SCT CyberJack card reader
This bugreport has had no activity and has eol. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: New => Invalid
[Bug 796893] Re: Rutoken Magistra init fails in natty
This bugreport has had no activity and has eol. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: New => Won't Fix
[Bug 795540] Re: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
This bugreport has had no activity and has eol. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: Confirmed => Won't Fix
[Bug 790502] Re: If OS has started the pcscd service won'n start up
This bugreport has had no activity and has eol. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: Confirmed => Won't Fix
[Bug 776082] Re: pcscd spams syslog whenever mozilla is running and CAC card is not inserted/present
This bugreport has had no activity and has eol. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: New => Won't Fix
[Bug 336815] Re: Aladdin etoken pro not supported anymore with pcscd
This bug appears to have been fixed in an update. Closing. ** Changed in: pcsc-lite (Ubuntu) Status: New => Fix Released
[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
** Description changed: - The fix for #1835135 was not included into the python2.7 update. This - bug has been opened to include it. + The fix for #1835135 was included into a python2.7 ver when python2.7 + was updated, the fix was not included. It needs to be put pack into the + latest version pf python2.7 to prevent FIPS issues when using fips + openssl with python's hashlib. This is only a problem in latest + python2.7 versions in xenial, bionic, focal, and groovy. python3 + versions do not have this problem on the above releases. + + The fix was a backport of + https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae ** Description changed: - The fix for #1835135 was included into a python2.7 ver when python2.7 - was updated, the fix was not included. It needs to be put pack into the - latest version pf python2.7 to prevent FIPS issues when using fips - openssl with python's hashlib. This is only a problem in latest - python2.7 versions in xenial, bionic, focal, and groovy. python3 - versions do not have this problem on the above releases. + LP #1835135 was fixed in python2.7. However, when python2.7 was updated + to current verion, the fix was not included. It needs to be included + again into current version of python2.7 to prevent FIPS issues when + using fips openssl with python's hashlib. This is only a problem in + latest python2.7 versions in xenial, bionic, focal, and groovy. python3 + versions do not have this problem in these releases. The fix was a backport of https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae
[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
** Also affects: python2.7 (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: python2.7 (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: python2.7 (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: python2.7 (Ubuntu Focal) Importance: Undecided Status: New
[Bug 1898078] [NEW] FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Public bug reported: The fix for #1835135 was not included into the python2.7 update. This bug has been opened to include it. ** Affects: python2.7 (Ubuntu) Importance: Undecided Status: New
[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
pcsc-lite source package provides pcscd and libpcsclite1 and thus is needed for smartcard deployment.
[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
pcscd is required. When removed, I am not able to get any info from the driver about the reader or the smartcard. pcscd loads the smartcard driver and coordinates communications.
[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
Hi Seth and Christian, I did a smartcard setup and confirmed I did not have to use anything from pcsc-tools. And pcsc-tools seem to depend on libpcsc-perl, so won't need pcsc-perl either. My "sudo apt install opensc" pulled in libccid, libpcsclite1, opensc-pkcs11 and pcscd binary packages. I only needed one additional install of "libpam-pkcs11". Next, I am looking into the pcscd requirement. Will comment shortly.
[Bug 1802533] Re: [MIR] pipewire
Reassigning so that necessary work is done to get pipewire updated, building and working in groovy. ** Changed in: pipewire (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1802533] Re: [MIR] pipewire
Hi, security team is wanting to do a MIR audit on pipewire for groovy. Unfortunately, the current pipewire source downloaded from groovy does not appear to have been updated nor does it build.
[Bug 1851682] Re: oscap is broken in ubuntu 19.10
Verified this on both bionic and focal.

Testcase: (focal)
    $ dpkg -l | grep libopenscap8
    ii libopenscap8 1.2.16-2ubuntu3.1 amd64 Set of libraries enabling integration of the SCAP line of standards
    $ oscap oval eval --report cve-report.html com.ubuntu.focal.cve.oval.xml
The scan was successful and generated a report.

Testcase: (bionic)
    $ dpkg -l | grep libopenscap8
    ii libopenscap8 1.2.15-1ubuntu0.2 amd64 Set of libraries enabling integration of the SCAP line of standards
    $ oscap oval eval --report cve-report.html com.ubuntu.bionic.cve.oval.xml
The scan was successful and generated a report.
[Bug 1851682] Re: oscap is broken in ubuntu 19.10
** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal
[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
** Description changed: [Impact] In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault. ntpq uses crypto hashes to authenticate its requests. By default it uses md5. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used. + + This issue is only applicable in bionic when using fips-openssl. [Test Steps] Test case: sudo apt install ntp ntpq -p Segmentation fault (core dumped) What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds: EVP_add_digest(EVP_md5()); What happens later in ntpq is (list_md_fn function inside ntpq.c): ctx = EVP_MD_CTX_new(); EVP_DigestInit(ctx, EVP_get_digestbyname(name)); EVP_DigestFinal(ctx, digest, _len); First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex): #ifdef OPENSSL_FIPS if (FIPS_mode()) { if (!(type->flags & EVP_MD_FLAG_FIPS) && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; } } #endif Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS). After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c) OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); causes a segfault (ctx->digest is NULL). So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized. [Regression Potential] I don't think this should regress ntpq + openssl from the Ubuntu archive. Current archive ntpq + openssl behaviour: - openssl includes all message digests and hands ntpq a sorted digest-list. + openssl includes all message digests and hands ntpq a sorted digest-list. 
ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well and sticks all digests into its list regardless if it is working or not. - i.e. + i.e. ntpq> help keytype function: set key type to use for authenticated requests, one of: - MD4, MD5, RIPEMD160, SHA1, SHAKE128 + MD4, MD5, RIPEMD160, SHA1, SHAKE128 If somehow openssl library is corrupted and sends back erroneous results, its possible the authentication will just not ever work. Newly fixed archive ntpq + oenssl beahviour: openssl includes all message digests and hands ntpq a sorted digest-list. ntpq checks each one and includes each working digest. With a non-corrupted openssl, everything works fine and ntpq includes each into its list. Ends up with a list identical to the one above. - - If somehow opensll library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking return code and include only those algos that appear to be working. Its possible authentication will work for ntpq. + + If somehow opensll library is corrupted and sends back erroneous + results, ntpq will hopefully catch it by checking return code and + include only those algos that appear to be working. Its possible + authentication will work for ntpq. The difference will be seen in ntpq + fips-openssl. ntpq will check return, and for fips-not-approved algos, return will indicate an error. So these algos will be skipped and ntpq will not include into its digest list. Resulting in a much shorter list of only fips-approved algos. i.e. ntpq> help keytype function: set key type to use for authenticated requests, one of: - SHA1, SHAKE128 + SHA1, SHAKE128 - Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files. + Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files. But I think it is somewhat understood that MD5 is bad in a FIPS environment. 
** Description changed: [Impact] In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault. ntpq uses crypto hashes to authenticate its requests. By default it uses md5. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used. - This issue is only applicable in bionic when using fips-openssl. + This issue is only applicable in bionic and when using fips-openssl. [Test Steps] Test case: sudo apt install ntp ntpq -p Segmentation fault (core dumped) What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually
[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
** Summary changed: - [fips] Not fully initialized digest segfaulting some client applications + [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Changed in: openssl (Ubuntu) Assignee: (unassigned) => Joy Latten (j-latten)
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Additional testing for ntpq authentication to ensure MD5 still works for ntpq in archive

NOTE: The shown testing is ntpq(with patch) + openssl from archive. To ensure all still works. Testing with ntpq + fips-openssl was also done successfully.

VM-A (ntp server)
1. Edit /etc/ntp.keys to include,
    1 SHA1 austintexas
    2 MD5 cedarpark
2. Edit /etc/ntp.conf to include.
    keys /etc/ntp.keys
    trustedkey 2
    controlkey 2
    requestkey 2
3. restart ntp
    sudo service ntp restart

VM-B (ntp client)
    $ dpkg -l | grep ntp
    ii ntp 1:4.2.8p10+dfsg-5ubuntu7.1+ppa1 amd64 Network Time Protocol daemon and utility programs
1. Edit /etc/ntp.keys to include,
    1 SHA1 austintexas
    2 MD5 cedarpark
2. Edit /etc/ntp.conf to include,
    keys /etc/ntp.keys
    server key 2
    trustedkey 2
    controlkey 2
    requestkey 2
3. I commented out all the "pool" entries in /etc/ntp.conf
4. restart ntp
    sudo service ntp restart

On the client,
    $ ntpq -c as
    ind assid status conf reach auth condition last_event cnt
    ===
    1 46728 f014 yes yes ok reject reachable 1
Notice that "auth" is ok.

    $ ntpq
    ntpq> keytype
    keytype is MD5 with 16 octet digests
    ntpq> keyid 2
    ntpq> ifstats
    MD5 Password:
    interface name send
    # address/broadcast drop flag ttl mc received sent failed peers uptime
    ==
    0 v6wildcard D 81 0 0 0 0 0 0 96
      [::]:123
    1 v4wildcard D 89 0 0 0 0 0 0 96
      0.0.0.0:123
    2 lo . 5 0 0 2 1 0 0 96
      127.0.0.1:123
    3 ens3 . 19 0 0 2 2 0 1 96
      192.168.122.105:123
    4 lo . 5 0 0 0 0 0 0 96
      [::1]:123
    5 ens3 . 11 0 0 0 0 0 0 96
      [fe80::5054:ff:fefe:b092%2]:123
    ntpq>
Note: issuing "ifstats" requires authentication. I also tested with SHA1 and it worked as well.

And last test on client,
    ntpq -p
    remote refid st t when poll reach delay offset jitter
    ==
    192.168.122.106 204.11.201.123 u 56 6471.5412.723 0.826
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Testing: There are no autopkgtests for ntp pkg and we do not run "make check" in the tests dir as part of the build. So, just in case it is applicable, I ran make check on my local build to ensure everything passes. ** Attachment added: "Results of running make check in ../tests directory" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5392383/+files/ntp-test-results
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Description changed: [Impact] In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault. - ntpq uses crypto hashes to authenticate its requests. By default it appears to use an internal md5 implementation. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used. - + ntpq uses crypto hashes to authenticate its requests. By default it uses + md5. However, when compiled with openssl it creates a lists of + acceptable hashes from openssl that can be used. + [Test Steps] Test case: sudo apt install ntp ntpq -p Segmentation fault (core dumped) What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds: EVP_add_digest(EVP_md5()); What happens later in ntpq is (list_md_fn function inside ntpq.c): ctx = EVP_MD_CTX_new(); EVP_DigestInit(ctx, EVP_get_digestbyname(name)); EVP_DigestFinal(ctx, digest, _len); First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex): #ifdef OPENSSL_FIPS if (FIPS_mode()) { if (!(type->flags & EVP_MD_FLAG_FIPS) && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; } } #endif Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS). After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c) OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); causes a segfault (ctx->digest is NULL). So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized. 
[Regression Potential] - I believe the resolution to check the return code and if unsuccessful, do not include the hash algorithm in the internal ntpq digest list, should not introduce any regression. - It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl. Instead it will add the others like sha1, sha2, and sha3. + I don't think this should regress ntpq + openssl from the Ubuntu + archive. + + Current archive ntpq + openssl behaviour: + openssl includes all message digests and hands ntpq a sorted digest-list. + ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well and sticks all digests into its list regardless if it is working or not. + + i.e. + ntpq> help keytype + function: set key type to use for authenticated requests, one of: + MD4, MD5, RIPEMD160, SHA1, SHAKE128 + + If somehow openssl library is corrupted and sends back erroneous + results, its possible the authentication will just not ever work. + + Newly fixed archive ntpq + oenssl beahviour: + openssl includes all message digests and hands ntpq a sorted digest-list. + ntpq checks each one and includes each working digest. With a non-corrupted openssl, everything works fine and ntpq includes each into its list. Ends up with a list identical to the one above. + + If somehow opensll library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking return code and include only those algos that appear to be working. Its possible authentication will work for ntpq. + + The difference will be seen in ntpq + fips-openssl. ntpq will check + return, and for fips-not-approved algos, return will indicate an error. + So these algos will be skipped and ntpq will not include into its digest + list. Resulting in a much shorter list of only fips-approved algos. + + i.e. 
+ ntpq> help keytype + function: set key type to use for authenticated requests, one of: + SHA1, SHAKE128 + + Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files. + But I think it is somewhat understood that MD5 is bad in a FIPS environment.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Description changed: - In FIPS mode on Bionic MD5 is semi-disabled causing some applications to - segfault. + [Impact] + In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault. + ntpq uses crypto hashes to authenticate its requests. By default it appears to use an internal md5 implementation. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used. + + [Test Steps] Test case: sudo apt install ntp ntpq -p Segmentation fault (core dumped) What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds: EVP_add_digest(EVP_md5()); What happens later in ntpq is (list_md_fn function inside ntpq.c): ctx = EVP_MD_CTX_new(); EVP_DigestInit(ctx, EVP_get_digestbyname(name)); EVP_DigestFinal(ctx, digest, _len); First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex): #ifdef OPENSSL_FIPS if (FIPS_mode()) { if (!(type->flags & EVP_MD_FLAG_FIPS) && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; } } #endif Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS). After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c) OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); causes a segfault (ctx->digest is NULL). So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized. + + [Regression Potential] + + I believe the resolution to check the return code and if unsuccessful, do not include the hash algorithm in the internal ntpq digest list, should not introduce any regression. 
+ It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl. Instead it will add the others like sha1, sha2, and sha3.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Build log: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/19570468
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
debdiff for bionic ** Attachment added: "debdiff.bionic" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5391374/+files/debdiff.bionic
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
I added return checks to ntpq code and this appears to solve the problem. Is it ok to make this an SRU?
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Also, this is only applicable in bionic. Neither xenial nor focal experience this issue.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
It seems 2 things are happening to generate this issue

1. fips-openssl in bionic has md5 and md5_sha1 in fips digest list with explicit purpose of accommodating PRF use only in fips mode. But you must pass the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use them.
2. ntpq does not check return codes from EVP_ calls. It has,

    ctx = EVP_MD_CTX_new();
    EVP_DigestInit(ctx, EVP_get_digestbyname(name));
    EVP_DigestFinal(ctx, digest, &digest_len);
    EVP_MD_CTX_free(ctx);
    if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
        return;

EVP_DigestInit() would have returned 0 in this case indicating a failure.

Possible fixes:

1. in fips-libcrypto library remove md5 from fips digest list and keep md5_sha1 for PRF and mark as fips-allowed. Can still use md5 with EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but it's just not in fips digest list. Note: this fix can be put in fips-update ppa for availability. But, it may be a while before it is re-certified.
2. ntpq should check its return codes and do appropriate thing on error.
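The difference between the unchecked digest loop and the return-checked one discussed in this thread, as an added C example that is neither ntpq nor OpenSSL code. It uses a small self-contained model; every `model_*` / `MODEL_*` name is hypothetical, and the digest table is constructed from the `help keytype` listings quoted in the bug description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the digest path described in the report. These are NOT OpenSSL
 * types or functions: every model_* / MODEL_* name is hypothetical. */
#define MODEL_MD_FLAG_FIPS            0x1u /* digest is approved in FIPS mode */
#define MODEL_CTX_FLAG_NON_FIPS_ALLOW 0x1u /* caller opts in to a non-approved digest */

struct model_md  { const char *name; unsigned flags; size_t md_size; };
struct model_ctx { const struct model_md *digest; unsigned flags; };

/* Constructed table. Names come from the "help keytype" listing in the report;
 * the flags mark the two that remain in its FIPS listing. Sizes are illustrative. */
static const struct model_md model_table[] = {
    { "MD4",       0,                  16 },
    { "MD5",       0,                  16 },
    { "RIPEMD160", 0,                  20 },
    { "SHA1",      MODEL_MD_FLAG_FIPS, 20 },
    { "SHAKE128",  MODEL_MD_FLAG_FIPS, 16 },
};
#define MODEL_TABLE_LEN (sizeof model_table / sizeof model_table[0])

/* Same shape as the check quoted in the report: a refused digest returns 0
 * and ctx->digest stays NULL. */
static int model_digest_init(struct model_ctx *ctx, const struct model_md *md,
                             int fips_mode)
{
    if (md == NULL)
        return 0;
    if (fips_mode && !(md->flags & MODEL_MD_FLAG_FIPS) &&
        !(ctx->flags & MODEL_CTX_FLAG_NON_FIPS_ALLOW))
        return 0;
    ctx->digest = md;
    return 1;
}

/* The finalisation step in the report reads ctx->digest->md_size; the model
 * returns -1 at the point where that read would hit a NULL pointer. */
static int model_digest_final(const struct model_ctx *ctx, size_t *len)
{
    if (ctx->digest == NULL)
        return -1;
    *len = ctx->digest->md_size;
    return 1;
}

/* Unchecked pattern: the init result is ignored and final is called anyway.
 * Returns how many table entries would reach final with a NULL digest. */
int unchecked_null_derefs(int fips_mode)
{
    int crashes = 0;
    for (size_t i = 0; i < MODEL_TABLE_LEN; i++) {
        struct model_ctx ctx = { NULL, 0 };
        size_t len = 0;
        model_digest_init(&ctx, &model_table[i], fips_mode); /* result ignored */
        if (model_digest_final(&ctx, &len) < 0)
            crashes++;
    }
    return crashes;
}

/* Checked pattern: a digest enters the list only if init and final both
 * succeed. Writes up to cap names into out and returns how many were kept. */
size_t checked_digest_list(int fips_mode, const char **out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < MODEL_TABLE_LEN && n < cap; i++) {
        struct model_ctx ctx = { NULL, 0 };
        size_t len = 0;
        if (!model_digest_init(&ctx, &model_table[i], fips_mode))
            continue; /* refused digest: skip it instead of finalising */
        if (model_digest_final(&ctx, &len) != 1)
            continue;
        out[n++] = model_table[i].name;
    }
    return n;
}

/* Returns 1 if name is among the first n entries of list. */
int list_contains(const char **list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Explicit opt-in: MD5 (table index 1) initialises in FIPS mode only when the
 * caller sets the allow flag on the context. */
int md5_with_allow_flag(int fips_mode)
{
    struct model_ctx ctx = { NULL, MODEL_CTX_FLAG_NON_FIPS_ALLOW };
    return model_digest_init(&ctx, &model_table[1], fips_mode);
}

int main(void)
{
    const char *names[MODEL_TABLE_LEN];
    for (int fips = 0; fips <= 1; fips++) {
        size_t n = checked_digest_list(fips, names, MODEL_TABLE_LEN);
        printf("fips=%d unchecked NULL derefs=%d checked list:", fips,
               unchecked_null_derefs(fips));
        for (size_t i = 0; i < n; i++)
            printf(" %s", names[i]);
        printf("\n");
    }
    return 0;
}
```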
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Investigating.
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Tags added: verification-done-eoan ** Tags added: verification-done-bionic
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Successful verification on amd64 for bionic

    $ dpkg -l | grep util-linux
    ii util-linux 2.31.1-0.4ubuntu3.6 amd64 miscellaneous system utilities
    $ cat /etc/lsb-release
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=18.04
    DISTRIB_CODENAME=bionic
    DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

    type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
    type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Successful verification on amd64 for eoan

$ dpkg -l | grep util-linux
ii util-linux 2.34-0.1ubuntu2.4 amd64 miscellaneous system utilities

Audit records found in /var/log/audit/audit.log,

type=USYS_CONFIG msg=audit(1584463433.533:68): pid=4263 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1584463480.497:81): pid=4268 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Mauricio, Thank you so much for handling. Much appreciated. I took a quick look at the above #15 and #16 and perhaps a retry may be beneficial... there were some timeouts...
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Also affects: util-linux (Ubuntu Eoan) Importance: Undecided Status: New
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Also affects: util-linux (Ubuntu Bionic) Importance: Undecided Status: New
[Bug 1865504] Re: hwclock reports incorrect status in audit message
The debdiff for focal ** Attachment removed: "debdiff for focal" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal ** Attachment added: "debdiff.focal" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333895/+files/debdiff.focal
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Build log https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/18795481 ** Bug watch added: Debian Bug tracker #953065 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065 ** Also affects: util-linux (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065 Importance: Unknown Status: Unknown
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Attachment added: "debdiff for focal" https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Description changed: + [IMPACT] + hwclock reports incrorect status in audit message + + hwclock calls audit_log_user_message(3) to create an audit entry. audit_log_user_message(3) result 1 is "success" and 0 is "failed", hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse - status. Thus reports status incorrectly in audit message. This has been fixed upstream in https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a + status. Thus reports it's status incorrectly in audit message. + + It is a requirement for Common Criteria Certification that hwclock + reports correct status in audit message. + + This has been fixed upstream in https://github.com/karelzak/util- + linux/commit/189edf1fe501ea39b35911337eab1740888fae7a + + [TEST] + + Steps to test: + 1. Install auditd + 2. Run following testcase, + + # hwclock + 2020-03-02 15:03:03.280351+ + # hwclock --set --date "1/1/2000 00:00:00" + # echo $? + 0 + # hwclock + 2000-01-01 00:00:05.413924+ + # hwclock --utc --systohc + # echo $? + 0 + # hwclock + 2020-03-02 15:07:00.264331+ + + Following audit messages from /var/log/audit/audit.log, + + type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed' + type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed' + + Note that last entry in each audit record produced when hardware clock + was modified has, "res=failed". Although, testcase shows no failure + occurred. + + [Regression Potential] + There should not be any regression to fix the status given to auditd.
[Bug 1865504] [NEW] hwclock reports incorrect status in audit message
Public bug reported:

audit_log_user_message(3) result 1 is "success" and 0 is "failed", hwclock uses standard EXIT_{SUCCESS,FAILURE} macros with reverse status. Thus reports status incorrectly in audit message.

This has been fixed upstream in https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

** Affects: util-linux (Ubuntu) Importance: High Assignee: Joy Latten (j-latten) Status: New
** Changed in: util-linux (Ubuntu) Importance: Undecided => Medium
** Changed in: util-linux (Ubuntu) Importance: Medium => High
** Changed in: util-linux (Ubuntu) Assignee: (unassigned) => Joy Latten (j-latten)
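The test procedure in this bug compares the exit status hwclock returns with the res= field of its USYS_CONFIG audit record. The check below does that comparison in Python; it is an added example, not part of the bug report or of util-linux. The function names are assumptions, the AFFECTED and FIXED records are the ones quoted in this thread (line-wrap spaces removed), and HEX_SAMPLE is constructed.

```python
"""Compare hwclock's exit status with the res= field of its audit record."""
import re
from datetime import datetime, timedelta, timezone

# type=USYS_CONFIG msg=audit(<epoch>.<ms>:<serial>): <fields> msg='<inner fields>'
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):"
    r"\s*(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S*)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Records quoted in this thread: before the fix (res=failed although exit status was 0).
AFFECTED = [
    "type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=failed'",
    "type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=failed'",
]
# Records quoted in the bionic verification comment: after the fix.
FIXED = [
    "type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=success'",
    "type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=success'",
]
# Constructed record: the audit library writes exe= as unquoted hex when the
# path contains characters such as a space.
HEX_SAMPLE = (
    "type=USYS_CONFIG msg=audit(1584464700.001:120): pid=13500 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=" + "/opt/my tools/hwclock".encode().hex().upper()
    + " hostname=bionic-fips addr=? terminal=pts/0 res=failed'"
)


def _fields(text):
    """Split 'k=v k="v"' text into a dict, decoding a hex-encoded exe value."""
    out = {}
    for key, raw in FIELD_RE.findall(text):
        if raw.startswith('"'):
            out[key] = raw.strip('"')
        elif key == "exe" and HEX_RE.match(raw):
            out[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            out[key] = raw
    return out


def parse_record(line):
    """Return the record as a dict, or None if the line is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    outer, _, inner = m.group("rest").partition("msg='")
    inner = inner.rstrip()
    if inner.endswith("'"):
        inner = inner[:-1]
    when = datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc)
    rec = _fields(outer)
    rec.update(type=m.group("type"), serial=int(m.group("serial")),
               time=when + timedelta(milliseconds=int(m.group("ms"))),
               msg=_fields(inner))
    return rec


def hwclock_events(lines):
    """Keep only hwclock's op=change-system-time USYS_CONFIG records."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] != "USYS_CONFIG":
            continue
        msg = rec["msg"]
        if msg.get("op") == "change-system-time" and msg.get("exe", "").endswith("/hwclock"):
            events.append(rec)
    return events


def status_mismatches(observations):
    """observations: (exit_status, audit_line) pairs collected while testing.

    Returns (serial, exit_status, res) for every pair where the audit record is
    missing or its res= value contradicts the exit status (0 means success).
    """
    bad = []
    for exit_status, line in observations:
        events = hwclock_events([line])
        if not events:
            bad.append((None, exit_status, None))
            continue
        res = events[0]["msg"].get("res")
        if res != ("success" if exit_status == 0 else "failed"):
            bad.append((events[0]["serial"], exit_status, res))
    return bad


if __name__ == "__main__":
    for label, sample in (("affected", AFFECTED), ("fixed", FIXED)):
        print(label, status_mismatches([(0, line) for line in sample]))
```
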
[Bug 1853506] Re: [MIR] ndctl
I reviewed ndctl as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

ndctl is comprised of utilities and libraries for managing the libnvdimm (non-volatile memory device) sub-system in the Linux kernel

- No CVEs readily found. Gleaned the git repository, https://github.com/pmem/ndctl. Appears to be actively maintained. Security-wise, noted fixes for a memory leak and non-null terminated strings.
- Build-Depends: debhelper-compat (= 12), pkg-config, libkmod-dev, libudev-dev, uuid-dev, libjson-c-dev, bash-completion, systemd, libkeyutils-dev, asciidoctor
- No pre/post inst/rm scripts.
- There is an init script, debian/ndctl.init that is installed as /etc/init.d/ndctl-monitor. All actions are circumvented to systemctl.
- There is a systemd unit file, ndctl-monitor.service, for the ndctl monitor daemon. The daemon catches smart events notify from firmware and outputs the notifications (in json format) to a logfile.
- No dbus services.
- No setuid binaries.
- 2 binaries, ndctl and daxctl in /usr/bin
- No sudo fragments.
- No udev rules.
- There are unit-tests and autopkgtests. The unit tests were skipped. There has been considerable discussion in this bugreport about providing regression testing.
- No cron jobs.
- Build reported following...
  - configure: WARNING: unrecognized options: --disable-maintainer-mode
  - quite a few alignment warnings for "address-of-packed-member", i.e.,
    nfit.c: In function ‘ndctl_bus_cmd_new_translate_spa’:
    nfit.c:65:25: warning: taking address of packed member of ‘struct nd_cmd_translate_spa’ may result in an unaligned pointer value [-Waddress-of-packed-member]
    65 | cmd->firmware_status = _spa->status;
       | ^~
  - following lintian warnings,
    - malformed-deb-archive newer compressed control.tar.xz
    - init.d-script-uses-usr-interpreter etc/init.d/ndctl-monitor /usr/bin/env
    E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor start
    E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor stop
    E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor restart
    E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor force-reload
    W: ndctl: unusual-interpreter etc/init.d/ndctl-monitor #!/lib/init/init-d-script
    W: ndctl: init.d-script-does-not-source-init-functions etc/init.d/ndctl-monitor
  - following dpkg warnings
    dpkg-shlibdeps: warning: package could avoid a useless dependency if debian/daxctl/usr/bin/daxctl was not linked against libndctl.so.6 (it uses none of the library's symbols)
    dpkg-shlibdeps: warning: package could avoid a useless dependency if debian/daxctl/usr/bin/daxctl was not linked against libuuid.so.1 (it uses none of the library's symbols)
- execlp() called without an absolute path to bring up help pages. A call to "kfmclient" and once to call "man".
- Inspecting a random sampling of memory mgmt routines, the memory allocation looked good; memcpy() ok; none of the sprintf() nor asprintf() checked return value.
- File IO looked ok.
- Logging looked ok. We do not --enable-debug so limited debugging available.
- daxctl_set_log_fn allows user to write custom function to override default!
- There are several environment vars. Could not readily find documentation on any of them.
  - log_env overrides log priority set in config file but uses secure_logenv so probably ok.
  - code does getenv("MANPATH"); then calls setenv("MANPATH") with gotten value. Seems bad idea.
- ioctls looked ok.
- Cryptography: looks ok. ndctl-setup|update|remove-passphrase uses the kernel keyring to enable a security passphrase for NVDIMM(s). binary blobs of the encrypted masterkey and NVDIMM passphrase(s) are stored in /etc/ndctl/keys directory and loaded into memory and compared (in a way validated) with kernel keyring with ndctl command.
- a single testcase uses hard-coded tmp file but this testcase is skipped.
- No WebKit.
- No PolicyKit.
- There were some cppcheck results, upon closer examination they seem ok.
  [ndctl/check.c:1150]: (error) Signed integer overflow for expression '(549755813888)-4096'.
  [ndctl/dimm.c:1216]: (error) Memory leak: actx.f_out
  [util/json.c:871]: (error) Uninitialized variable: raw_uuid
  [ndctl/lib/libndctl.c:5577]: (error) Uninitialized variable: uuid
  [ndctl/lib/libndctl.c:5578]: (error) Uninitialized variable: uuid
- Quite a few scripts in test directory reported following warning, "Double quote to prevent globbing and word splitting"

GENERAL COMMENTS
- There are other licenses besides GPL licences.
- Note: opened an issue upstream about the unaligned pointer warning from compiler, https://github.com/pmem/ndctl/issues/131

Security team ACK only on condition that regression tests are available.

** Bug watch added: github.com/pmem/ndctl/issues #131
[Bug 1853506] Re: [MIR] ndctl
** Changed in: ndctl (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1802533] Re: [MIR] pipewire
I reviewed pipewire 0.2.5-1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

pipewire is a multimedia sharing and processing engine. It is comprised of a server and userspace API to handle multimedia pipelines. The pipewire package contains a library, utilities, a daemon and several plugins.

pipewire seems to be relatively new and indications are that while usable, it is still being developed (https://github.com/PipeWire/pipewire/wiki/FAQ). It is meant to overhaul audit/video processing by doing what pulseaudio and Jack do and leveraging Wayland remote screen capabilities.

- No CVEs. Also examined git repository in github, https://github.com/PipeWire/pipewire. Seems to be a lot of active development and bugfixing.
- Build-Depends: debhelper (>= 11), libasound2-dev, libavcodec-dev, libavfilter-dev, libavformat-dev, libdbus-1-dev, libglib2.0-dev, libgstreamer1.0-dev, libgstreamer-plugins-base1.0-dev, libsbc-dev, libsdl2-dev, libudev-dev, libva-dev, libv4l-dev, libx11-dev, meson (>= 0.47), pkg-config (>= 0.22), systemd, xmltoman, doxygen, graphviz
  **Note: Uses meson build system
- There are no pre/post inst/rm scripts.
- No init scripts
- There are systemd unit files
  - There is pipewire.socket, a systemd socket unit for automatic socket activation. Appears to be a AF_Unix socket
  - There is pipewire.service, a system unit file for the daemon. It requires the pipewire.socket to be active first.
- dbus services are used
  - the rtkit (realtimekit) module uses dbus to talk to RealtimeKit to be allowed permission to take on realtime property.
  - the flatpak module uses dbus in similar manner to acquire permission to record screen or audio.
  - the Simple plugin API provides dbus services via D-Bus low-level public API to plugins.
- No setuid binaries
- Several binaries installed in /usr/bin/ and /usr/lib/x86_64-linux-gnu/ dirs.
- No sudo fragments.
- No udev rules. However, the ALSA (advanced linux sound architecture) and V4l2 (video) plugins do make udev calls to acquire device info.
- No autopkgtests. There are a few tests in spa/test dir but they do not seem to have run.
- No cron jobs.
- Build logs indicated a successful build. However there was a compile error and many compile warnings pertaining to -Wdepracated-declarations and -Wunused-result. There also appeared to be many failures while generating docs.
- No processes spawned.
- Quite a bit of memory mgmt. Inspecting a random sampling of memory mgmt routines, the memcpy() seem ok, the return value not checked for any of the asprintf() and a number of calloc()|realloc() did not check the return value for failure.
- No File IO issues readily found. Noticed v4l2 plugin open() the playback(video capture) device. The default is /dev/video0. The alsa plugin opens an audio device using snd_pcm_open. The default device is hw:0.
- Logging: both pipewire and spa (simple plugin api) define their own logging facilities. Use of vsnprintf seems ok. Noted that except for pw_log_trace, logging appears to go to stderr... pw_log_trace writes to a lockfree ringbuffer which seems to be written out from main thread.
- There are environment variables. They appear to be ok.
- No File IO issues. The v4l2 plugin uses ioctl and xioctl calls on VIDIOC_*, the videocapture device. Look ok.
- pipewire uses a random number to generate a random cookie that identifies the instance of pipewire
- No temp file issues.
- Networking: pipewire seem to use "nodes" which are physical playback and recording points for audio. Nodes can be separate processes that use sockets and filedescriptors to communicate and pass around multimedia data. pipewire opens local sockets and pass around file descriptors to do this.
- Does not use WebKit.
- Does not use PolicyKit.
- cppcheck results:
  [spa/tests/test-props4.c:147]: (error) va_list 'args' was opened but not closed by va_end().
  [spa/tests/test-props4.c:427]: (error) va_list 'args' was opened but not closed by va_end().
- Coverity not run.

Misc Notes:

Entry from https://github.com/PipeWire/pipewire/wiki/FAQ,

"Is PipeWire ready yet? No, it is under heavy development It is currently reasonably safe to use the remote API to connect to a PipeWire daemon and the stream API (stream.h) to send and retrieve data. I do not expect this API to change in incompatible ways. The protocol is not fixed yet; it is not safe to assume I will make backward compatible changes in the future. This means that it is not safe to assume that older versions of the library will be able to communicate with newer versions of the daemon (or vice versa). This is usually not a problem because both client and server share the same version of the library. It can be a problem when dealing with sandboxes that have their own (old) copy of PipeWire."

The security team will NAK this for now. The above FAQ entry indicates pipewire is still under heavy development
[Bug 1802533] Re: [MIR] pipewire
** Changed in: pipewire (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
The 2.7 and 3.5 python packages in the security proposed PPA have been successfully tested in a fips and non-fips xenial environment.
[Bug 1802614] Re: [MIR] gnome-remote-desktop
** Changed in: gnome-remote-desktop (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1802614] Re: [MIR] gnome-remote-desktop
I would like to add an additional condition to the security team ACK. The pipewire MIR must also be ACK'd.
[Bug 1802614] Re: [MIR] gnome-remote-desktop
I reviewed gnome-remote-desktop 0.1.7-1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

gnome-remote-desktop is a remote desktop daemon for GNOME using VNC with pipewire. It is supposed to work with both X and Wayland.

- No CVEs. Also Examined the git histories at both
  * https://gitlab.gnome.org/jadahl/gnome-remote-desktop
  * https://salsa.debian.org/gnome-team/gnome-remote-desktop
- Build-Depends: debhelper (>= 11), gnome-pkg-tools, libglib2.0-dev, libnotify-dev, libpipewire-0.2-dev, libsecret-1-dev, libvncserver-dev, meson (>= 0.36.0)
  **Note: Uses meson build system
- No Debian pre/post inst/rm scripts. However, there is a meson_post_install.py script that appears to compile gsettings schemas.
- No init scripts.
- There is a systemd service unit file installed in /usr/lib/systemd/user directory. It is used to start the daemon.
- Appears to use glib bindings for dbus. Uses introspection data format and is used for both screen casting and remote desktop. The remote desktop uses dbus to, create, start, and stop remote desktop sessions. Notifications for pointer button motions and whether pressed. Notification if a key identified by a keysym was pressed.
- Remote desktop driven screen casts are started and stopped by the remote desktop session using dbus. Also uses dbus to record a monitor during the screen cast.
- No setuid/setgid binaries nor in the code.
- Nothing added to PATH.
- No sudo fragments.
- No udev rules.
- No testcases. However, when I looked upstream, a few have been added. https://gitlab.gnome.org/jadahl/gnome-remote-desktop/tree/master/tests
- No cron jobs.
- Build logs showed a successful build, but there were following warnings:
  Binary packages built successfully but there was the following warning(s):
  dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
  dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
  dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
  dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
- Error during source build:
  dh clean --with gnome --buildsystem=meson
  dh: Sorry, but 10 is the highest compatibility level supported by this debhelper.
  debian/rules:7: recipe for target 'clean' failed
  make: *** [clean] Error 25
  dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
  debuild: fatal error at line 1376: dpkg-buildpackage -rfakeroot -d -us -uc -S failed
  FAIL
- No spawned processes.
- Memory management uses quite a bit of glib memory mgmt calls. They all seem to be used ok.
- No File IO issues.
- Logging uses glib logging and looks ok.
- Environment variable usage looks ok and only one is used to enable debugging.
- No privileged functions.
- This app uses libsecret for password storage and lookup. Calls into libsecret to get and store encrypted passwords. Uses libvncserver to encrypt keys for storage. Uses 3DES encryption algo. encrypts user password and then compares it with the stored one to validate.
- No temp files.
- For networking, uses libpipewire for data transfer when doing screen casting. Using glib calls, vnc server listens on a socket|port for all interfaces. It seems to handle only one session an on the listening socket. Could not get it to work to test that out. The socket handling seems ok.
- Does not use WebKit
- Does not seem to use PolicyKit
- Clean cppcheck

MISC NOTES

Authentication seems to be permitted in 1 of 2 ways:
1. password authentication
2. prompting - that is user is alerted that someone wants to connect and whether they will give permission or not.

The hardening-check tool reported, Fortify Source functions: no, only unprotected functions found!

The old Free Software Foundation address is used in many of the source files.

A lintian warning about debian/control
W: gnome-remote-desktop source: newer-standards-version 4.3.0 (current is 3.9.7)
(but googling reported latest version is 4.3.0.3)

The debian/control has following sentence in it, "This feature will not work on Ubuntu until mutter is recompiled with the remote desktop option enabled."

Security team ACK only on condition that it works, and help preparing updates and testing.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Upon looking at the source for both python2.7 and python3.5 in xenial, neither checks the return value from EVP_DigestInit in Modules/_hashopenssl.c file. However, python3.6 (in bionic, cosmic and disco) does have the check. So the check will need to be backported to python 2.7 and python 3.5 in xenial.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Like python3, python2 should check the return value of EVP_DigestInit.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
The assessment is accurate. FIPS 140-2 does not allow MD5 except for use in PRF. Thus the OpenSSL_add_all_digests in fips openssl does not include MD5. However, SSL_library_init() does include MD5 but only for use in calculating the PRF. Notice in tls1_P_hash() in ssl/t1_enc.c the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is set in the context to permit this use of MD5. Apps wishing to calculate their own PRF can do the same.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Investigating
[Bug 1807439] Re: openvpn crashes when run with fips openssl
verification done on following: xenial: openvpn-2.3.10-1ubuntu2.2 bionic: openvpn-2.4.4-2ubuntu1.2 cosmic: openvpn-2.4.6-1ubuntu2.1
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Verified using same test data allowing for interoperability testing between the various releases and with fips for xenial and bionic. ** Tags removed: verification-needed-bionic verification-needed-cosmic verification-needed-xenial ** Tags added: verification-done-bionic verification-done-cosmic verification-done-xenial ** Tags removed: verification-needed ** Tags added: verification-done
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Successfully verified xenial, bionic, and cosmic.
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Testing in progress...
[Bug 1807439] Re: openvpn crashes when run with fips openssl
This bug has been reported: 1.Upstream Bug: https://community.openvpn.net/openvpn/ticket/725 2.Suse Bug report: https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch ** Description changed: [IMPACT] + openvpn segfaults when using fips-mode openssl because of MD5. + + xenial has version 2.3.x and subsequent releases have 2.4.x. + MD5 is used in 2 places in 2.3.x and one place in 2.4.x. + + First place: openvpn when estabishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl). openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys. MD5 is used as the hash in this computation. FIPS 140-2 does not permit MD5 use except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so goes into an error state. - openvpn needs to set and pass a flag that FIPS-mode libcrypto.so - recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode - libcrypto.so will grant the request instead of entering an error state. - In non-FIPS libcrypto.so the flag has no meaning. + The context flag value, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is defined in + both FIPS and non-FIPS libcrypto.so. However, the MD5 check for it is + only in FIPS-mode libcrypto.so to permit MD5. In non-FIPS libcrypto.so + this check does not exist since it always permits MD5. openvpn should + use this flag when it makes its MD5 request. - **NOTE: The openvpn 2.3 version in xenial has the above issue and an - additional one. It also use MD5 internally for configuration status - verification. It is not communicated externally. However, this - particular use of MD5 is not allowed by FIPS and thus when openvpn tries - to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn - segfaulting. 
This 2nd issue was fixed by upstream openvpn community in - subsequent versions(2.4) to not use MD5 and use SHA(256) instead and - thus why bionic and disco do not require any change for this 2nd issue. + Second place (only in 2.3.x): + **NOTE: The openvpn 2.3 version in xenial has the above issue and an additional one. It also use MD5 internally for configuration status verification. It is not communicated externally. However, this particular use of MD5 is not allowed by FIPS and thus when openvpn tries to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn segfaulting. This 2nd issue was fixed by upstream openvpn community in subsequent versions(2.4) to not use MD5 and use SHA(256) instead and thus why bionic, cosmic, and disco do not require any change for this 2nd issue. [TEST] Test data including commands and parameters are included below. Testing comprised establishing a tls connection between an openvpn client and server. Once the connection was successfully established, a ping thru the established vpn tunnel was done from the client for assurance. Interoperability testing was done to ensure no regression. Test data reflects testing was done between openvpn server and client with and without the patch and between various releases (xenial, bionic, and disco). Test was also done with FIPS-enabled libcrypto.so to ensure everything worked in FIPS mode. [REGRESSION] - The FIPS-mode libcrypto.so flag passed by openvpn has no meaning in non-FIPS libcrypto.so. Thus nothing changes for openvpn behaviour in non-FIPS mode in regards to this. + The context flag value, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is defined in both FIPS-mode openssl and non-FIPS openssl. However, the MD5-permit check against this flag-value does not occur in non-FIPS libcrypto.so, so there should be no change in behaviour. non-FIPS libcrypto.so should continue to service all MD5 requests. - xenial has additional change of using SHA instead of MD5 for - configuration status verification. 
This is an internal hash that is not - communicated externally. Thus it should not regress interoperability or - ability to establish connections. + xenial with version 2.3.x, has additional change of using SHA instead of + MD5 for configuration status verification. This is an internal hash that + is not communicated externally. Thus it should not regress + interoperability or ability to establish connections. ** Bug watch added: community.openvpn.net/openvpn/ #725 https://community.openvpn.net/openvpn/ticket/725 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1807439 Title: openvpn crashes when run with fips openssl To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Applied fixes for above comments. After some team discussion, decided to use sha256 for internal hash rather than sha1 in xenial as well. Internal hash is never communicated externally. Performed additional interoperability testing successfully using same test parameters as previously.
cosmic(with patch) <--> xenial (with patch)
cosmic(with patch) <--> xenial (with patch and in fips mode)
xenial(without patch) <--> xenial(with patch)
xenial(without patch) <--> xenial (with patch and fips mode)
xenial(with patch) <--> xenial (with patch)
xenial (with patch) <--> xenial (with patch and fips mode)
xenial (with patch and fips mode) <--> xenial(with patch and fips mode)
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Changed in: openvpn (Ubuntu Bionic) Status: Incomplete => New ** Changed in: openvpn (Ubuntu Xenial) Status: Incomplete => New
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Description changed: [IMPACT] openvpn when estabishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl). - openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys. - MD5 is used as the hash in this computation. + openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys. + MD5 is used as the hash in this computation. FIPS 140-2 does not permit MD5 use except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so goes into an error state. openvpn needs to set and pass a flag that FIPS-mode libcrypto.so recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode libcrypto.so will grant the request instead of entering an error state. In non-FIPS libcrypto.so the flag has no meaning. + **NOTE: The openvpn 2.3 version in xenial has the above issue and an + additional one. It also use MD5 internally for configuration status + verification. It is not communicated externally. However, this + particular use of MD5 is not allowed by FIPS and thus when openvpn tries + to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn + segfaulting. This 2nd issue was fixed by upstream openvpn community in + subsequent versions(2.4) to not use MD5 and use SHA(256) instead and + thus why bionic and disco do not require any change for this 2nd issue. + [TEST] - Testing comprised establishing a tls connection between an openvpn client and server. Once the connection was successfully established, a ping thru the established vpn tunnel was done from the client for assurance. - - Because this flag has no meaning in non-FIPS libcrypto.so, nothing changes for openvpn behaviour in disco. Interoperability testing was done to ensure no regression. 
Test data reflects testing was done between openvpn server and client with and without the patch and between various releases (xenial, bionic, and disco). + Test data including commands and parameters are included below. - Test Data will be attached below. + Testing comprised establishing a tls connection between an openvpn + client and server. Once the connection was successfully established, a + ping thru the established vpn tunnel was done from the client for + assurance. - Note: a test was also done with a FIPS-enabled system to ensure - everything worked and no regression. + Interoperability testing was done to ensure no regression. Test data + reflects testing was done between openvpn server and client with and + without the patch and between various releases (xenial, bionic, and + disco). + + Test was also done with FIPS-enabled libcrypto.so to ensure everything + worked in FIPS mode. + + [REGRESSION] + The FIPS-mode libcrypto.so flag passed by openvpn has no meaning in non-FIPS libcrypto.so. Thus nothing changes for openvpn behaviour in non-FIPS mode in regards to this. + + xenial has additional change of using SHA instead of MD5 for + configuration status verification. This is an internal hash that is not + communicated externally. Thus it should not regress interoperability or + ability to establish connections. ** Changed in: openvpn (Ubuntu Disco) Status: Incomplete => New
[Bug 1807439] Re: openvpn crashes when run with fips openssl
2 testcases using same parameters for prior testcases, except that installed FIPS-mode libcrypto.so to test and ensure FIPS-mode libcrypto.so honors the flag to allow MD5 in PRF and does not cause openvpn to segfault because MD5 is missing. ** Attachment added: "testcase-data-fips" https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222137/+files/testcase-data-fips
[Bug 1807439] Re: openvpn crashes when run with fips openssl
The xenial patch has additional code. In version 2.3.10, openvpn uses MD5 for PRF and internally for configuration status verification. FIPS 140-2 permits MD5 for PRF, but not as a hash for internal verification. Subsequent versions of openvpn (2.4) were changed upstream to not use MD5 and instead use SHA256. The attached patch provided by atsec uses SHA1 instead of MD5. ** Attachment added: "debdiff.xenial" https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222055/+files/debdiff.xenial
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Attachment added: "debdiff.bionic" https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222054/+files/debdiff.bionic
[Bug 1807439] Re: openvpn crashes when run with fips openssl
build log for xenial: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743720
[Bug 1807439] Re: openvpn crashes when run with fips openssl
build log for bionic: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743676 ** Also affects: openvpn (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: openvpn (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: openvpn (Ubuntu Xenial) Status: New => Incomplete ** Changed in: openvpn (Ubuntu Bionic) Status: New => Incomplete
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Hi Christian, Hopefully the testcase-data file follows what you described. If not, let me know and I can reorganize it for improved readability.