Bug#1014517: apt - Fails in FIPS mode in libgcrypt

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1014517: apt - Fails in FIPS mode in libgcrypt
From: Bastian Blank <waldi@debian.org>
Date: Thu, 07 Jul 2022 14:58:28 +0200
Message-id: <[🔎] 165719870806.77907.5567624636549932250.reportbug@softhammer.credativ.lan>
Reply-to: Bastian Blank <waldi@debian.org>, 1014517@bugs.debian.org

Package: apt
Version: 2.5.1
Severity: normal

"apt update" fails if the system runs in FIPS mode:

| # apt update
| Hit:2 http://deb.debian.org/debian-debug sid InRelease
| fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
| 
| Fatal error: requested algo not in md context
| Aborted

The backtrace is:

| #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
| #1  0x0000fffff78a630c in __GI_abort () at abort.c:79
| #2  0x0000fffff75ce110 in _gcry_fatal_error (rc=rc@entry=5, text=text@entry=0xfffff765cb80 "requested algo not in md context") at ../../src/misc.c:97
| #3  0x0000fffff75e65b0 in md_read (algo=<optimized out>, a=<optimized out>, a=<optimized out>) at ../../cipher/md.c:1095
| #4  0x0000fffff7e435ac in HexDigest (hd=<optimized out>, algo=<optimized out>) at ./apt-pkg/contrib/hashes.cc:429
| #5  0x0000fffff7e44a18 in Hashes::GetHashString (this=this@entry=0xffffffffe6d8, hash=hash@entry=Hashes::MD5SUM) at ./apt-pkg/contrib/hashes.cc:457
| #6  0x0000fffff7e5bfd4 in debListParser::Description_md5 (this=0xaaaaaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
| #7  0x0000fffff7ecc020 in pkgCacheGenerator::MergeListVersion (this=this@entry=0xaaaaaab31470, List=..., Pkg=..., Version=..., OutVer=@0xffffffffe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
| #8  0x0000fffff7ecdb0c in pkgCacheGenerator::MergeList (this=this@entry=0xaaaaaab31470, List=..., OutVer=<optimized out>, OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
| #9  0x0000fffff7eb030c in pkgDebianIndexFile::Merge (this=<optimized out>, Gen=..., Prog=<optimized out>) at ./apt-pkg/indexfile.cc:348
| #10 0x0000fffff7ec8ef4 in operator() (__closure=__closure@entry=0xffffffffebc0, I=0xaaaaaab0a340) at ./apt-pkg/pkgcachegen.cc:1557
| #11 0x0000fffff7ecedb4 in std::for_each<__gnu_cxx::__normal_iterator<pkgIndexFile**, std::vector<pkgIndexFile*> >, BuildCache(pkgCacheGenerator&, OpProgress*, map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, FileIterator)::<lambda(pkgIndexFile*)> > (__f=..., __last=0x0, __first=0xaaaaaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
| #12 BuildCache (Gen=..., Progress=<optimized out>, Progress@entry=0xfffffffff280, CurrentSize=@0xffffffffecf0: 100043188, TotalSize=<optimized out>, TotalSize@entry=100043188, 
|     List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
| #13 0x0000fffff7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., Progress=Progress@entry=0xfffffffff280, OutMap=OutMap@entry=0xffffffffef18, OutCache=OutCache@entry=0xffffffffef20)
|     at /usr/include/c++/11/bits/stl_iterator.h:1026
| #14 0x0000fffff7e0b2dc in pkgCacheFile::BuildCaches (this=0xfffffffff0c0, Progress=0xfffffffff280, WithLock=<optimized out>) at ./apt-pkg/cachefile.cc:127
| #15 0x0000fffff7f9e6fc in DoUpdate(CommandLine&) () from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #16 0x0000fffff7e27d20 in CommandLine::DispatchArg (this=0xfffffffff448, Map=<optimized out>, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
| #17 0x0000fffff7f633f4 in DispatchCommandLine(CommandLine&, std::vector<CommandLine::Dispatch, std::allocator<CommandLine::Dispatch> > const&) ()
|    from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #18 0x0000aaaaaaaa1898 in ?? ()
| #19 0x0000fffff78a6614 in __libc_start_main (main=0xaaaaaaaa17c0, argc=2, argv=0xfffffffff5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
|     stack_end=<optimized out>) at ../csu/libc-start.c:332
| #20 0x0000aaaaaaaa19b8 in ?? ()

In FIPS mode MD5 is not allowed, so every usage results in a fatal error.

One workarounds would be:
Check for FIPS mode with gcry_fips_mode_active and don't try to use it
then.

Bastian

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

Reply to:

Prev by Date: Bug#1014509: apt install lets me fill the filesystem
Next by Date: not a member of ‘pkgTagSection::Key’
Previous by thread: Bug#1014509: apt install lets me fill the filesystem
Next by thread: not a member of ‘pkgTagSection::Key’
Index(es):
- Date
- Thread