Bug 1497342
| Summary: | hashlib: TypeError: object supporting the buffer API required | |||
|---|---|---|---|---|
| Product: | Red Hat Software Collections | Reporter: | Jon Dufresne <jon.dufresne> | |
| Component: | python | Assignee: | Charalampos Stratakis <cstratak> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | rh-python36 | CC: | atodorov, baptiste.agasse, bgollahe, bhicks, cheimes, clewis, cstratak, gdumplet, generalpenguin89, hhorak, jkejda, jon.dufresne, jorton, jstanek, lkuprova, nagy.martin, plazonic, primeroznl, pviktori, torsava | |
| Target Milestone: | --- | |||
| Target Release: | 3.1 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | python-3.6.3-3.el7 python-3.6.3-3.el6 | Doc Type: | Bug Fix | |
| Doc Text: |
Previously, conditional logic in the FIPS compliance patch for Python was incorrect. Consequently, when the Python hashlib module was utilised, for example, when creating a super user account for Django, the following error message was shown:
TypeError: object supporting the buffer API required.
This bug has been fixed, and the hashlib module no longer fails in this scenario.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1532663 (view as bug list) | Environment: | ||
| Last Closed: | 2018-09-05 12:34:07 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1532663 | |||
Hello and thanks for the bug report. Would you be able to provide some more information such as which system you are using, as well as the output of "rpm -qa rh-python36-python" ? OS: CentOS Linux release 7.4.1708 (Core) $ rpm -qa rh-python36\* rh-python36-python-devel-3.6.2-3.el7.x86_64 rh-python36-runtime-2.0-1.el7.x86_64 rh-python36-python-setuptools-36.2.7-1.el7.noarch rh-python36-2.0-1.el7.x86_64 rh-python36-python-3.6.2-3.el7.x86_64 rh-python36-python-virtualenv-15.1.0-2.el7.noarch rh-python36-python-libs-3.6.2-3.el7.x86_64 rh-python36-python-pip-9.0.1-2.el7.noarch Please let me know if I can provide any other information. > . /opt/rh/rh-python36/enable
The supported way to enable SCLs is `scl enable rh-python36 bash`, does that affect the outcome?
Same behavior. Full output below. When you run the test script, do you receive the error?
$ scl enable rh-python36 -- bash test.sh
+ python3 --version
Python 3.6.2
+ rm -rf venv
+ python3 -m venv venv
+ venv/bin/pip install django
Collecting django
Using cached Django-1.11.5-py2.py3-none-any.whl
Collecting pytz (from django)
Using cached pytz-2017.2-py2.py3-none-any.whl
Installing collected packages: pytz, django
Successfully installed django-1.11.5 pytz-2017.2
+ venv/bin/python -c 'from django.contrib.auth.hashers import PBKDF2PasswordHasher; h = PBKDF2PasswordHasher(); h.digest()'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/opt/rh/rh-python36/root/usr/lib64/python3.6/hashlib.py", line 90, in inner
return func(*args, **kwargs)
TypeError: object supporting the buffer API required
Thanks! I have indeed verified this issue, it reproduces on rh-python36 but works fine on rh-python35. Versions of Django and pytz are the same in both cases. It seems that the call to digest is basically a call to hashlib.sha256() [0]. I wonder if it's somehow related to the crypto changes at RHEL/CentOS 7.4 (and more specifically to the openssl which python is linked against), since some algorithms were removed and other deprecated (not sha256 though) [1]. Will have to dig a bit more. [0] https://github.com/django/django/blob/stable/1.11.x/django/contrib/auth/hashers.py#L251 [1] https://access.redhat.com/blogs/766093/posts/3050871 Unfortunately, we had to defer this bug to the next release of Software Collections. If you want this prioritized, please go through the official Red Hat support channels. Good morning,
in the meantime, for those that need it fixed now, this is the diff:
--- /opt/rh/rh-python36/root/usr/lib64/python3.6/hashlib.py.original 2017-10-25 06:48:31.000000000 -0400
+++ /opt/rh/rh-python36/root/usr/lib64/python3.6/hashlib.py 2017-12-15 10:41:56.890950130 -0500
