** Description changed:

+ [ Impact ]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+    explanation of how the upload fixes this bug.
+ 
+ [ Test Plan ]
+ 
+  * detailed instructions how to reproduce the bug
+ 
+  * these should allow someone who is not familiar with the affected
+    package to reproduce the bug and verify that the updated package fixes
+    the problem.
+ 
+  * if other testing is appropriate to perform before landing this update,
+    this should also be described here.
+ 
+ [ Where problems could occur ]
+ 
+  * Think about what the upload changes in the software. Imagine the change is
+    wrong or breaks something else: how would this show up?
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+    upload and has a low overall risk of regression, but it's important
+    to make the effort to think about what ''could'' happen in the
+    event of a regression.
+ 
+  * This must '''never''' be "None" or "Low", or entirely an argument as to why
+    your upload is low risk.
+ 
+  * This both shows the SRU team that the risks have been considered,
+    and provides guidance to testers in regression-testing the SRU.
+ 
+ [ Other Info ]
+  
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
+  * and address these questions in advance
+ 
+ [Original Description]
+ 
  The OpenLDAP-contrib module sha2 (located in contrib/slapd-
  modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
  kinetic. This breaks our current password-authentication in ldap.
  
- 
  The problematic computation:
  
-     $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
-     {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
+     $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
+     {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
  
  The (correct) reference-value on the same system (or older ubuntu
  Versions):
  
-     $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
-     K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+     $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
+     K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  
+ We nailed the problem down to a bug in the gcc-optimizer for strict-
+ aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the
+ reason. The workaround is to compile the sha2-Module with the flag
+ "-fno-strict-aliasing". Then the correct value is computed. An example
+ taken from a git-compiled version of OpenLDAP 2.5.13:
  
- We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. 
so most probably the gcc-version on kinetic (v12.2.0) is the reason. The 
workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". 
Then the correct value is computed. An example taken from a git-compiled 
version of OpenLDAP 2.5.13:
- 
-     $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
-     {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
- 
- 
+     $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
+     {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  
  Ubuntu:
  
-     Description:    Ubuntu 22.10
-     Release:        22.10
+     Description:    Ubuntu 22.10
+     Release:        22.10
  
-     OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
+     OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
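Review bot: the SRU template inserted at the top of the description ([ Impact ], [ Test Plan ], [ Where problems could occur ], [ Other Info ]) still carries the template's placeholder bullets ("An explanation of the effects of the bug on users and", "detailed instructions how to reproduce the bug") rather than content for this bug. The material to fill them is already present in the original description below: the Test Plan can use the quoted `slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2` command with the expected output `{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=` (the value openssl produces for the same input), and the Impact section can state that the wrong hash breaks password authentication for deployments using the pw-sha2 module.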

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  In Progress
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown

Bug description:
  [ Impact ]

   * An explanation of the effects of the bug on users and

   * justification for backporting the fix to the stable release.

   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.

  [ Test Plan ]

   * detailed instructions how to reproduce the bug

   * these should allow someone who is not familiar with the affected
     package to reproduce the bug and verify that the updated package fixes
     the problem.

   * if other testing is appropriate to perform before landing this update,
     this should also be described here.

  [ Where problems could occur ]

   * Think about what the upload changes in the software. Imagine the change is
     wrong or breaks something else: how would this show up?

   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.

   * This must '''never''' be "None" or "Low", or entirely an argument as to why
     your upload is low risk.

   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.

  [ Other Info ]
   
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and
     the Technical Board
   * and address these questions in advance

  [Original Description]

  The OpenLDAP contrib module sha2 (located in
  contrib/slapd-modules/passwd/sha2/) computes a wrong SHA256/SSHA256 hash on
  Ubuntu kinetic. This breaks our current password authentication in LDAP.

  The problematic computation:

      $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
      {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

  The (correct) reference value on the same system (or older Ubuntu
  versions):

      $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
      K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  We nailed the problem down to a bug in the gcc optimizer for strict
  aliasing, so most probably the gcc version on kinetic (v12.2.0) is the
  reason. The workaround is to compile the sha2 module with the flag
  "-fno-strict-aliasing". Then the correct value is computed. An example
  taken from a git-compiled version of OpenLDAP 2.5.13:

      $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
      {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  Ubuntu:

      Description:    Ubuntu 22.10
      Release:        22.10

      OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
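The report compares slappasswd's output against an independent SHA-256 computation. The following added example (not from the bug report or from OpenLDAP) does the same check in Python: it recomputes the {SHA256} and {SSHA256} encodings the pw-sha2 module is expected to produce and verifies a stored value against a password, so a suspect build's output can be tested against a known-good implementation. The 8-byte salt length for {SSHA256} is an assumption, not taken from the page.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 8  # assumption: salt length used for {SSHA256} values


def sha256_scheme(password: bytes) -> str:
    """Unsalted form: {SHA256} + base64(SHA-256(password))."""
    return "{SHA256}" + base64.b64encode(hashlib.sha256(password).digest()).decode()


def ssha256_scheme(password: bytes, salt: bytes = b"") -> str:
    """Salted form: {SSHA256} + base64(SHA-256(password || salt) || salt)."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, password: bytes) -> bool:
    """Check password against a stored {SHA256}/{SSHA256} value.

    Unknown schemes and malformed base64 yield False instead of raising;
    digests are compared in constant time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, blob = stored[1:].partition("}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme.upper() == "SHA256":
        return hmac.compare_digest(raw, hashlib.sha256(password).digest())
    if scheme.upper() == "SSHA256":
        if len(raw) <= 32:  # digest must be followed by at least one salt byte
            return False
        digest, salt = raw[:32], raw[32:]
        return hmac.compare_digest(digest, hashlib.sha256(password + salt).digest())
    return False


def check_bug_report_values() -> dict:
    """Re-run the comparison from the report with its two quoted values."""
    good = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="  # openssl reference
    bad = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="   # kinetic slappasswd
    return {"reference_matches": sha256_scheme(b"secret") == good,
            "kinetic_output_verifies": verify(bad, b"secret")}
```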

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp