Your message dated Sun, 5 Jan 2020 15:23:22 +0100
with message-id <20200105142322.ga1718...@aurel32.net>
and subject line Re: Bug#714219: libc6: crypt(3) returns NULL with EINVAL 
instead of falling back to DES, breaking GNU software
has caused the Debian Bug report #714219,
regarding libc6: crypt(3) returns NULL with EINVAL instead of falling back to 
DES, breaking lots of software
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
714219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714219
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.17-6
Severity: important

Hi,

GNU libc6 in sid is breaking GNU CVS; some operations can
cause a segfault. I’ve tracked it down to:

tglase@tglase:~ $ cat x.c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void tst(const char *, const char *);
void tst(const char *x, const char *y) {
        const char *z;
        int e;

        z = crypt(x, y);
        e = errno;
        printf("tst(\"%s\", \"%s\")\n -> %p %s\n -> %s\n",
            x, y, z, z?z:"(null)", z?"(ok)":strerror(e));
}

int main(void) {
        tst("foo", "xy7k69x/M/s7g");
        tst("bar", "xy7k69x/M/s7g");
        tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d");
        return (0);
}
tglase@tglase:~ $ gcc -O2 -o x x.c -lcrypt
tglase@tglase:~ $ ./x
tst("foo", "xy7k69x/M/s7g")
 -> 0xf77b7140 xy7k69x/M/s7g
 -> (ok)
tst("bar", "xy7k69x/M/s7g")
 -> 0xf77b7140 xy5FOaP3Hea0k
 -> (ok)
tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
 -> (nil) (null)
 -> Invalid argument
tglase@tglase:~ $ scp x ${wheezysystem}:
x                                             100% 5707     5.6KB/s   00:00
tglase@tglase:~ $ ssh ${wheezysystem} ./x
tst("foo", "xy7k69x/M/s7g")
 -> 0xb7742140 xy7k69x/M/s7g
 -> (ok)
tst("bar", "xy7k69x/M/s7g")
 -> 0xb7742140 xy5FOaP3Hea0k
 -> (ok)
tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
 -> 0xb7742140 %q7LLO/mNILqg
 -> (ok)

POSIX says crypt(3) only fails with ENOSYS if it’s not supported
at all, but then it’d fail consistently:

    ERRORS

     The crypt() function shall fail if:

   [ENOSYS]
          The functionality is not supported on this implementation.

POSIX then goes on to use crypt() just like GNU CVS does:

        if (strcmp(p->pw_passwd, crypt(oldpasswd, p->pw_passwd)) == 0) {

Other implementations (like BSD) also strongly suggest that,
unless a different algorithm is selected ($1$, $2a$, etc.)
DES is used, which the above example clearly states is supported,
and overlong salts are just cut off / their trail end ignored.

23:51⎜<dalias> in musl, we return "*" on error

If this is an error at all… on wheezy it was none, and BSD agrees:

tg@blau:~ $ uname -a; ./x
MirBSD blau.mirbsd.org 10 Kv#10uB2-20130517 GENERIC#1405 i386
tst("foo", "xy7k69x/M/s7g")
 -> 0x23af3720 xy7k69x/M/s7g
 -> (ok)
tst("bar", "xy7k69x/M/s7g")
 -> 0x23af3720 xy5FOaP3Hea0k
 -> (ok)
tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
 -> 0x23af3720 %q3ge9F/nF3ec
 -> (ok)

Although the output on wheezy differs (it shouldn’t).


Please fix this to at least never return NULL with something
else than an ENOSYS condition (crypt(3) not implemented at all),
because this *will* break unrelated software.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh

Versions of packages libc6 depends on:
ii  libgcc1  1:4.8.1-4

Versions of packages libc6 recommends:
ii  libc6-i686  2.17-6

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.50
ii  glibc-doc              2.17-6
ii  locales-all [locales]  2.17-6

-- debconf information:
* glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
* glibc/restart-services: postfix openbsd-inetd cups cron
* libraries/restart-without-asking: true

--- End Message ---
--- Begin Message ---
Version: 2.29-4

On 2013-06-27 00:06, Thorsten Glaser wrote:
> Package: libc6
> Version: 2.17-6
> Severity: important
> 
> Hi,
> 
> GNU libc6 in sid is breaking GNU CVS; some operations can
> cause a segfault. I’ve tracked it down to:
> 
> tglase@tglase:~ $ cat x.c
> #define _GNU_SOURCE
> #include <errno.h>
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> 
> void tst(const char *, const char *);
> void tst(const char *x, const char *y) {
>         const char *z;
>         int e;
> 
>         z = crypt(x, y);
>         e = errno;
>         printf("tst(\"%s\", \"%s\")\n -> %p %s\n -> %s\n",
>             x, y, z, z?z:"(null)", z?"(ok)":strerror(e));
> }
> 
> int main(void) {
>         tst("foo", "xy7k69x/M/s7g");
>         tst("bar", "xy7k69x/M/s7g");
>         tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d");
>         return (0);
> }
> tglase@tglase:~ $ gcc -O2 -o x x.c -lcrypt
> tglase@tglase:~ $ ./x
> tst("foo", "xy7k69x/M/s7g")
>  -> 0xf77b7140 xy7k69x/M/s7g
>  -> (ok)
> tst("bar", "xy7k69x/M/s7g")
>  -> 0xf77b7140 xy5FOaP3Hea0k
>  -> (ok)
> tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
>  -> (nil) (null)
>  -> Invalid argument
> tglase@tglase:~ $ scp x ${wheezysystem}:
> x                                             100% 5707     5.6KB/s   00:00
> tglase@tglase:~ $ ssh ${wheezysystem} ./x
> tst("foo", "xy7k69x/M/s7g")
>  -> 0xb7742140 xy7k69x/M/s7g
>  -> (ok)
> tst("bar", "xy7k69x/M/s7g")
>  -> 0xb7742140 xy5FOaP3Hea0k
>  -> (ok)
> tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
>  -> 0xb7742140 %q7LLO/mNILqg
>  -> (ok)
> 
> POSIX says crypt(3) only fails with ENOSYS if it’s not supported
> at all, but then it’d fail consistently:
> 
>     ERRORS
>
>      The crypt() function shall fail if:
>
>    [ENOSYS]
>           The functionality is not supported on this implementation.
> 
> POSIX then goes on to use crypt() just like GNU CVS does:
> 
>         if (strcmp(p->pw_passwd, crypt(oldpasswd, p->pw_passwd)) == 0) {
> 
> Other implementations (like BSD) also strongly suggest that,
> unless a different algorithm is selected ($1$, $2a$, etc.)
> DES is used, which the above example clearly states is supported,
> and overlong salts are just cut off / their trail end ignored.
> 
> 23:51⎜<dalias> in musl, we return "*" on error
> 
> If this is an error at all… on wheezy it was none, and BSD agrees:
> 
> tg@blau:~ $ uname -a; ./x
> MirBSD blau.mirbsd.org 10 Kv#10uB2-20130517 GENERIC#1405 i386
> tst("foo", "xy7k69x/M/s7g")
>  -> 0x23af3720 xy7k69x/M/s7g
>  -> (ok)
> tst("bar", "xy7k69x/M/s7g")
>  -> 0x23af3720 xy5FOaP3Hea0k
>  -> (ok)
> tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
>  -> 0x23af3720 %q3ge9F/nF3ec
>  -> (ok)
> 
> Although the output on wheezy differs (it shouldn’t).
> 
> 
> Please fix this to at least never return NULL with something
> else than an ENOSYS condition (crypt(3) not implemented at all),
> because this *will* break unrelated software.

Now that libcrypt.so.1 is provided by libxcrypt instead of glibc, this
bug is not reproducible. Closing.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net

--- End Message ---
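
A defensive caller for the `strcmp(p->pw_passwd, crypt(...))` pattern discussed in this thread, as an added example (not code from the report, glibc, libxcrypt or CVS): it treats both a NULL return and a `*`-prefixed failure token as errors before comparing. The `check_password` name, the result enum, the locked-entry rule and the stub functions standing in for crypt(3) are assumptions made for illustration; the two DES outputs in `stub_des` are copied from the report.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); pass crypt itself (link with -lcrypt) in real use. */
typedef char *(*crypt_fn)(const char *key, const char *setting);
enum pw_result { PW_MATCH, PW_MISMATCH, PW_ERROR };

/* Compare all n bytes with no early exit. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

enum pw_result check_password(crypt_fn fn, const char *pw, const char *stored) {
    /* Assumption: empty or '*'/'!'-prefixed entries are locked and never match. */
    if (!stored || !stored[0] || stored[0] == '*' || stored[0] == '!')
        return PW_MISMATCH;
    const char *h = fn(pw, stored);
    if (h == NULL) return PW_ERROR;     /* NULL + EINVAL, as in this report */
    if (h[0] == '*') return PW_ERROR;   /* failure token, e.g. the "*" quoted for musl */
    size_t n = strlen(stored);
    if (strlen(h) != n) return PW_MISMATCH;
    return ct_equal(h, stored, n) ? PW_MATCH : PW_MISMATCH;
}

/* Constructed stand-ins for the three behaviours seen in the thread. */
static char *stub_null(const char *k, const char *s) {
    (void)k; (void)s; errno = EINVAL; return NULL;
}
static char *stub_star(const char *k, const char *s) {
    static char tok[] = "*"; (void)k; (void)s; return tok;
}
static char *stub_des(const char *k, const char *s) {  /* outputs copied from the report */
    static char foo[] = "xy7k69x/M/s7g", bar[] = "xy5FOaP3Hea0k";
    (void)s; return strcmp(k, "foo") == 0 ? foo : bar;
}

int main(void) {
    const char *stored = "xy7k69x/M/s7g";
    printf("%d %d %d %d\n", check_password(stub_des, "foo", stored),
           check_password(stub_des, "bar", stored),
           check_password(stub_null, "foo", stored),
           check_password(stub_star, "foo", stored));
    return 0;
}
```

Rejecting `*`-prefixed stored entries before calling the hash function also keeps a locked entry of `*` from comparing equal to a `*` failure token.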
