[Bug 1046330] Re: Incorrect crypt() function behavior

2013-11-29 Thread Robie Basak
I have run Clint's test case (from the Debian bug) of:

php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"

on Trusty (php5-cli 5.5.3+dfsg-1ubuntu3).

It returned:

CRYPT_EXT_DES: 1
_.012saltIO.319ikKPU

So I presume this issue has now been fixed in Ubuntu.

** Changed in: php5 (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1046330

Title:
  Incorrect crypt() function behavior

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1046330/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
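
Added example (not part of the original thread and not code from the php5 package): a PHP check for the failure this bug describes, where CRYPT_EXT_DES is advertised but a `_`-prefixed setting comes back as a shorter string. The function names are hypothetical; the setting string and the two sample outputs are the ones quoted in this thread.

```php
<?php
// Added illustration; function names are hypothetical, not from php5.

// An extended-DES setting is "_" + 4 iteration-count chars + 4 salt chars.
function is_ext_des_setting($setting)
{
    return preg_match('#^_[./0-9A-Za-z]{8}#', $setting) === 1;
}

// For an extended-DES setting, crypt() must echo the 9-character setting
// and append 11 hash characters (20 in total). Anything else means the
// requested scheme was not the one that produced the string.
function ext_des_honoured($setting, $hash)
{
    return is_string($hash)
        && strlen($hash) === 20
        && strncmp($hash, $setting, 9) === 0;
}

// Run the thread's test case against the local crypt(), first with the
// full setting, then with the 9-character workaround from the thread.
function self_test($password, $setting)
{
    if (!is_ext_des_setting($setting)) {
        return 'not an extended-DES setting';
    }
    if (CRYPT_EXT_DES != 1) {
        return 'CRYPT_EXT_DES not advertised';
    }
    if (ext_des_honoured($setting, crypt($password, $setting))) {
        return 'ok';
    }
    $short = substr($setting, 0, 9);
    return ext_des_honoured($short, crypt($password, $short))
        ? 'broken with full setting, ok with 9-character setting'
        : 'broken: extended DES advertised but not used';
}

$setting  = '_.012saltIO.319ikKPU';          // setting string from the thread
$reported = array(
    'CentOS 6' => '_.012saltIO.319ikKPU',    // output quoted in the thread
    'precise'  => '_.msUWmoj85W6',           // output quoted in the thread
);
foreach ($reported as $system => $hash) {
    echo $system, ': ', ext_des_honoured($setting, $hash) ? 'honoured' : 'NOT honoured', PHP_EOL;
}
echo 'local: ', self_test(md5('my passw0rd'), $setting), PHP_EOL;
```

The same shape check can be run over stored password hashes to find records that were written while the affected package was installed.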


[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-10 Thread Ondřej Surý
As a temporary workaround, you can just strip salt to 9 characters. The
fix is fairly simple, and I'll prepare a patch later today.



[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-10 Thread Bug Watch Updater
** Changed in: php5 (Debian)
   Status: Unknown => New



[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-08 Thread Clint Byrum
Can confirm that Ubuntu/Debian's behavior is different from CentOS 6:


$ php --version
PHP 5.3.3 (cli) (built: Jul  3 2012 16:53:21) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"
CRYPT_EXT_DES: 1
_.012saltIO.319ikKPU

**
precise

# php --version
PHP 5.3.10-1ubuntu3.2 with Suhosin-Patch (cli) (built: Jun 13 2012 17:20:55) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
# php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"
CRYPT_EXT_DES: 1
_.msUWmoj85W6

**

However, this is not a regression for Ubuntu.
I tested this all the way back to hardy, which seemed to not have CRYPT_EXT_DES:

**

# php --version
PHP 5.2.4-2ubuntu5.25 with Suhosin-Patch 0.9.6.2 (cli) (built: Jun 13 2012 18:36:37)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"
CRYPT_EXT_DES: 0
_.msUWmoj85W6



[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-08 Thread Sergei Morozov
The regression is not the absence of the CRYPT_EXT_DES algorithm but the
fact that it's declared available (CRYPT_EXT_DES = 1) but not used
(result = _.msUWmoj85W6).



[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-08 Thread Clint Byrum
Sergei, I agree, my comments were misleading. My point is that this has
been broken since at least 10.04, and it's not even necessarily a
regression from one release of Ubuntu to another.

I just tested this on Debian squeeze and wheezy and it is present there
as well. I believe this was introduced by this change:

php5 (5.3.2-1) unstable; urgency=high
...
  [ Ondřej Surý ]
...
  * New debian patch always_use_system_crypt.patch (Closes: #572601)
  * New debian patch php_crypt_revamped.patch (Closes: #572601)

 -- Raphael Geissert geiss...@debian.org  Sat, 13 Mar 2010 15:11:48 -0600

I'm building test packages w/o those patches to see if the problem is
resolved that way.


** Changed in: php5 (Ubuntu)
   Status: New => Confirmed

** Changed in: php5 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu)
   Importance: Medium => High



[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-08 Thread Clint Byrum
Setting to 'High' as this very quietly and subtly reduces the security
of the system.



[Bug 1046330] Re: Incorrect crypt() function behavior

2012-09-08 Thread Clint Byrum
Have tested with those patches dropped and the upstream behavior is in
fact restored. I've forwarded this on to Debian, though I would consider
carrying this as part of Ubuntu's delta if the Debian maintainers decide
not to revert the patches, as this seems fairly serious to me.

** Bug watch added: Debian Bug tracker #687031
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687031

** Also affects: php5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687031
   Importance: Unknown
   Status: Unknown

** Changed in: php5 (Ubuntu)
   Status: Confirmed => Triaged
