
debcrafters-packages team mailing list archive

[Bug 2129676] Re: QPDF tries to use MD5 in FIPS mode

 

gdb backtrace of where the issue occurs:
```
#0  gnutls_hash_init (dig=0x5555555ad818, algorithm=GNUTLS_DIG_MD5) at ../../lib/crypto-api.c:839
#1  0x00007ffff75b0e83 in QPDFCrypto_gnutls::MD5_init (this=0x5555555ad810) at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/QPDFCrypto_gnutls.cc:46
#2  0x00007ffff756f309 in MD5::MD5 (this=0x7fffffffb8e0) at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/MD5.cc:11
#3  QPDF::compute_data_key (encryption_key=..., objid=<optimized out>, generation=0, use_aes=<optimized out>, encryption_V=<optimized out>, 
    encryption_R=0) at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/QPDF_encryption.cc:352
#4  0x00007ffff7553509 in QPDFWriter::setDataKey (this=0x7fffffffbdb0, objid=<optimized out>)
    at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/QPDFWriter.cc:845
#5  0x00007ffff755e683 in QPDFWriter::writeObject (this=this@entry=0x7fffffffbdb0, object=..., object_stream_index=object_stream_index@entry=-1)
    at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/QPDFWriter.cc:1790
#6  0x00007ffff75603f2 in QPDFWriter::writeStandard (this=0x7fffffffbdb0) at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/QPDFWriter.cc:3013
#7  QPDFWriter::write (this=0x7fffffffbdb0) at /usr/src/qpdf-11.9.0-1.1build1/libqpdf/QPDFWriter.cc:2200
#8  0x00007ffff7e8e12d in _cfPDFToPDFQPDFProcessor::emit_file (this=0x55555559b320, f=<optimized out>, doc=0x7fffffffbea0, take=<optimized out>)
    at cupsfilters/pdftopdf/qpdf-pdftopdf-processor.cxx:876
#9  0x00007ffff7e822a8 in cfFilterPDFToPDF (inputfd=<optimized out>, outputfd=<optimized out>, inputseekable=<optimized out>, data=<optimized out>, 
    parameters=<optimized out>) at cupsfilters/pdftopdf/pdftopdf.cxx:985
#10 0x00007ffff7f519bf in ppdFilterCUPSWrapper (argc=argc@entry=7, argv=argv@entry=0x7fffffffe398, 
    filter=0x7ffff7f4fce0 <ppdFilterPDFToPDF(int, int, int, cf_filter_data_t*, void*)>, parameters=parameters@entry=0x0, 
    JobCanceled=JobCanceled@entry=0x555555558014 <JobCanceled>) at ppd/ppd-filter.c:178
#11 0x00005555555550db in main (argc=7, argv=0x7fffffffe398) at filter/pdftopdf.c:66
```

** Also affects: qpdf (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Also affects: qpdf (Ubuntu Resolute)
   Importance: High
       Status: New

** Also affects: qpdf (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: qpdf (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: qpdf (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Bug watch added: github.com/qpdf/qpdf/issues #1566
   https://github.com/qpdf/qpdf/issues/1566

** Also affects: qpdf via
   https://github.com/qpdf/qpdf/issues/1566
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to qpdf in Ubuntu.
https://bugs.launchpad.net/bugs/2129676

Title:
  QPDF tries to use MD5 in FIPS mode

Status in Qpdf:
  Unknown
Status in qpdf package in Ubuntu:
  New
Status in qpdf source package in Jammy:
  New
Status in qpdf source package in Noble:
  New
Status in qpdf source package in Plucky:
  New
Status in qpdf source package in Questing:
  New
Status in qpdf source package in Resolute:
  New

Bug description:
  After enabling fips/fips-updates it is impossible to print anymore.

  Requesting a print results in the following message in the cups logs:
  `ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.`

  I have come up with a small reproducer:
  ```
  pro attach # to be able to enable FIPS mode
  pro enable fips-updates
  reboot # to boot the fips kernel
  # with FIPS mode enabled
  /usr/lib/cups/filter/pdftopdf 555 $USER title 1 "" /usr/share/cups/data/confidential.pdf
  ```

  The output ends with:
  ```
  ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.
  ERROR: pdftopdf filter function failed.
  ```

  I have tracked the problematic code to:
  QPDF::compute_data_key in libqpdf/QPDF_encryption.cc

  It unconditionally uses MD5 (that in turn asks gnutls for MD5), and in
  FIPS mode it fails as MD5 is not FIPS-approved.

  The bottom line is: it is not possible to print with FIPS mode enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qpdf/+bug/2129676/+subscriptions
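
Added example, not part of the bug report and not qpdf's code: a Python sketch of the per-object key derivation that the PDF standard security handler specifies (Algorithm 1 in the PDF specification), assuming `QPDF::compute_data_key` follows that algorithm. It shows which encryption versions depend on MD5 and reports a clear error when the crypto provider refuses it; the helper names and sample keys are constructed for illustration.

```python
import hashlib
import struct

AES_SALT = b"sAlT"  # suffix the PDF spec appends when the object is AES-encrypted


def md5_allowed():
    """True if the local crypto provider serves MD5 (False on FIPS-enforcing builds)."""
    try:
        hashlib.md5(b"probe")
        return True
    except (ValueError, AttributeError):
        return False


def compute_data_key(file_key, objid, generation, use_aes, V):
    """Per-object key for the PDF standard security handler (hypothetical helper)."""
    if V >= 5:
        # AES-256 handlers use the file key as-is: no MD5 involved.
        return file_key
    if not md5_allowed():
        raise RuntimeError("PDF encryption V<5 needs MD5, which this crypto policy disables")
    # Low 3 bytes of the object number, low 2 bytes of the generation, little-endian.
    material = file_key + struct.pack("<I", objid & 0xFFFFFF)[:3]
    material += struct.pack("<H", generation & 0xFFFF)
    if use_aes:
        material += AES_SALT
    digest = hashlib.md5(material).digest()
    # Key length is the file key length plus 5 bytes, capped at 16.
    return digest[: min(len(file_key) + 5, 16)]


if __name__ == "__main__":
    key40 = bytes(range(5))    # constructed 40-bit file key
    key256 = bytes(range(32))  # constructed 256-bit file key
    print("MD5 allowed by provider:", md5_allowed())
    print("V=5 key unchanged:", compute_data_key(key256, 7, 0, True, 5) == key256)
    try:
        print("V=1 object key:", compute_data_key(key40, 7, 0, False, 1).hex())
    except RuntimeError as exc:
        print("V=1 failed:", exc)
```

Run on a host with and without FIPS mode enabled to compare the two outcomes for the V<5 case.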


