Bug 1747490

Summary: python-ply is not FIPS compatible: local variable 'sig' referenced before assignment
Product: Red Hat Enterprise Linux 8 Reporter: Christian Heimes <cheimes>
Component: python-plyAssignee: Christian Heimes <cheimes>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact: David Voženílek <dvozenil>
Priority: unspecified    
Version: 8.1CC: cheimes, kresss, ksiddiqu, mkosek, myusuf, pcech, pvoborni, slaznick
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-ply-3.9-8.el8 Doc Type: Known Issue
Doc Text:
.`python-ply` is not FIPS compatible The YACC module of the `python-ply` package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to `ply.yacc.yacc()` fail with the error message: ---- UnboundLocalError: local variable 'sig' referenced before assignment ---- The problem affects `python-pycparser` and some use cases of `python-cffi`. To work around this problem, modify the line 2966 of the file `/usr/lib/python3.6/site-packages/ply/yacc.py`, replacing `sig = md5()` with `sig = md5(usedforsecurity=False)`. As a result, `python-ply` can be used in FIPS mode.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:52:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1759827, 1760850    

Description Christian Heimes 2019-08-30 14:51:34 UTC 
Description of problem:
python3-ply uses MD5 to calculate a signature. FIPS enforcing mode prohibits MD5. Any application that uses python-ply3 directly or indirectly through python3-pycparser and python3-cffi is affected

Version-Release number of selected component (if applicable):
python3-pycparser-2.14-14.el8.noarch
python3-cffi-1.11.5-5.el8.x86_64
python3-ply-3.9-7.el8.noarch

How reproducible:
always

Steps to Reproduce:
# python3
>>> from cffi import FFI
>>> ffi = FFI()
>>> ffi.cdef("")


Actual results:
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 107, in cdef
    self._cdef(csource, override=override, packed=packed)
  File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 121, in _cdef
    self._parser.parse(csource, override=override, **options)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 315, in parse
    self._internal_parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 320, in _internal_parse
    ast, macros, csource = self._parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 276, in _parse
    ast = _get_parser().parse(fullcsource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 45, in _get_parser
    _parser_cache = pycparser.CParser()
  File "/usr/lib/python3.6/site-packages/pycparser/c_parser.py", line 111, in __init__
    outputdir=taboutputdir)
  File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 3277, in yacc
    signature = pinfo.signature()
  File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 2979, in signature
    digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignment


Expected results:
No exception

Additional info:
Upstream changed the offending code to use a different approach to calculate the signature, https://github.com/dabeaz/ply/commit/3335be2931e42803ddc64ce2df61f7b0aad1f30c
Comment 1 Christian Heimes 2019-10-08 16:15:37 UTC 
After updating the signature algorithm to not use MD5, all packages with a yacc / parser table must be updated and regenerate the table. The update affects all packages with a module level variable "_lr_signature". Known packages are 

* python3-pycparser-2.14-14.el8
* python3-bind-9.11.4-26.P2.el8
Comment 9 Christian Heimes 2019-11-11 13:29:14 UTC 
We have two options to address this problem

1) Rebase the package to a newer version that does not use MD5.
2) Patch the package and add "usedforsecurity=False" to MD5 call.

Option (1) is a clean solution but it requires also to rebuild two other packages, e.g. python-pycparser #1759827. There is a also a small risk that updating will interfere with customer code.

Option (2) is a simpler solution and has no risk to customer code. python-yacc uses MD5 to create a finger print of the YACC table. It's not security relevant as it's only used to detect changes and to trigger a rebuild of pre-cached files.
Comment 12 Christian Heimes 2019-11-12 08:11:57 UTC 
FIPS compatibility issue fixed in python-ply-3.9-8.el8.
Comment 15 Christian Heimes 2020-01-13 14:10:02 UTC 
Yes, that's sufficient to verify the fix.
Comment 18 Mohammad Rizwan 2020-01-20 12:26:26 UTC 
IPA installation succeed in FIPS mode. Hence marking the bug as verified.
Comment 21 errata-xmlrpc 2020-04-28 16:52:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1842