The 2.7 and 3.5 python packages in the security proposed PPA have been successfully tested in a fips and non-fips xenial environment.
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

Status in python2.7 package in Ubuntu: Triaged
Status in python3.5 package in Ubuntu: Invalid
Status in python2.7 source package in Xenial: In Progress
Status in python3.5 source package in Xenial: In Progress
Status in python2.7 source package in Bionic: In Progress
Status in python3.5 source package in Bionic: Invalid
Status in python2.7 source package in Cosmic: Won't Fix
Status in python3.5 source package in Cosmic: Invalid
Status in python2.7 source package in Disco: In Progress
Status in python3.5 source package in Disco: Invalid
Status in python2.7 source package in Eoan: Triaged
Status in python3.5 source package in Eoan: Invalid

Bug description:
  If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with SSL_library_init, then Python2's hashlib bindings for MD5 can trigger a SIGSEGV via a NULL pointer dereference (if calling the .update method) or a SIGABRT (if passing input to the constructor or passing no input and invoking the .final method). This happens if, for example, PyOpenSSL is imported before hashlib.

  Canonical's FIPS patches for OpenSSL introduce some odd behavior that arguably should be revisited, but the (TL;DR) core bug is that Python2 hashlib doesn't properly check the return value of EVP_DigestInit, preventing hashlib from falling back to its internal MD5 implementation and instead setting things up for use of the MD5 context to trigger SIGSEGV or SIGABRT. Python3 correctly checks the return value, so the fix is to backport the relevant code into Python2 (see python2.7-2.7.12/Modules/_hashopenssl.c).

  See attached good.py and bad.py files which exhibit the import order-dependent crashing issue. See attached fips-md5-python-init-bug.c which shows the FIPS OpenSSL behaviors that conditionally tickle the Python2 bug. The C file also contains a much more detailed description of the Python2 bug and other behavior which I'd rather not repeat here.

  I discovered this bug investigating an issue with the third-party apt-boto-s3 package. See https://github.com/boto/boto3/issues/2021

  Note that this bug affects Splunk, Inc, which has a corporate Ubuntu Advantage license. My login account is attached to a different, single-seat license.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
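The defect described in the report is that a digest context keeps being used after EVP_DigestInit has failed, so on a FIPS-enabled OpenSSL the failure surfaces as a SIGSEGV or SIGABRT of the whole interpreter instead of a Python exception. The script below is an added diagnostic example, not code from the bug report nor the attached good.py/bad.py: it probes hashlib algorithms in a child interpreter, optionally importing a module first to mirror the import-order dependence the reporter describes, and classifies each outcome as a normal Python error (the correct behaviour when an algorithm is unavailable) or a signal-terminated crash, so that the check itself survives a crashing digest. The names probe_digest and probe_all, the "probe" input and the outcome labels are this example's own assumptions.

```python
import signal
import subprocess
import sys

# Snippet executed in a fresh child interpreter.  Because the crash in the
# report kills the process that touches the broken MD5 context, the probe
# runs out-of-process so the diagnosing process only observes the exit code.
# {pre} is either empty or "<module>, " so that module is imported *before*
# hashlib, reproducing the import-order dependence the report describes.
PROBE = (
    "import sys, {pre}hashlib\n"
    "h = hashlib.new({alg!r})\n"
    "h.update(b'probe')\n"       # constructed input; any bytes will do
    "sys.stdout.write(h.hexdigest())\n"
)


def probe_digest(alg, preload=None, python=sys.executable):
    """Run hashlib.new(alg) in a child interpreter and classify the result.

    Returns a (status, detail) tuple where status is one of:
      "ok"            - digest computed; detail is the hex digest
      "error"         - the child raised a Python exception (e.g. ValueError
                        for an unavailable algorithm); detail is the last
                        stderr line
      "crash:<SIG>"   - the child was killed by a signal (SIGSEGV/SIGABRT is
                        the failure class in the bug report); detail is stderr
    """
    pre = "{}, ".format(preload) if preload else ""
    code = PROBE.format(pre=pre, alg=alg)
    proc = subprocess.run([python, "-c", code], capture_output=True, text=True)
    err = proc.stderr.strip()
    if proc.returncode == 0:
        return ("ok", proc.stdout.strip())
    if proc.returncode < 0:
        # A negative return code from subprocess means the child died from a
        # signal whose number is -returncode.
        try:
            name = signal.Signals(-proc.returncode).name
        except ValueError:
            name = "SIG" + str(-proc.returncode)
        return ("crash:" + name, err)
    return ("error", err.splitlines()[-1] if err else "")


def probe_all(algs=("md5", "sha1", "sha256"), preload=None):
    """Map each algorithm name to its probe status for a quick report."""
    return {alg: probe_digest(alg, preload)[0] for alg in algs}


if __name__ == "__main__":
    # Example run: compare plain import order with one that imports a module
    # (here the hypothetical name given on the command line) before hashlib.
    preload = sys.argv[1] if len(sys.argv) > 1 else None
    for alg, status in sorted(probe_all(preload=preload).items()):
        print("{:8s} {}".format(alg, status))
```

A status of "error" for md5 on a FIPS system is the expected, safe outcome; any "crash:SIGSEGV" or "crash:SIGABRT" entry indicates an interpreter whose hashlib still carries the unchecked EVP_DigestInit path and needs the backported fix.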