libvirt for Xenial failing to build due to gnutls SHA1 restriction

Bug #1864918 reported by Guilherme G. Piccoli on 2020-02-26
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Undecided
Guilherme G. Piccoli
Xenial
Low
Guilherme G. Piccoli

Bug Description

[Impact]

* Since version 3.4.10-4ubuntu1.6 on Xenial, gnutls considers SHA1 certificates to be insecure - this affects libvirt tests "virnettlscontexttest" and "virnettlssessiontest", preventing the correct build of the package.

* The fix is available upstream since libvirt v3.7.0, as commit c666661bbc ("Fix TLS test suites with gnutls 3.6.0") [ libvirt.org/git/?p=libvirt.git;a=commit;h=c666661b ], which uses SHA256 for the certificates generated on tests.

[Test Case]

* Basic testing consists is spin-up a PPA builder and try to build libvirt - it'll fail in amd64 and i386 architectures. With the proposed patch, it succeeds. Both failure and success buildlogs are attached in the LP.

[Regression Potential]

* The regression potential in this case is minimal, since it only affects testing. Also, this patch is present in all subsequent releases and is hereby introduced only in Xenial after the gnutls change (from version 3.6) was backported to Xenial as well.

Changed in libvirt (Ubuntu Xenial):
status: New → Incomplete
status: Incomplete → Confirmed
Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
Changed in libvirt (Ubuntu Xenial):
assignee: nobody → Guilherme G. Piccoli (gpiccoli)
importance: Undecided → Medium
Guilherme G. Piccoli (gpiccoli) wrote :
Changed in libvirt (Ubuntu Xenial):
importance: Medium → Critical
Guilherme G. Piccoli (gpiccoli) wrote :
description: updated
Changed in libvirt (Ubuntu Xenial):
status: Confirmed → In Progress
Guilherme G. Piccoli (gpiccoli) wrote :

The fix for this LP will be uploaded/handled in LP #1844455.
Thanks,

Guilherme

Robie Basak (racb) wrote :

As you say, this only affects tests, so presumably Importance -> Critical was a mistake?

Changed in libvirt (Ubuntu Xenial):
importance: Critical → Low

Hello Guilherme, or anyone else affected,

Accepted libvirt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.30 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libvirt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Guilherme G. Piccoli (gpiccoli) wrote :

Thanks Robie, I set Critical because it prevented PPA/LP build for the package, hence it blocked any other fix =)
But feel free to mark it as low.

Also, would be nice to understand why a security SRU to gnutls was released without running reverse tests, risking to break any number of packages!
Cheers,

Guilherme

Guilherme G. Piccoli (gpiccoli) wrote :

I just verified this LP by building on PPA the current libvirt on xenial-proposed (1.3.1-1ubuntu10.30) - it succeeded. Also, checked the code and the patch is there, hence I'll mark this LP as verified.
Thanks,

Guilherme

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

So it seems libvirt FTBFS on i386 in xenial-proposed right now:
https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.30

Does this mean the package is still broken? Should we mark this as verification-failed?

Changed in libvirt (Ubuntu Xenial):
status: Fix Committed → Incomplete
Changed in libvirt (Ubuntu Xenial):
status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.30

---------------
libvirt (1.3.1-1ubuntu10.30) xenial; urgency=medium

  * d/p/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch:
    fix memory-leak from PCI-related structure. (LP: #1844455)
  * d/p/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch: fix failing TLS
    tests due to recent-introduced SHA1 restriction in gnutls. (LP: #1864918)

 -- <email address hidden> (Guilherme G. Piccoli) Wed, 26 Feb 2020 13:23:18 -0300

Changed in libvirt (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for libvirt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers