Your message dated Fri, 20 Apr 2007 21:47:03 +0300
with message-id <[EMAIL PROTECTED]>
and subject line libcrypt-cbc-perl still broken (behaviour changed)
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libcrypt-cbc-perl
Version: 2.12-1sarge1
Severity: grave
Justification: renders package unusable
I've detected 4 problems with the security update of libcrypt-cbc-perl;
1. I'm using Crypt::CBC between several systems; the one system encrypts
data and the other decrypts data. In this security update, you've
changed the header from 'RandomIV' to 'Salted__'. Unfortunately, when
using Crypt::CBC on both sides (one old version of the package, and the
other this new libcrypt-cbc-perl version), the older one cannot decrypt
the messages from the new debian package anymore. I don't think you
would like to have this in a stable release. (at least.. not as default
without a compatibility fallback)
2. The prepend_iv option (default ON) sets the 'my $prepend_header'
variable, but the encrypt function expects this to be
$self->{prepend_header}. Result: $self->{prepend_header} is always
undef, and no header is prepended.
3. On decrypting, the salt and/or iv option is retrieved from the
data-stream. The Salted__ option doesn't work:
$self->{salt} = $salt; # Replace manually-specified salt
undef $self->{key}; # reset the key and iv
undef $self->{iv};
and after that:
my $salt = $self->_get_random_bytes(8);
my ($key,$iv) = $self->_salted_key_and_iv($self->{key},$salt);
$self->{key} ||= $key; # don't replace manually-specified key
$self->{iv} ||= $iv; # don't replace manually-specified IV
Why is $salt randomized here. Should $salt not just be $self->{salt}?
(not tested, might be wrong)
4. On decrypting, the RandomIV option doesn't work either. Haven't
investigated this one further.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.15.5.0magnatz11
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages libcrypt-cbc-perl depends on:
ii libcrypt-blowfish-perl 2.09-5 Blowfish cryptography for Perl
ii libcrypt-des-perl 2.03-3 Perl DES encryption module
ii perl 5.8.4-8sarge3 Larry Wall's Practical Extraction
-- no debconf information
--- End Message ---
--- Begin Message ---
Package: libcrypt-cbc-perl
Version: 2.12-1sarge2
On Wed, Jun 14, 2006 at 02:52:04PM +0200, Allard Hoeve wrote:
> Any news on the upload? Tags have been "pending, sarge" since late March,
> but still no 2.12-1sarge2...
2.12-1sarge2 was accepted in February 2007 presumably fixing this bug,
so closing.
Cheers,
--
Niko Tyni [EMAIL PROTECTED]
--- End Message ---
