[Bug 1046330] Re: Incorrect crypt() function behavior
I have run Clint's test case (from the Debian bug) of:

php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"

on Trusty (php5-cli 5.5.3+dfsg-1ubuntu3). It returned:

CRYPT_EXT_DES: 1
_.012saltIO.319ikKPU

So I presume this issue has now been fixed in Ubuntu.

** Changed in: php5 (Ubuntu)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1046330

Title:
  Incorrect crypt() function behavior

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1046330/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1046330] Re: Incorrect crypt() function behavior
As a temporary workaround, you can just strip salt to 9 characters. The fix is fairly simple, and I'll prepare a patch later today.
[Bug 1046330] Re: Incorrect crypt() function behavior
** Changed in: php5 (Debian)
       Status: Unknown => New
[Bug 1046330] Re: Incorrect crypt() function behavior
Can confirm that Ubuntu/Debian's behavior is different from CentOS 6:

$ php --version
PHP 5.3.3 (cli) (built: Jul 3 2012 16:53:21)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"
CRYPT_EXT_DES: 1
_.012saltIO.319ikKPU

**

precise

# php --version
PHP 5.3.10-1ubuntu3.2 with Suhosin-Patch (cli) (built: Jun 13 2012 17:20:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
# php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"
CRYPT_EXT_DES: 1
_.msUWmoj85W6

**

However, this is not a regression for Ubuntu. I tested this all the way back to hardy, which seemed to not have CRYPT_EXT_DES:

**

# php --version
PHP 5.2.4-2ubuntu5.25 with Suhosin-Patch 0.9.6.2 (cli) (built: Jun 13 2012 18:36:37)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"
CRYPT_EXT_DES: 0
_.msUWmoj85W6
[Bug 1046330] Re: Incorrect crypt() function behavior
The regression is not the absence of CRYPT_EXT_DES algorithm but the fact that it's declared available (CRYPT_EXT_DES = 1) but not used (result = _.msUWmoj85W6).
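
Added example (not part of the bug thread or of the php5 packaging): a self-test for the condition described above, where CRYPT_EXT_DES is reported as 1 but crypt() returns a 13-character traditional-DES result. The function names crypt_shape and check_ext_des are hypothetical; the password and salt are the ones quoted in the thread, and the 9-character variant is the workaround mentioned in it.

```php
<?php
// Added example: self-test for a silent extended-DES downgrade in crypt().
// Function names are hypothetical. Written to run on PHP 5.3 and later.

/** Classify a crypt() result by its shape only. */
function crypt_shape($hash)
{
    // Extended DES: '_' + 4 count chars + 4 salt chars + 11 hash chars.
    if (preg_match('#\A_[./0-9A-Za-z]{19}\z#', $hash)) {
        return 'ext_des';
    }
    // Traditional DES: 2 salt chars + 11 hash chars (13 in total). The two
    // salt chars are not validated: the affected builds echoed "_." there.
    if (preg_match('#\A.{2}[./0-9A-Za-z]{11}\z#s', $hash)) {
        return 'std_des';
    }
    return 'other';
}

/** Return 'ok', 'unavailable' or 'downgraded:<shape>' for one salt string. */
function check_ext_des($salt)
{
    if (CRYPT_EXT_DES !== 1) {
        return 'unavailable';
    }
    $hash  = crypt(md5('my passw0rd'), $salt);
    $shape = crypt_shape($hash);
    // A genuine extended-DES result begins with the 9-character setting.
    if ($shape === 'ext_des' && strncmp($hash, $salt, 9) === 0) {
        return 'ok';
    }
    return 'downgraded:' . $shape;
}

$full = '_.012saltIO.319ikKPU';   // salt string used in the thread
$results = array(
    'full salt'      => check_ext_des($full),
    '9-char setting' => check_ext_des(substr($full, 0, 9)),
);
foreach ($results as $label => $status) {
    echo str_pad($label, 16), $status, PHP_EOL;
}
// Exit non-zero unless every variant produced a real extended-DES hash.
exit(array_values(array_unique($results)) === array('ok') ? 0 : 1);
```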
[Bug 1046330] Re: Incorrect crypt() function behavior
Sergei, I agree, my comments were misleading. My point is that this has been broken since at least 10.04, and it's not even necessarily a regression from one release of Ubuntu to another. I just tested this on Debian squeeze and wheezy and it is present there as well.

I believe this was introduced by this change:

php5 (5.3.2-1) unstable; urgency=high
  ...
  [ Ondřej Surý ]
  ...
  * New debian patch always_use_system_crypt.patch (Closes: #572601)
  * New debian patch php_crypt_revamped.patch (Closes: #572601)
 -- Raphael Geissert geiss...@debian.org  Sat, 13 Mar 2010 15:11:48 -0600

I'm building test packages w/o those patches to see if the problem is resolved that way.

** Changed in: php5 (Ubuntu)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu)
   Importance: Medium => High
[Bug 1046330] Re: Incorrect crypt() function behavior
Setting to 'High' as this very quietly and subtly reduces the security of the system.
[Bug 1046330] Re: Incorrect crypt() function behavior
Have tested with those patches dropped and the upstream behavior is in fact restored. I've forwarded this on to Debian, though I would consider carrying this as part of Ubuntu's delta if the Debian maintainers decide not to revert the patches, as this seems fairly serious to me.

** Bug watch added: Debian Bug tracker #687031
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687031

** Also affects: php5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687031
   Importance: Unknown
       Status: Unknown

** Changed in: php5 (Ubuntu)
       Status: Confirmed => Triaged