Bug 1747490 - python-ply is not FIPS compatible: local variable 'sig' referenced before assignment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python-ply
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Christian Heimes
QA Contact: Kaleem
Docs Contact: David Voženílek
URL:
Whiteboard:
Depends On:
Blocks: 1759827 1760850
Reported: 2019-08-30 14:51 UTC by Christian Heimes
Modified: 2023-12-15 16:43 UTC (History)

Fixed In Version: python-ply-3.9-8.el8
Doc Type: Known Issue
Doc Text:
.`python-ply` is not FIPS compatible

The YACC module of the `python-ply` package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to `ply.yacc.yacc()` fail with the error message:

----
UnboundLocalError: local variable 'sig' referenced before assignment
----

The problem affects `python-pycparser` and some use cases of `python-cffi`.

To work around this problem, modify line 2966 of the file `/usr/lib/python3.6/site-packages/ply/yacc.py`, replacing `sig = md5()` with `sig = md5(usedforsecurity=False)`. As a result, `python-ply` can be used in FIPS mode.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:52:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dabeaz ply issues 106 | 0 | 'None' | closed | [Bug] Remove cryptographic functions | 2020-12-09 17:50:53 UTC
Red Hat Issue Tracker | FREEIPA-10348 | 0 | None | None | None | 2023-09-07 20:34:31 UTC
Red Hat Issue Tracker | RHELPLAN-29341 | 0 | None | None | None | 2023-09-07 20:34:25 UTC
Red Hat Product Errata | RHBA-2020:1842 | 0 | None | None | None | 2020-04-28 16:52:12 UTC

Internal Links: 1759827 1759845

Description Christian Heimes 2019-08-30 14:51:34 UTC
Description of problem:
python3-ply uses MD5 to calculate a signature. FIPS enforcing mode prohibits MD5. Any application that uses python3-ply directly or indirectly through python3-pycparser and python3-cffi is affected.

Version-Release number of selected component (if applicable):
python3-pycparser-2.14-14.el8.noarch
python3-cffi-1.11.5-5.el8.x86_64
python3-ply-3.9-7.el8.noarch

How reproducible:
always

Steps to Reproduce:
# python3
>>> from cffi import FFI
>>> ffi = FFI()
>>> ffi.cdef("")


Actual results:
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 107, in cdef
    self._cdef(csource, override=override, packed=packed)
  File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 121, in _cdef
    self._parser.parse(csource, override=override, **options)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 315, in parse
    self._internal_parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 320, in _internal_parse
    ast, macros, csource = self._parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 276, in _parse
    ast = _get_parser().parse(fullcsource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 45, in _get_parser
    _parser_cache = pycparser.CParser()
  File "/usr/lib/python3.6/site-packages/pycparser/c_parser.py", line 111, in __init__
    outputdir=taboutputdir)
  File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 3277, in yacc
    signature = pinfo.signature()
  File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 2979, in signature
    digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignment


Expected results:
No exception

Additional info:
Upstream changed the offending code to use a different approach to calculate the signature, https://github.com/dabeaz/ply/commit/3335be2931e42803ddc64ce2df61f7b0aad1f30c

Comment 1 Christian Heimes 2019-10-08 16:15:37 UTC
After updating the signature algorithm to not use MD5, all packages with a yacc / parser table must be updated and regenerate the table. The update affects all packages with a module level variable "_lr_signature". Known packages are 

* python3-pycparser-2.14-14.el8
* python3-bind-9.11.4-26.P2.el8

Comment 9 Christian Heimes 2019-11-11 13:29:14 UTC
We have two options to address this problem

1) Rebase the package to a newer version that does not use MD5.
2) Patch the package and add "usedforsecurity=False" to MD5 call.

Option (1) is a clean solution but it also requires rebuilding two other packages, e.g. python-pycparser #1759827. There is also a small risk that updating will interfere with customer code.

Option (2) is a simpler solution and has no risk to customer code. python-yacc uses MD5 to create a fingerprint of the YACC table. It's not security relevant as it's only used to detect changes and to trigger a rebuild of pre-cached files.
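An added illustration of the failure mode in the traceback and of option (2), written for this page and not taken from ply, the bug's attachments or the errata; `fips_md5_stub` is a constructed stand-in for a FIPS-mode hashlib.md5, and the signature functions are a simplified model, not ply's own code:

```python
import base64
import hashlib


def fips_md5_stub(usedforsecurity=True):
    # Constructed stand-in (assumption, not real FIPS enforcement) for
    # hashlib.md5 on a FIPS-mode RHEL 8 host: security-context MD5 is
    # refused with ValueError, usedforsecurity=False is allowed.
    if usedforsecurity:
        raise ValueError("[digital envelope routines] disabled for FIPS")
    return hashlib.md5()


def signature_buggy(parts, md5=hashlib.md5):
    # Simplified model of the failure in the traceback (not ply's own code):
    # the except clause swallows the FIPS ValueError from the constructor,
    # so 'sig' is never bound and the digest line raises UnboundLocalError.
    try:
        sig = md5()
        for part in parts:
            sig.update(part.encode("latin-1"))
    except (TypeError, ValueError):
        pass
    return base64.b16encode(sig.digest()).decode("latin-1")


def signature_fixed(parts, md5=hashlib.md5):
    # Option (2) from comment 9: the fingerprint only detects table changes,
    # so the MD5 object is flagged as non-security. The constructor also
    # leaves the broad try block, so a refused hash is a clear error.
    try:
        sig = md5(usedforsecurity=False)
    except TypeError:
        # md5() predates the keyword (upstream CPython before 3.9); under
        # FIPS this raises ValueError, which is reported rather than hidden.
        sig = md5()
    for part in parts:
        sig.update(part.encode("latin-1"))
    return base64.b16encode(sig.digest()).decode("latin-1")


def check_signature(parts, md5=hashlib.md5, fixed=True):
    # Run one variant and report ("ok", digest) or ("error", exception name).
    fn = signature_fixed if fixed else signature_buggy
    try:
        return ("ok", fn(parts, md5))
    except Exception as exc:
        return ("error", type(exc).__name__)
```

Running `check_signature(["start", "preamble"], fips_md5_stub, fixed=False)` reproduces the UnboundLocalError; the fixed variant returns the same digest with the stub as with the real hashlib.md5.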

Comment 12 Christian Heimes 2019-11-12 08:11:57 UTC
FIPS compatibility issue fixed in python-ply-3.9-8.el8.

Comment 15 Christian Heimes 2020-01-13 14:10:02 UTC
Yes, that's sufficient to verify the fix.

Comment 18 Mohammad Rizwan 2020-01-20 12:26:26 UTC
IPA installation succeeded in FIPS mode. Hence marking the bug as verified.

Comment 21 errata-xmlrpc 2020-04-28 16:52:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1842

