Description of problem:
python3-ply uses MD5 to calculate a signature. FIPS enforcing mode prohibits MD5. Any application that uses python3-ply directly, or indirectly through python3-pycparser and python3-cffi, is affected.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
>>> from cffi import FFI
>>> ffi = FFI()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 107, in cdef
self._cdef(csource, override=override, packed=packed)
File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 121, in _cdef
self._parser.parse(csource, override=override, **options)
File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 315, in parse
File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 320, in _internal_parse
ast, macros, csource = self._parse(csource)
File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 276, in _parse
ast = _get_parser().parse(fullcsource)
File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 45, in _get_parser
_parser_cache = pycparser.CParser()
File "/usr/lib/python3.6/site-packages/pycparser/c_parser.py", line 111, in __init__
File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 3277, in yacc
signature = pinfo.signature()
File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 2979, in signature
digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignment
Upstream changed the offending code to use a different approach to calculate the signature: https://github.com/dabeaz/ply/commit/3335be2931e42803ddc64ce2df61f7b0aad1f30c
After updating the signature algorithm to not use MD5, all packages with a yacc / parser table must be updated to regenerate the table. The update affects all packages with a module-level variable "_lr_signature". Known packages are
We have two options to address this problem:
1) Rebase the package to a newer version that does not use MD5.
2) Patch the package and add "usedforsecurity=False" to MD5 call.
Option (1) is a clean solution, but it also requires rebuilding two other packages, e.g. python-pycparser #1759827. There is also a small risk that updating will interfere with customer code.
Option (2) is a simpler solution and has no risk to customer code. python-yacc uses MD5 to create a fingerprint of the YACC table. It's not security-relevant, as it's only used to detect changes and to trigger a rebuild of pre-cached files.
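The Option (2) approach from the comment above, written out as an added example for this report (it is not ply's, pycparser's or cffi's own code). The grammar inputs and the stored `_lr_signature` value are constructed, and the `table_signature` / `table_is_stale` helper names are hypothetical. It shows the `usedforsecurity=False` idiom, the fallback for interpreters that lack the keyword, and why the signature only needs to be a change detector:

```python
"""Non-security fingerprint of a parser table that also works under FIPS mode."""
import base64
import hashlib


def _md5_change_detector():
    """Return an MD5 object declared as not used for security.

    On a FIPS-enforcing host a plain hashlib.md5() raises ValueError. In the
    traceback above that exception was swallowed and a later line still used
    the never-assigned object, hence the UnboundLocalError on 'sig'. Passing
    usedforsecurity=False (upstream CPython 3.9+, and the patched 3.6 shipped
    in RHEL 8) tells the OpenSSL backend this digest is only a fingerprint.
    """
    try:
        return hashlib.md5(usedforsecurity=False)
    except TypeError:
        # Interpreter predates the keyword: keep the old behaviour. This is the
        # only branch where FIPS mode can still raise, and then it raises here,
        # before anything tries to use a half-initialised object.
        return hashlib.md5()


def table_signature(start, productions, precedence=()):
    """Fingerprint of the grammar a yacc-style LR table was generated from.

    This is what a module-level ``_lr_signature`` is for: if the value stored
    with a cached table differs from the freshly computed one, the table is
    stale and must be regenerated. Only the inputs are hashed, so the result
    is stable across runs and independent of the table file itself.
    """
    sig = _md5_change_detector()
    if start:
        sig.update(start.encode("latin-1"))
    # Sort so the fingerprint does not depend on declaration order.
    for name, rule in sorted(productions):
        sig.update(("%s -> %s" % (name, rule)).encode("latin-1"))
    for assoc, level, token in precedence:
        sig.update(("%s %d %s" % (assoc, level, token)).encode("latin-1"))
    # Upper-case hex, the same shape as the b16encode call in the traceback.
    return base64.b16encode(sig.digest()).decode("ascii")


def table_is_stale(cached_signature, start, productions, precedence=()):
    """True when a cached table's signature no longer matches its grammar."""
    return cached_signature != table_signature(start, productions, precedence)


# Constructed sample grammar (hypothetical, not from any real package).
SAMPLE_START = "expr"
SAMPLE_PRODUCTIONS = [
    ("expr", "expr PLUS term"),
    ("expr", "term"),
    ("term", "NUMBER"),
]
SAMPLE_PRECEDENCE = [("left", 1, "PLUS")]

# What a generated parsetab module would carry as its module-level variable.
_lr_signature = table_signature(SAMPLE_START, SAMPLE_PRODUCTIONS, SAMPLE_PRECEDENCE)


if __name__ == "__main__":
    print("signature:", _lr_signature)
    grown = SAMPLE_PRODUCTIONS + [("term", "LPAREN expr RPAREN")]
    print("stale after grammar change:",
          table_is_stale(_lr_signature, SAMPLE_START, grown, SAMPLE_PRECEDENCE))
```

The fallback to the plain constructor matters for the rebase question in the comment: a package that is only patched (Option 2) keeps producing the same MD5 fingerprint on non-FIPS hosts, so existing cached tables stay valid, whereas switching the digest as upstream did changes every `_lr_signature` and forces a regeneration in each dependent package.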
FIPS compatibility issue fixed in python-ply-3.9-8.el8.
Yes, that's sufficient to verify the fix.
IPA installation succeeded in FIPS mode. Hence marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.