Bug 1747490 - python-ply is not FIPS compatible: local variable 'sig' referenced before assignment
Summary: python-ply is not FIPS compatible: local variable 'sig' referenced before ass...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python-ply
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.2
Assignee: Christian Heimes
QA Contact: Kaleem
David Voženílek
Depends On:
Blocks: 1759827 1760850
Reported: 2019-08-30 14:51 UTC by Christian Heimes
Modified: 2020-04-28 16:52 UTC (History)

Fixed In Version: python-ply-3.9-8.el8
Doc Type: Known Issue
Doc Text:
.`python-ply` is not FIPS compatible
The YACC module of the `python-ply` package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to `ply.yacc.yacc()` fail with the error message:
----
UnboundLocalError: local variable 'sig' referenced before assignment
----
The problem affects `python-pycparser` and some use cases of `python-cffi`. To work around this problem, modify line 2966 of the file `/usr/lib/python3.6/site-packages/ply/yacc.py`, replacing `sig = md5()` with `sig = md5(usedforsecurity=False)`. As a result, `python-ply` can be used in FIPS mode.
Clone Of:
Last Closed: 2020-04-28 16:52:09 UTC
Type: Bug
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github dabeaz ply issues 106 0 'None' closed [Bug] Remove cryptographic functions 2020-12-09 17:50:53 UTC
Red Hat Product Errata RHBA-2020:1842 0 None None None 2020-04-28 16:52:12 UTC

Internal Links: 1759827 1759845

Description Christian Heimes 2019-08-30 14:51:34 UTC
Description of problem:
python3-ply uses MD5 to calculate a signature. FIPS enforcing mode prohibits MD5. Any application that uses python3-ply directly or indirectly through python3-pycparser and python3-cffi is affected.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
# python3
>>> from cffi import FFI
>>> ffi = FFI()
>>> ffi.cdef("")

Actual results:
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 107, in cdef
    self._cdef(csource, override=override, packed=packed)
  File "/usr/lib64/python3.6/site-packages/cffi/api.py", line 121, in _cdef
    self._parser.parse(csource, override=override, **options)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 315, in parse
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 320, in _internal_parse
    ast, macros, csource = self._parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 276, in _parse
    ast = _get_parser().parse(fullcsource)
  File "/usr/lib64/python3.6/site-packages/cffi/cparser.py", line 45, in _get_parser
    _parser_cache = pycparser.CParser()
  File "/usr/lib/python3.6/site-packages/pycparser/c_parser.py", line 111, in __init__
  File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 3277, in yacc
    signature = pinfo.signature()
  File "/usr/lib/python3.6/site-packages/ply/yacc.py", line 2979, in signature
    digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignment

Expected results:
No exception

Additional info:
Upstream changed the offending code to use a different approach to calculate the signature, https://github.com/dabeaz/ply/commit/3335be2931e42803ddc64ce2df61f7b0aad1f30c

Comment 1 Christian Heimes 2019-10-08 16:15:37 UTC
After updating the signature algorithm to not use MD5, all packages with a yacc / parser table must be updated and regenerate the table. The update affects all packages with a module level variable "_lr_signature". Known packages are:

* python3-pycparser-2.14-14.el8
* python3-bind-9.11.4-26.P2.el8

Comment 9 Christian Heimes 2019-11-11 13:29:14 UTC
We have two options to address this problem

1) Rebase the package to a newer version that does not use MD5.
2) Patch the package and add "usedforsecurity=False" to MD5 call.

Option (1) is a clean solution but it also requires rebuilding two other packages, e.g. python-pycparser #1759827. There is also a small risk that updating will interfere with customer code.

Option (2) is a simpler solution and has no risk to customer code. python-yacc uses MD5 to create a fingerprint of the YACC table. It's not security relevant as it's only used to detect changes and to trigger a rebuild of pre-cached files.
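The failure mode in the description and the `usedforsecurity=False` fix from option (2), as an added, simplified reconstruction (not ply's own code): the hash object is created inside the same try/except that swallows ValueError, so the FIPS refusal of MD5 leaves `sig` unassigned and the digest line raises UnboundLocalError. `fips_blocked_md5` is a constructed stand-in for `hashlib.md5()` on a FIPS-enforcing system; the grammar fields are a constructed subset of what ply actually hashes.

```python
# Added example, not code from python-ply: a reconstruction of the
# signature() failure in FIPS mode beside the usedforsecurity=False fix.
import base64
import hashlib


def fips_blocked_md5():
    """Constructed stand-in for hashlib.md5() under FIPS enforcement."""
    raise ValueError("[digital envelope routines] disabled for FIPS")


def fips_safe_md5():
    """MD5 for a non-security fingerprint; allowed in FIPS mode on RHEL 8."""
    try:
        return hashlib.md5(usedforsecurity=False)
    except TypeError:
        # Interpreters that lack the keyword (upstream CPython < 3.9)
        return hashlib.md5()


def signature_buggy(start, tokens, md5_factory=hashlib.md5):
    # Shape of the original code: the constructor call sits inside the
    # try block whose except clause silently discards ValueError, so a
    # FIPS refusal leaves 'sig' unbound when the digest is taken below.
    try:
        sig = md5_factory()
        sig.update(start.encode("latin-1"))
        for tok in tokens:
            sig.update(tok.encode("latin-1"))
    except (TypeError, ValueError):
        pass
    return base64.b16encode(sig.digest()).decode("ascii")


def signature_fixed(start, tokens, md5_factory=fips_safe_md5):
    # Open the hash with usedforsecurity=False and outside the guarded
    # block: a refused constructor now fails loudly instead of later.
    sig = md5_factory()
    try:
        sig.update(start.encode("latin-1"))
        for tok in tokens:
            sig.update(tok.encode("latin-1"))
    except (TypeError, ValueError):
        pass
    return base64.b16encode(sig.digest()).decode("ascii")


def outcome(func, md5_factory):
    """Run a signature function; report ('ok', digest) or ('error', name)."""
    try:
        return ("ok", func("expression", ["NUMBER", "PLUS"], md5_factory))
    except Exception as exc:
        return ("error", type(exc).__name__)
```

Outside FIPS mode both versions produce the same 32-character upper-case hex fingerprint, which is why the patch is behaviour-preserving for existing cached parser tables.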

Comment 12 Christian Heimes 2019-11-12 08:11:57 UTC
FIPS compatibility issue fixed in python-ply-3.9-8.el8.

Comment 15 Christian Heimes 2020-01-13 14:10:02 UTC
Yes, that's sufficient to verify the fix.

Comment 18 Mohammad Rizwan 2020-01-20 12:26:26 UTC
IPA installation succeeds in FIPS mode. Hence marking the bug as verified.

Comment 21 errata-xmlrpc 2020-04-28 16:52:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
