On Wed, Aug 8, 2012 at 11:19:47 +0200, Julien Cristau wrote: > Package: libaprutil1 > Version: 1.3.9+dfsg-5 > Severity: important > Tags: patch > > When using sha512_crypt passwords (i.e. with a salt string starting with > $6$), apache fails to validate them correctly. This is likely due to > the following bug in apr_password_validate: > - the "sample" buffer is 120 bytes > - strlen(salt) is 119, e.g. > > '$6$rounds=40000$YmXFoXtqoZApKtDc$1WLYWpQyHlKTDTrMR5r5hxmPwpcxrZ8cZIMokKZ.F5EEuRijS03DU2yI77sXAWpEtsl/yHzLkAHSeffMGVaZ00' > for 'foo' > - apr_password_validate calls apr_cpystrn(sample, crypt_pw, sizeof(sample) - > 1); > - apr_cpystrn NUL-terminates sample. Which means sample[sizeof(sample) - 2] > == '\0', > i.e. the last character of the hash is overwritten > > I believe this should be fixed by making all apr_cpystrn calls in > apr_password_validate take sizeof(sample) instead of > sizeof(sample) - 1 as third argument. By the looks of it this also > affects the sid version. > Looks like this got fixed upstream in http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_passwd.c?r1=1358480&r2=1361811
And I have now successfully tested the attached patch. Cheers, Julien -- Julien Cristau <[email protected]> Logilab http://www.logilab.fr/ Informatique scientifique & gestion de connaissances
diff -u apr-util-1.3.9+dfsg/debian/changelog apr-util-1.3.9+dfsg/debian/changelog --- apr-util-1.3.9+dfsg/debian/changelog +++ apr-util-1.3.9+dfsg/debian/changelog @@ -1,3 +1,9 @@ +apr-util (1.3.9+dfsg-5.1) UNRELEASED; urgency=low + + * Fix apr_password_validate for sha512 crypt (closes: #684268) + + -- Julien Cristau <[email protected]> Wed, 08 Aug 2012 11:59:54 +0200 + apr-util (1.3.9+dfsg-5) unstable; urgency=low * Backports from 1.3.10: diff -u apr-util-1.3.9+dfsg/debian/patches/099_alternate_md4_md5_impl.dpatch apr-util-1.3.9+dfsg/debian/patches/099_alternate_md4_md5_impl.dpatch --- apr-util-1.3.9+dfsg/debian/patches/099_alternate_md4_md5_impl.dpatch +++ apr-util-1.3.9+dfsg/debian/patches/099_alternate_md4_md5_impl.dpatch @@ -5,9 +5,9 @@ ## DP: No description. @DPATCH@ -diff -urNad apr-util-1.2.7~/crypto/apr_md4.c apr-util-1.2.7/crypto/apr_md4.c ---- apr-util-1.2.7~/crypto/apr_md4.c 1970-01-01 01:00:00.000000000 +0100 -+++ apr-util-1.2.7/crypto/apr_md4.c 2006-08-18 14:21:41.000000000 +0200 +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apr-util-1.3.9+dfsg~/crypto/apr_md4.c apr-util-1.3.9+dfsg/crypto/apr_md4.c +--- apr-util-1.3.9+dfsg~/crypto/apr_md4.c 1970-01-01 01:00:00.000000000 +0100 ++++ apr-util-1.3.9+dfsg/crypto/apr_md4.c 2012-08-08 11:11:22.362626389 +0200 @@ -0,0 +1,389 @@ +/* Adopted for apr-util by Tollef Fog Heen <[email protected]> */ + 
@@ -398,9 +398,9 @@ + return APR_SUCCESS; +} +#endif -diff -urNad apr-util-1.2.7~/crypto/apr_md5.c apr-util-1.2.7/crypto/apr_md5.c ---- apr-util-1.2.7~/crypto/apr_md5.c 1970-01-01 01:00:00.000000000 +0100 -+++ apr-util-1.2.7/crypto/apr_md5.c 2006-08-18 14:21:41.000000000 +0200 +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apr-util-1.3.9+dfsg~/crypto/apr_md5.c apr-util-1.3.9+dfsg/crypto/apr_md5.c +--- apr-util-1.3.9+dfsg~/crypto/apr_md5.c 1970-01-01 01:00:00.000000000 +0100 ++++ apr-util-1.3.9+dfsg/crypto/apr_md5.c 2012-08-08 11:11:55.030701880 +0200 @@ -0,0 +1,686 @@ +/* FIXME: body must handle xlate */ + @@ -1050,12 +1050,12 @@ + * It's not our algorithm, so feed it to crypt() if possible. + */ +#if defined(WIN32) || defined(BEOS) || defined(NETWARE) -+ apr_cpystrn(sample, passwd, sizeof(sample) - 1); ++ apr_cpystrn(sample, passwd, sizeof(sample)); +#elif defined(CRYPT_R_CRYPTD) + CRYPTD buffer; + + crypt_pw = crypt_r(passwd, hash, &buffer); -+ apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); ++ apr_cpystrn(sample, crypt_pw, sizeof(sample)); +#elif defined(CRYPT_R_STRUCT_CRYPT_DATA) + struct crypt_data buffer; + @@ -1066,7 +1066,7 @@ + */ + memset(&buffer, 0, sizeof(buffer)); + crypt_pw = crypt_r(passwd, hash, &buffer); -+ apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); ++ apr_cpystrn(sample, crypt_pw, sizeof(sample)); +#else + /* Do a bit of sanity checking since we know that crypt_r() + * should always be used for threaded builds on AIX, and 
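Review bot: The copy on the changed lines still truncates silently whenever the crypt() result is sizeof(sample) characters or longer — apr_cpystrn keeps at most n-1 characters — so with the 120-byte `sample` the report describes, a $6$ hash with a six-digit rounds= value and a 16-character salt (120 characters by my count) would still be cut short and rejected. Truncation can only produce a false mismatch, so this fails closed, but it would be better to make the limit explicit than to depend on that: either size `sample` for the longest hash string the build accepts, or add `if (strlen(crypt_pw) >= sizeof(sample)) return APR_EMISMATCH;` before each copy of a crypt() result. The declaration of `sample` and the start of apr_password_validate are outside this hunk, so the buffer size is taken from the report rather than from visible code. Note that the first branch (WIN32/BEOS/NETWARE) copies `passwd` itself rather than a crypt() result, so such a check would not apply there.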
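Review bot: The line before the changed copy stores the crypt_r() result and the copy dereferences it unconditionally, yet on some C libraries crypt_r() returns NULL on failure (for example an unrecognised or malformed hash prefix), which would crash apr_password_validate instead of reporting a mismatch. The patch only corrects the length argument, so this pre-existing hazard remains in the new code; a guard such as `if (crypt_pw == NULL) return APR_EMISMATCH;` between the crypt_r() call and the apr_cpystrn() would turn it into a clean rejection. The CRYPT_R_CRYPTD branch in the previous hunk has the same shape. The enclosing function starts before this hunk and its remaining branches continue after it.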
@@ -1082,15 +1082,15 @@ + */ + crypt_mutex_lock(); + crypt_pw = crypt(passwd, hash); -+ apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); ++ apr_cpystrn(sample, crypt_pw, sizeof(sample)); + crypt_mutex_unlock(); +#endif + } + return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH; +} -diff -urNad apr-util-1.2.7~/include/apr_md4.h apr-util-1.2.7/include/apr_md4.h ---- apr-util-1.2.7~/include/apr_md4.h 1970-01-01 01:00:00.000000000 +0100 -+++ apr-util-1.2.7/include/apr_md4.h 2006-08-18 14:22:04.000000000 +0200 +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apr-util-1.3.9+dfsg~/include/apr_md4.h apr-util-1.3.9+dfsg/include/apr_md4.h +--- apr-util-1.3.9+dfsg~/include/apr_md4.h 1970-01-01 01:00:00.000000000 +0100 ++++ apr-util-1.3.9+dfsg/include/apr_md4.h 2012-08-08 11:11:22.366628549 +0200 @@ -0,0 +1,135 @@ +/* Copyright 2001-2005 The Apache Software Foundation or its licensors, as + * applicable. @@ -1227,9 +1227,9 @@ +#endif + +#endif /* !APR_MD4_H */ -diff -urNad apr-util-1.2.7~/include/apr_md5.h apr-util-1.2.7/include/apr_md5.h ---- apr-util-1.2.7~/include/apr_md5.h 1970-01-01 01:00:00.000000000 +0100 -+++ apr-util-1.2.7/include/apr_md5.h 2006-08-18 14:22:04.000000000 +0200 +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apr-util-1.3.9+dfsg~/include/apr_md5.h apr-util-1.3.9+dfsg/include/apr_md5.h +--- apr-util-1.3.9+dfsg~/include/apr_md5.h 1970-01-01 01:00:00.000000000 +0100 ++++ apr-util-1.3.9+dfsg/include/apr_md5.h 2012-08-08 11:11:22.366628549 +0200 @@ -0,0 +1,144 @@ +/* + * Adopted for apr-util by Tollef Fog Heen <[email protected]>
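Review bot: In this branch crypt() runs between crypt_mutex_lock() and crypt_mutex_unlock(), so a NULL result (which some C libraries return for an unsupported or malformed hash) cannot be handled by an early return the way the crypt_r() branches could without leaking the mutex, and the changed copy still dereferences crypt_pw without checking it. I would guard the copy inside the critical section and report the failure only after the unlock, as below. After the unlock crypt_pw is only compared with NULL, never dereferenced, so the static buffer crypt() returns is not touched outside the lock. The function's earlier branches are in the previous hunks; the final strcmp() return is visible here and is unchanged.
```c
    crypt_mutex_lock();
    crypt_pw = crypt(passwd, hash);
    if (crypt_pw != NULL)
        apr_cpystrn(sample, crypt_pw, sizeof(sample));
    crypt_mutex_unlock();
    if (crypt_pw == NULL)
        return APR_EMISMATCH;
    /* … unchanged: #endif, closing brace, strcmp() return … */
```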

