Package: php5
Version: 5.3.3-7+squeeze14
Severity: important

This bug was originally reported against the Ubuntu php5 packages:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1046330

I have tested this in a squeeze chroot and a wheezy chroot. If I run this command:

    php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"

On upstream PHP 5.4.6, and on the CentOS 6 PHP packages, I see this behavior:

    CRYPT_EXT_DES: 1
    _.012saltIO.319ikKPU

Which is correct. On squeeze and wheezy (and Ubuntu 10.04 and later) I see this:

    CRYPT_EXT_DES: 1
    _.msUWmoj85W6

This means that standard DES is being used, even though CRYPT_EXT_DES == 1.

Removing php_crypt_revamped.patch and use_system_crypt_fixes.patch from debian/patches/series produces the correct behavior.

After reading this bug report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572601

I do agree that the system's crypt() should be used when possible. However, since the system crypt does not seem to support extended DES (forgive my ignorance in this area, but the tests seem to indicate it does not), we should be using the PHP internal implementation. At that point, why bother with the special case of using crypt() from glibc only when somebody uses a standard DES salt?

I don't really see a valid reason for such a large divergence from upstream behavior, so we should probably revert those patches and accept that upstream does not support the system library behavior (or push them to improve their support).

As an alternative, CRYPT_EXT_DES should be set to 0 since it is clearly not working.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (400, 'precise-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
pn  libapache2-mod-php5 | libapache2-mod-php5filter | php5-cgi  <none>
ii  php5-common  5.4.4-3ubuntu1

php5 recommends no packages.

php5 suggests no packages.
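
The mismatch described in the report can be checked mechanically, because the two DES formats have different shapes: a traditional DES hash is 13 characters (2 salt + 11 hash), while an extended DES hash is 20 characters ("_" + 4 count + 4 salt + 11 hash). The script below is an added example, not part of the original report or of the php5 packaging; the function names are hypothetical, and the salt and the two observed outputs are copied from the report.

```php
<?php
// Added example: flag crypt() silently downgrading an extended-DES salt
// to traditional DES. Function names are hypothetical.

// Scheme a salt asks for, judged by its prefix.
function requested_scheme($salt)
{
    if (preg_match('#^_[./0-9A-Za-z]{8}#', $salt)) {
        return 'ext_des';   // "_" + 4 count chars + 4 salt chars
    }
    if (strlen($salt) > 0 && $salt[0] === '$') {
        return 'modular';   // $1$, $5$, $6$ and similar, not examined here
    }
    return 'std_des';       // two-character salt
}

// Scheme a returned hash was actually produced with, judged by its shape.
function produced_scheme($hash)
{
    if (preg_match('#^_[./0-9A-Za-z]{19}$#', $hash)) {
        return 'ext_des';   // 1 + 8 + 11 = 20 characters
    }
    if (strlen($hash) > 0 && $hash[0] === '$') {
        return 'modular';
    }
    if (strlen($hash) === 13) {
        return 'std_des';   // 2 salt chars + 11 hash chars
    }
    return 'unknown';       // includes failure tokens such as "*0"
}

function is_downgraded($salt, $hash)
{
    return requested_scheme($salt) === 'ext_des'
        && produced_scheme($hash) !== 'ext_des';
}

$salt = '_.012saltIO.319ikKPU';   // salt from the report
$observed = array(
    'upstream 5.4.6 / CentOS 6' => '_.012saltIO.319ikKPU',   // from the report
    'squeeze / wheezy'          => '_.msUWmoj85W6',          // from the report
    'this host'                 => crypt(md5('my passw0rd'), $salt),
);
foreach ($observed as $where => $hash) {
    printf("%-26s %-22s %s\n", $where, $hash,
        is_downgraded($salt, $hash) ? 'DOWNGRADED to ' . produced_scheme($hash) : 'ok');
}
```

The same shape check can be applied to stored password hashes to find entries that were created under the downgraded behavior.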