Your message dated Mon, 17 Sep 2012 04:32:46 +0000
with message-id <e1tdt0o-00018t...@franck.debian.org>
and subject line Bug#679628: fixed in libxcrypt 1:2.4-1.1
has caused the Debian Bug report #679628,
regarding libxcrypt1: crypt_blowfish doesn't properly handle 8-bit characters (CVE-2011-2483)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
679628: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxcrypt1
Version: 1:2.4-1
Severity: normal

I think the crypt_blowfish implementation in libxcrypt 2.4-1 has the sign
extension bug detailed in CVE-2011-2483.

Full details of this bug are at: http://seclists.org/oss-sec/2011/q2/632

crypt_blowfish.c in the libxcrypt source package contains the following
code, which indicates that it's affected by this bug:

for (j = 0; j < 4; j++) {
   tmp <<= 8;
   tmp |= *ptr;

   if (!*ptr) ptr = key; else ptr++;
}

The problem is in the statement "tmp |= *ptr", where ptr is a plain
char. This should be cast to an unsigned char, e.g.

tmp |= (unsigned char)*ptr

Upgrading to the latest upstream source should fix this bug.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libxcrypt1 depends on:
ii  libc6  2.13-33

libxcrypt1 recommends no packages.

libxcrypt1 suggests no packages.

-- no debconf information



--- End Message ---
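As an added illustration, not code from the report or from libxcrypt, here is a small C model of the key-loading loop quoted above, run once per Blowfish P-array word both with the original `tmp |= *ptr` and with the `(unsigned char)` cast the reporter recommends. The names `expand_key`, `first_key_word` and `words_corrupted` are this example's own, and `plain_char` is an assumption that pins plain `char` to signed, as it is on the i386 system the report came from, so the result does not depend on the build platform.

```c
#include <stdint.h>

/* bcrypt's key setup fills the 18 entries of the Blowfish P-array from the
 * password, one 32-bit word at a time, using the loop quoted in the report. */
#define P_WORDS 18

/* Plain char is signed on i386/amd64, where the report was filed; spelled out
 * so the demonstration behaves the same on platforms with unsigned char. */
typedef signed char plain_char;

/* Model of the quoted loop, repeated for every P-array word: pack 4 key bytes
 * big-endian into `tmp`, wrapping to the start of the key after its NUL.
 * With the signed char, a byte >= 0x80 promotes to a negative int, so the OR
 * also sets every bit above it: the bytes already shifted in become 0xFF. */
static void expand_key(const char *key, uint32_t out[P_WORDS], int fixed)
{
    const plain_char *ptr = (const plain_char *)key;
    int i, j;
    for (i = 0; i < P_WORDS; i++) {
        uint32_t tmp = 0;
        for (j = 0; j < 4; j++) {
            tmp <<= 8;
            if (fixed)
                tmp |= (unsigned char)*ptr;  /* upstream fix: exactly 8 bits */
            else
                tmp |= *ptr;                 /* CVE-2011-2483 sign extension */
            if (!*ptr) ptr = (const plain_char *)key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* First key word as the buggy (fixed == 0) or corrected (fixed == 1) code sees it. */
static uint32_t first_key_word(const char *key, int fixed)
{
    uint32_t w[P_WORDS];
    expand_key(key, w, fixed);
    return w[0];
}

/* How many of the 18 key words the defect changes; 0 means the password is
 * hashed identically by both versions (true for any pure-ASCII password). */
static int words_corrupted(const char *key)
{
    uint32_t buggy[P_WORDS], good[P_WORDS];
    int i, n = 0;
    expand_key(key, buggy, 0);
    expand_key(key, good, 1);
    for (i = 0; i < P_WORDS; i++)
        n += buggy[i] != good[i];
    return n;
}
```

For the constructed password "ab" followed by UTF-8 "é" (bytes 0xC3 0xA9), the first word is 0x6162C3A9 after the fix but 0xFFFFFFA9 with the defect: the 'a', 'b' and 0xC3 bytes are overwritten by the sign extension of 0xA9, and 14 of the 18 key words differ, which is why such hashes were weaker than intended.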
--- Begin Message ---
Source: libxcrypt
Source-Version: 1:2.4-1.1

We believe that the bug you reported is fixed in the latest version of
libxcrypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kai Lüke <kailu...@riseup.net> (supplier of updated libxcrypt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Mon, 17 Sep 2012 03:52:06 +0200
Source: libxcrypt
Binary: libxcrypt-dev libxcrypt1
Architecture: source amd64
Version: 1:2.4-1.1
Distribution: unstable
Urgency: low
Maintainer: Ivan Kohler <ivan-deb...@420.am>
Changed-By: Kai Lüke <kailu...@riseup.net>
Description: 
 libxcrypt-dev - Development files for Crypt library
 libxcrypt1 - Crypt library for DES, MD5, and blowfish
Closes: 679628
Changes: 
 libxcrypt (1:2.4-1.1) unstable; urgency=low
 .
   * Non-Maintainer Upload to fix RC security bug
   * Added patch (casting to unsigned) in order to prevent weak password
     hashes. See http://security-tracker.debian.org/tracker/CVE-2011-2483
     (closes: #679628)
   * debian/rules: #commented out two cp commands to preserve the config.guess
     and config.sub versions already in 1:2.4-1.


--- End Message ---