@@ -272,7 +272,7 @@
# version not supporting that algorithm.
try:
func = __get_hash(__func_name)
- if 'sha3_' or 'blake2' or 'shake_' in __func_name:
+ if ('sha3_' in __func_name) or ('blake2' in __func_name) or ('shake_' in __func_name):
func = __ignore_usedforsecurity(func)
globals()[__func_name] = func
except ValueError:
+1 from me. Seeing this with rh-python36-2.0-1.el7.x86_64 on a RHEL 7.4 system. (In reply to Josko Plazonic from comment #12) > Good morning, > > in the meantime, for those that need it fixed now, this is the diff: > > --- /opt/rh/rh-python36/root/usr/lib64/python3.6/hashlib.py.original > 2017-10-25 06:48:31.000000000 -0400 > +++ /opt/rh/rh-python36/root/usr/lib64/python3.6/hashlib.py 2017-12-15 > 10:41:56.890950130 -0500 > @@ -272,7 +272,7 @@ > # version not supporting that algorithm. > try: > func = __get_hash(__func_name) > - if 'sha3_' or 'blake2' or 'shake_' in __func_name: > + if ('sha3_' in __func_name) or ('blake2' in __func_name) or > ('shake_' in __func_name): > func = __ignore_usedforsecurity(func) > globals()[__func_name] = func > except ValueError: Indeed that is the issue right here. with if 'sha3_' or 'blake2' or 'shake_' in __func_name: only the shake algorithm is tested if it exists within the __func_name. This can be fixed be either using the solution mentioned in your comment or changing that line to something like: if ('sha3_' or 'blake2' or 'shake_') in __func_name: Already tested some builds and the reproducer verifies the fix. > if ('sha3_' or 'blake2' or 'shake_') in __func_name: I think the order of operations are incorrect with this form. The parenthesis will reduce the first part to simply 'sha3_'. Then only sha3 will be checked correctly. Observe: >>> ('sha3_' or 'blake2' or 'shake_') 'sha3_' So I think the long form is necessary: if ('sha3_' in __func_name) or ('blake2' in __func_name) or ('shake_' in __func_name): startswith() is simpler, faster and easier to understand,
__func_name.startswith(('sha3_', 'blake2', 'shake_'))
*** Bug 1528775 has been marked as a duplicate of this bug. *** I have tested with rh-python36-python-3.6.3-3.el7.x86_64. This now looks to be fixed. Thanks! Hi, I can see that is listed as Fixed in version python-3.6.3-3.el6 for Centos6 but i can't seem to find that package in SCL http://mirror.centos.org/centos/6/sclo/x86_64/rh/rh-python36/ Last built is 3.6.3-1.el6 Has this been built for El6 already ? Thanks Any update on the EL6 build for this fix ? Hi Charalampos Can you let me know the status on the EL6 build of 3.6.3-3? I can see it has reached candidate https://cbs.centos.org/koji/buildinfo?buildID=21337 but not full release https://cbs.centos.org/koji/buildinfo?buildID=20502 Do you have an ETA when this will be released to repos? Thanks (In reply to Chris Lewis from comment #24) > Hi Charalampos > > Can you let me know the status on the EL6 build of 3.6.3-3? I can see it > has reached candidate https://cbs.centos.org/koji/buildinfo?buildID=21337 > but not full release https://cbs.centos.org/koji/buildinfo?buildID=20502 > > Do you have an ETA when this will be released to repos? > > Thanks Hello Chris. As I am not directly involved with the CentOS release processes I am cc'ing one of the people working on that. (In reply to Chris Lewis from comment #24) > Hi Charalampos > > Can you let me know the status on the EL6 build of 3.6.3-3? I can see it > has reached candidate https://cbs.centos.org/koji/buildinfo?buildID=21337 > but not full release https://cbs.centos.org/koji/buildinfo?buildID=20502 > > Do you have an ETA when this will be released to repos? > > Thanks Hi Chris, the package should be now tagged to testing and available in the testing repos once the sync script runs. Barring any unforeseen complications, the package should be tagged to release during next week. Hi Jan, Many thanks for the update, I really appreciate the work put in to get this released for EL6. Thanks Chris |
Minimal bash script: . /opt/rh/rh-python36/enable python3 --version rm -rf venv python3 -m venv venv venv/bin/pip install django venv/bin/python -c 'from django.contrib.auth.hashers import PBKDF2PasswordHasher; h = PBKDF2PasswordHasher(); h.digest()' The script runs without an error on a local Fedora installation as well as with rh-python35. Running this with rh-python36 results in the error "TypeError: object supporting the buffer API required". Full output below: $ bash test.sh + . /opt/rh/rh-python36/enable ++ export PATH=/opt/rh/rh-python36/root/usr/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/centos/.composer/vendor/bin:/home/centos/.local/bin:/home/centos/bin ++ PATH=/opt/rh/rh-python36/root/usr/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/centos/.composer/vendor/bin:/home/centos/.local/bin:/home/centos/bin ++ export LD_LIBRARY_PATH=/opt/rh/rh-python36/root/usr/lib64 ++ LD_LIBRARY_PATH=/opt/rh/rh-python36/root/usr/lib64 ++ export MANPATH=/opt/rh/rh-python36/root/usr/share/man: ++ MANPATH=/opt/rh/rh-python36/root/usr/share/man: ++ export PKG_CONFIG_PATH=/opt/rh/rh-python36/root/usr/lib64/pkgconfig ++ PKG_CONFIG_PATH=/opt/rh/rh-python36/root/usr/lib64/pkgconfig ++ export XDG_DATA_DIRS=/opt/rh/rh-python36/root/usr/share:/usr/local/share:/usr/share ++ XDG_DATA_DIRS=/opt/rh/rh-python36/root/usr/share:/usr/local/share:/usr/share + python3 --version Python 3.6.2 + rm -rf venv + python3 -m venv venv + venv/bin/pip install django Collecting django Using cached Django-1.11.5-py2.py3-none-any.whl Collecting pytz (from django) Using cached pytz-2017.2-py2.py3-none-any.whl Installing collected packages: pytz, django Successfully installed django-1.11.5 pytz-2017.2 + venv/bin/python -c 'from django.contrib.auth.hashers import PBKDF2PasswordHasher; h = PBKDF2PasswordHasher(); h.digest()' Traceback (most recent call last): File "<string>", line 1, in <module> File "/opt/rh/rh-python36/root/usr/lib64/python3.6/hashlib.py", line 90, in inner return func(*args, **kwargs) TypeError: object supporting the buffer API required