** Description changed:
+ [ Impact ]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [ Test Plan ]
+
+ * detailed instructions how to reproduce the bug
+
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
+
+ * if other testing is appropriate to perform before landing this update,
+ this should also be described here.
+
+ [ Where problems could occur ]
+
+ * Think about what the upload changes in the software. Imagine the change is
+ wrong or breaks something else: how would this show up?
+
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
+
+ * This must '''never''' be "None" or "Low", or entirely an argument as to why
+ your upload is low risk.
+
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
+
+ [ Other Info ]
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
+ * and address these questions in advance
+
+ [Original Description]
+
The OpenLDAP-contrib module sha2 (located in contrib/slapd-
modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
kinetic. This breaks our current password-authentication in ldap.
-
The problematic computation:
- $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
- {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
+ $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
+ {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
The (correct) reference-value on the same system (or older ubuntu
Versions):
- $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
- K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+ $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
+ K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+ We nailed the problem down to a bug in the gcc-optimizer for strict-
+ aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the
+ reason. The workaround is to compile the sha2-Module with the flag
+ "-fno-strict-aliasing". Then the correct value is computed. An example
+ taken from a git-compiled version of OpenLDAP 2.5.13:
- We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing.
so most probably the gcc-version on kinetic (v12.2.0) is the reason. The
workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing".
Then the correct value is computed. An example taken from a git-compiled
version of OpenLDAP 2.5.13:
-
- $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
- {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
-
-
+ $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
+ {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Ubuntu:
- Description: Ubuntu 22.10
- Release: 22.10
+ Description: Ubuntu 22.10
+ Release: 22.10
- OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
+ OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
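Review bot: the added [ Impact ], [ Test Plan ] and [ Where problems could occur ] sections are still the unfilled SRU template text ("An explanation of the effects of the bug on users and", "detailed instructions how to reproduce the bug"), so the description change adds structure but no bug-specific content. The material to fill them with is already in the original description below: the impact is that pw-sha2 on kinetic produces a wrong {SHA256}/{SSHA256} value and breaks password authentication; the test plan is the `slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2` run compared against `echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64` (expected `K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=`); the regression section should mention that the fix touches the build flags of the sha2 contrib module (-fno-strict-aliasing) and that the {SSHA256} path needs the same check.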
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817
Title:
Wrong SHA256-value computed on kinetic
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Jammy:
In Progress
Status in openldap source package in Kinetic:
In Progress
Status in openldap source package in Lunar:
Fix Released
Status in openldap package in Debian:
Unknown
Bug description:

[ Impact ]

* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
  explanation of how the upload fixes this bug.

[ Test Plan ]

* detailed instructions on how to reproduce the bug
* these should allow someone who is not familiar with the affected
  package to reproduce the bug and verify that the updated package fixes
  the problem.
* if other testing is appropriate to perform before landing this update,
  this should also be described here.

[ Where problems could occur ]

* Think about what the upload changes in the software. Imagine the change is
  wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
  upload and has a low overall risk of regression, but it's important
  to make the effort to think about what ''could'' happen in the
  event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
  your upload is low risk.
* This both shows the SRU team that the risks have been considered,
  and provides guidance to testers in regression-testing the SRU.

[ Other Info ]

* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and
  the Technical Board
* and address these questions in advance

[Original Description]

The OpenLDAP contrib module sha2 (located in contrib/slapd-modules/passwd/sha2/)
computes a wrong SHA256/SSHA256 hash on Ubuntu kinetic. This breaks our
current password authentication in LDAP.

The problematic computation:

  $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
  {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

The (correct) reference value on the same system (or older Ubuntu versions):

  $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
  K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

We nailed the problem down to a bug in the gcc optimizer for strict
aliasing, so most probably the gcc version on kinetic (v12.2.0) is the
reason. The workaround is to compile the sha2 module with the flag
"-fno-strict-aliasing". Then the correct value is computed. An example
taken from a git-compiled version of OpenLDAP 2.5.13:

  $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Ubuntu:
  Description: Ubuntu 22.10
  Release: 22.10
  OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
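The report compares one slappasswd output against openssl by eye. The following added check (not from the bug report or from OpenLDAP) recomputes {SHA256} and {SSHA256} values with Python's hashlib so that a deployed pw-sha2 module can be verified against an independent reference; it assumes the contrib module's storage layout, base64(SHA256(password || salt) || salt) with an empty salt for {SHA256}, and uses the two values quoted in the report as its sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Both values are copied from the bug report: the first is the correct hash
# of "secret", the second is what the miscompiled pw-sha2 on kinetic emitted.
GOOD_SHA256 = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="
BAD_SHA256_KINETIC = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="


def check_password(stored: str, password: str) -> bool:
    """Verify a {SHA256}/{SSHA256} value the way slapd's pw-sha2 module
    is assumed to lay it out: base64(SHA256(password || salt) || salt).
    Raises ValueError on a malformed value instead of silently failing."""
    if not stored.startswith("{"):
        raise ValueError("missing scheme prefix")
    scheme, _, b64 = stored[1:].partition("}")
    if scheme not in ("SHA256", "SSHA256"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    raw = base64.b64decode(b64, validate=True)
    digest, salt = raw[:32], raw[32:]          # SHA-256 digest is 32 bytes
    if len(digest) != 32 or (scheme == "SHA256" and salt):
        raise ValueError("malformed hash value")
    expected = hashlib.sha256(password.encode() + salt).digest()
    # Constant-time compare so verification time does not leak a prefix match.
    return hmac.compare_digest(expected, digest)


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA256} value in the same assumed layout; used to generate
    known-good test data rather than relying on the module under test."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    # Paste the line printed by `slappasswd -s secret -h '{SHA256}' ...` here.
    for value in (GOOD_SHA256, BAD_SHA256_KINETIC):
        state = "OK" if check_password(value, "secret") else "MISMATCH"
        print(f"{state}: {value}")
```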