
Bug#1014517:



On Mon, Jul 24, 2023 at 10:35:35PM -0400, Dillon Amburgey wrote:
> I have seen this as well. This has recently started breaking apt
> update on bookworm docker images as well as images built off bookworm
> (e.g. python:3.8)
> 
> This can be easily reproduced on FIPS-enabled hosts:
> docker run  -it --rm debian:bookworm apt update
> Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
> Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
> Get:3 http://deb.debian.org/debian-security bookworm-security
> InRelease [48.0 kB]
> Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
> Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
> Get:6 http://deb.debian.org/debian-security bookworm-security/main
> amd64 Packages [48.0 kB]
> Fetched 9210 kB in 2s (4169 kB/s)
> fatal error in libgcrypt, file ../../src/misc.c, line 92, function
> _gcry_fatal_error: requested algo not in md context
> 
> Fatal error: requested algo not in md context
> 
> I also was able to use snapshot.debian.org to isolate when the
> failures started. 20230722T085252Z was the last good snapshot with
> 20230722T110049Z being the first failing snapshot.
> docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z
> bookworm InRelease [151 kB]
> Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z
> bookworm-updates InRelease [52.1 kB]
> Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
> bookworm-security InRelease [48.0 kB]
> Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z
> bookworm/main amd64 Packages [8906 kB]
> Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z
> bookworm-updates/main amd64 Packages [4732 B]
> Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
> bookworm-security/main amd64 Packages [48.0 kB]
> Fetched 9210 kB in 1min 8s (136 kB/s)
> fatal error in libgcrypt, file ../../src/misc.c, line 92, function
> _gcry_fatal_error: requested algo not in md context
> 
> Fatal error: requested algo not in md context
> 
> docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm InRelease [147 kB]
> Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm-updates InRelease [52.1 kB]
> Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> bookworm-security InRelease [48.0 kB]
> Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
> bookworm-debug InRelease [49.8 kB]
> Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm/main amd64 Packages [8904 kB]
> Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm/main amd64 Packages
> Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm-updates/main amd64 Packages [4732 B]
> Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> bookworm-security/main amd64 Packages [48.0 kB]
> Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
> bookworm-debug/main amd64 Packages [3564 kB]
> Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm/main amd64 Packages [8904 kB]
> Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm/main amd64 Packages
> Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> bookworm/main amd64 Packages [8904 kB]
> Fetched 11.2 MB in 5min 13s (35.9 kB/s)
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> All packages are up to date.
> 

This doesn't make sense; let's be clear about this. MD5 is an integral
part of the archive; it doesn't suddenly pop up, and APT uses any MD5
it can find as an additional (untrusted) hash.

And APT itself has been using libgcrypt for hashing since 1.9.6;
oldstable is shipping 2.2.4.

This is fixed in 2.7.2, fsvo of fixed. I do believe that this is
bullshit and libgcrypt's FIPS mode should be entirely disabled,
as in Ubuntu, as Debian's libgcrypt is not FIPS certified.

As this is not a regression vs oldstable, and we realistically
may be preempting configuration of libgcrypt by applications using
the apt-pkg library, I do not think this is a change that should
be released to a stable update.

I did pick it for unstable and testing, but ultimately we need
to replace libgcrypt with nettle.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
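The thread above describes two facts: APT treats an MD5 entry in the archive's Release file as an additional, untrusted hash, and libgcrypt in FIPS mode aborts the whole process with "requested algo not in md context" when that MD5 digest is requested. The following is an added illustration, not APT's or libgcrypt's code, of the difference between a verifier that demands every listed digest and one that requires a trusted digest (SHA256) but skips an optional digest the hashing library refuses to provide. The Release-style excerpt is constructed from a sample payload, and the `enabled` set is a hypothetical stand-in for the library's FIPS policy; the real check lives inside libgcrypt, not in this code.

```python
"""Added example: tolerant verification of an archive index against Release-file
digests when an optional algorithm (MD5) is disabled in the hashing library.
Illustrative code, not APT's own; the policy model is an assumption."""
import hashlib

# Constructed sample payload standing in for one downloaded index file.
PAYLOAD = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
INDEX_PATH = "main/binary-amd64/Packages"

# Release file section names (as used in Debian Release files) -> hashlib names.
SECTION_ALGO = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# At least one of these must be present and match; everything else listed
# (MD5 here) is an additional, untrusted check.
TRUSTED_ALGOS = {"sha256"}


def build_release(payload, path, algos=("md5", "sha256")):
    """Produce a constructed Release-style excerpt listing digests of `payload`."""
    lines = []
    for section, algo in SECTION_ALGO.items():
        if algo in algos:
            digest = hashlib.new(algo, payload).hexdigest()
            lines.append(f"{section}:")
            lines.append(f" {digest} {len(payload)} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text, path):
    """Return {algo: hexdigest} for `path` from a Release-style excerpt."""
    expected, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):          # section header, e.g. "SHA256:"
            current = SECTION_ALGO.get(line.rstrip(":"))
            continue
        parts = line.split()
        if current and len(parts) == 3 and parts[2] == path:
            expected[current] = parts[0]
    return expected


class AlgoUnavailable(Exception):
    """Stand-in for the hashing library refusing an algorithm it has not enabled."""


def compute(algo, payload, enabled):
    # `enabled` models the algorithms the library allows in this process
    # (hypothetical FIPS policy). hashlib's own ValueError covers the real
    # OpenSSL FIPS case on hosts that enforce it.
    if algo not in enabled:
        raise AlgoUnavailable(f"requested algo {algo} not in md context")
    try:
        h = hashlib.new(algo)
    except ValueError as exc:
        raise AlgoUnavailable(f"{algo} disabled by library policy") from exc
    h.update(payload)
    return h.hexdigest()


def verify_strict(payload, expected, enabled):
    """Fragile form: asks for every listed digest, so a disabled optional
    algorithm aborts verification even though a trusted digest is present."""
    return all(compute(a, payload, enabled) == d for a, d in expected.items())


def strict_aborts(payload, expected, enabled):
    """True if the strict verifier cannot complete because of a disabled algorithm."""
    try:
        verify_strict(payload, expected, enabled)
    except AlgoUnavailable:
        return True
    return False


def verify_tolerant(payload, expected, enabled):
    """Returns (ok, checked, skipped). A trusted digest must be present, computable
    and matching; an untrusted digest is skipped when unavailable, but a mismatch
    of any computed digest still fails, since it indicates corruption."""
    checked, skipped = [], []
    if not TRUSTED_ALGOS & expected.keys():
        return False, checked, skipped        # nothing trustworthy to verify against
    for algo, hexdigest in expected.items():
        try:
            actual = compute(algo, payload, enabled)
        except AlgoUnavailable:
            if algo in TRUSTED_ALGOS:
                return False, sorted(checked), sorted(skipped)
            skipped.append(algo)
            continue
        if actual != hexdigest:
            return False, sorted(checked), sorted(skipped)
        checked.append(algo)
    return True, sorted(checked), sorted(skipped)


if __name__ == "__main__":
    release = build_release(PAYLOAD, INDEX_PATH)
    expected = parse_release(release, INDEX_PATH)
    fips_like = frozenset({"sha1", "sha256"})  # MD5 disabled
    print("strict aborts under FIPS-like policy:", strict_aborts(PAYLOAD, expected, fips_like))
    print("tolerant result:", verify_tolerant(PAYLOAD, expected, fips_like))
```

The design point is that "untrusted" and "unavailable" are different properties: the tolerant verifier refuses to pass a file whose trusted digest is missing, unavailable or wrong, and still treats any computed mismatch as corruption, but it does not let the absence of an optional algorithm take down the whole update.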
