debcrafters-packages team mailing list archive

[Bug 2129676] Re: QPDF tries to use MD5 in FIPS mode

 

** Changed in: qpdf
       Status: Unknown => New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to qpdf in Ubuntu.
https://bugs.launchpad.net/bugs/2129676

Title:
  QPDF tries to use MD5 in FIPS mode

Status in Qpdf:
  New
Status in qpdf package in Ubuntu:
  New
Status in qpdf source package in Jammy:
  New
Status in qpdf source package in Noble:
  New
Status in qpdf source package in Plucky:
  New
Status in qpdf source package in Questing:
  New
Status in qpdf source package in Resolute:
  New

Bug description:
  After enabling fips/fips-updates it is impossible to print anymore.

  Requesting a print results in the following message in the cups logs:
  `ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.`

  I have come up with a small reproducer:
  ```
  pro attach # to be able to enable FIPS mode
  pro enable fips-updates
  reboot # to boot the fips kernel
  # with FIPS mode enabled
  /usr/lib/cups/filter/pdftopdf 555 $USER title 1 "" /usr/share/cups/data/confidential.pdf
  ```

  The output ends with:
  ```
  ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.
  ERROR: pdftopdf filter function failed.
  ```

  I have tracked the problematic code to:
  QPDF::compute_data_key in libqpdf/QPDF_encryption.cc

  It unconditionally uses MD5 (which in turn asks gnutls for MD5), and in
  FIPS mode it fails, as MD5 is not FIPS-approved.

  The bottom line is: it is not possible to print with FIPS mode enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qpdf/+bug/2129676/+subscriptions
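
The failure signature quoted in the report can be turned into a quick triage check that tells a FIPS policy rejection apart from other filter failures. This is an added example, not part of the bug report or of qpdf/CUPS code; the function names, the `FIPS_FLAG` variable and the sample log are constructed for illustration, and `/proc/sys/crypto/fips_enabled` is the Linux kernel's FIPS indicator.

```shell
#!/bin/sh
# Added triage sketch: correlate the kernel FIPS flag with gnutls
# "algorithm not enabled" errors found in a CUPS log.
# FIPS_FLAG and all function names are assumptions made for this example.

FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# Print 1 if the given flag file reports FIPS mode, 0 otherwise
# (a missing or unreadable file counts as "not in FIPS mode").
fips_state() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then echo 1; else echo 0; fi
}

# Read log text on stdin; print "<algorithm> <count>" for every algorithm
# gnutls refused with the message quoted in the report.
rejected_algorithms() {
    awk '
        /gnutls: [A-Za-z0-9-]+ error: An algorithm that is not enabled was negotiated/ {
            for (i = 1; i < NF; i++)
                if ($i == "gnutls:") { seen[$(i + 1)]++; break }
        }
        END { for (a in seen) print a, seen[a] }
    ' | sort
}

# Combine both signals into one verdict line.
# $1 = FIPS flag file, log text on stdin.
triage() {
    hits=$(rejected_algorithms)
    if [ -z "$hits" ]; then echo "no-crypto-rejection"; return 0; fi
    if [ "$(fips_state "$1")" = "1" ]; then
        echo "fips-policy-rejection: $hits"
    else
        echo "crypto-rejection-without-fips: $hits"
    fi
}

# Constructed sample: the two error lines from the report plus an unrelated line.
SAMPLE_LOG='ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.
ERROR: pdftopdf filter function failed.
INFO: constructed unrelated line'

printf '%s\n' "$SAMPLE_LOG" | triage "$FIPS_FLAG"
```

On a real host, pipe the CUPS error log into `triage "$FIPS_FLAG"` instead of the sample text.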


