
Bug#684268: marked as done (libaprutil1: apr_password_validate mangles sha512_crypt hashes)



Your message dated Wed, 15 Aug 2012 18:47:42 +0000
with message-id <E1T1id4-0004PB-1b@franck.debian.org>
and subject line Bug#684268: fixed in apr-util 1.4.1-3
has caused the Debian Bug report #684268,
regarding libaprutil1: apr_password_validate mangles sha512_crypt hashes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684268: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684268
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libaprutil1
Version: 1.3.9+dfsg-5
Severity: important
Tags: patch

When using sha512_crypt passwords (i.e. with a salt string starting with
$6$), apache can't seem to validate correctly.  This is likely due to
the following bug in apr_password_validate:
- the "sample" buffer is 120 bytes
- strlen(salt) is 119, e.g.
  '$6$rounds=40000$YmXFoXtqoZApKtDc$1WLYWpQyHlKTDTrMR5r5hxmPwpcxrZ8cZIMokKZ.F5EEuRijS03DU2yI77sXAWpEtsl/yHzLkAHSeffMGVaZ00'
  for 'foo'
- apr_password_validate calls apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
- apr_cpystrn NUL-terminates sample.  Which means sample[sizeof(sample) - 2] == '\0',
  i.e. the last character of the hash is overwritten

I believe this should be fixed by making all apr_cpystrn in
apr_password_validate calls take sizeof(sample) instead of
sizeof(sample) - 1 as third argument.  By the looks of it this also
affects the sid version.

Cheers,
Julien

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libaprutil1 depends on:
ii  libapr1                 1.4.2-6+squeeze4 The Apache Portable Runtime Librar
ii  libc6                   2.11.3-3         Embedded GNU C Library: Shared lib
ii  libdb4.8                4.8.30-2         Berkeley v4.8 Database Libraries [
ii  libexpat1               2.0.1-7+squeeze1 XML parsing C library - runtime li
ii  libuuid1                2.17.2-9         Universally Unique ID library

libaprutil1 recommends no packages.

libaprutil1 suggests no packages.

-- no debconf information

-- 
Julien Cristau          <julien.cristau@logilab.fr>
Logilab		        http://www.logilab.fr/
Informatique scientifique & gestion de connaissances

--- End Message ---
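The truncation described in the report above, reproduced as an added example (this is not APR's code and not part of the bug report). `cpystrn_like()` is a hypothetical stand-in that follows the documented `apr_cpystrn()` contract (copy at most `dst_size - 1` bytes, always NUL-terminate, return a pointer to the NUL); `SAMPLE_SIZE` is assumed to be the 120-byte buffer the report mentions, and the crypt string is the 119-character one quoted in the report. The helpers show that passing `sizeof(sample) - 1` keeps only 118 characters and places the NUL at `sizeof(sample) - 2`, so the copied sample no longer compares equal to the hash, while passing `sizeof(sample)` keeps all 119.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for apr_cpystrn(): copies at most dst_size - 1
 * bytes, always NUL-terminates, and returns a pointer to the terminating
 * NUL. It mirrors APR's documented contract but is not APR's own code. */
static char *cpystrn_like(char *dst, const char *src, size_t dst_size)
{
    char *d = dst;
    const char *end;
    if (dst_size == 0)
        return dst;
    end = dst + dst_size - 1;
    while (d < end && *src != '\0')
        *d++ = *src++;
    *d = '\0';
    return d;
}

/* The sha512-crypt string quoted in the bug report: 119 characters. */
static const char kCryptPw[] =
    "$6$rounds=40000$YmXFoXtqoZApKtDc$"
    "1WLYWpQyHlKTDTrMR5r5hxmPwpcxrZ8cZIMokKZ.F5EEuRijS03DU2yI77sXAWpEtsl/"
    "yHzLkAHSeffMGVaZ00";

/* Assumed size of the "sample" buffer in apr_password_validate(). */
#define SAMPLE_SIZE 120

/* Repeat the copy with a caller-chosen size argument and report how many
 * characters of the hash survive in the buffer. */
static size_t surviving_len(size_t size_arg)
{
    char sample[SAMPLE_SIZE];
    memset(sample, 'X', sizeof(sample));   /* make truncation visible */
    cpystrn_like(sample, kCryptPw, size_arg);
    return strlen(sample);
}

/* Index at which the copy wrote its terminating NUL. */
static size_t nul_index(size_t size_arg)
{
    char sample[SAMPLE_SIZE];
    char *nul = cpystrn_like(sample, kCryptPw, size_arg);
    return (size_t)(nul - sample);
}

/* 1 if the copied sample still compares equal to the full hash, else 0.
 * This is the comparison a validate routine would ultimately rely on. */
static int sample_matches(size_t size_arg)
{
    char sample[SAMPLE_SIZE];
    cpystrn_like(sample, kCryptPw, size_arg);
    return strcmp(sample, kCryptPw) == 0;
}

int main(void)
{
    printf("hash length: %zu\n", strlen(kCryptPw));
    printf("sizeof(sample)-1: %zu chars kept, NUL at %zu, matches=%d\n",
           surviving_len(SAMPLE_SIZE - 1), nul_index(SAMPLE_SIZE - 1),
           sample_matches(SAMPLE_SIZE - 1));
    printf("sizeof(sample):   %zu chars kept, NUL at %zu, matches=%d\n",
           surviving_len(SAMPLE_SIZE), nul_index(SAMPLE_SIZE),
           sample_matches(SAMPLE_SIZE));
    return 0;
}
```

The practical check for a maintainer is the last column: with the off-by-one size argument the sample loses its final character and the comparison fails even for the correct password, which is exactly the "can't validate" symptom reported; with the full buffer size the 119-character hash fits and the comparison succeeds.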
--- Begin Message ---
Source: apr-util
Source-Version: 1.4.1-3

We believe that the bug you reported is fixed in the latest version of
apr-util, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684268@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr-util package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 15 Aug 2012 20:10:55 +0200
Source: apr-util
Binary: libaprutil1 libaprutil1-ldap libaprutil1-dbd-mysql libaprutil1-dbd-sqlite3 libaprutil1-dbd-odbc libaprutil1-dbd-pgsql libaprutil1-dbd-freetds libaprutil1-dev libaprutil1-dbg
Architecture: source i386
Version: 1.4.1-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libaprutil1 - Apache Portable Runtime Utility Library
 libaprutil1-dbd-freetds - Apache Portable Runtime Utility Library - FreeTDS Driver
 libaprutil1-dbd-mysql - Apache Portable Runtime Utility Library - MySQL Driver
 libaprutil1-dbd-odbc - Apache Portable Runtime Utility Library - ODBC Driver
 libaprutil1-dbd-pgsql - Apache Portable Runtime Utility Library - PostgreSQL Driver
 libaprutil1-dbd-sqlite3 - Apache Portable Runtime Utility Library - SQLite3 Driver
 libaprutil1-dbg - Apache Portable Runtime Utility Library - Debugging Symbols
 libaprutil1-dev - Apache Portable Runtime Utility Library - Development Headers
 libaprutil1-ldap - Apache Portable Runtime Utility Library - LDAP Driver
Closes: 684268
Changes: 
 apr-util (1.4.1-3) unstable; urgency=low
 .
   * Fix apr_password_validate() to work with sha512-crypt hashes.
     Closes: #684268
Checksums-Sha1: 
 fb33f0bb7171a4ee420e32d34b046645aa5d1252 1994 apr-util_1.4.1-3.dsc
 71e30f8cccaee8d8218f43805d54d89ede6fcd10 17413 apr-util_1.4.1-3.debian.tar.gz
 1b86c879fea0222148c26ba84c83bd9d79db4bfc 91688 libaprutil1_1.4.1-3_i386.deb
 802eca167ca221be28c5c3a5bca1eacae317bbc8 16640 libaprutil1-ldap_1.4.1-3_i386.deb
 5340ff3e5ee022c0682d923711feda352ebeed0a 21270 libaprutil1-dbd-mysql_1.4.1-3_i386.deb
 5250d87cd306e1749aa4499cbbd37c71d6342bc0 18874 libaprutil1-dbd-sqlite3_1.4.1-3_i386.deb
 535e7f9e54cc6ba51461b0800211dfb94de7baf1 25492 libaprutil1-dbd-odbc_1.4.1-3_i386.deb
 369c44a45bd8336f0df2793bbf433be8a589cb60 21230 libaprutil1-dbd-pgsql_1.4.1-3_i386.deb
 7f2ef647fbf34d0484e4ac5d1e1d8f0935b424b6 19404 libaprutil1-dbd-freetds_1.4.1-3_i386.deb
 1f8519f4a6d56d31c97f309dbfbb22be608abf5a 708686 libaprutil1-dev_1.4.1-3_i386.deb
 dea45e7f23199fdc39a81d99c60fe47a97ca4d41 34470 libaprutil1-dbg_1.4.1-3_i386.deb
Checksums-Sha256: 
 ddb9a2bc25559295c79ea369d949e55f5e9dc4ca665c76374b468791c9c9ee06 1994 apr-util_1.4.1-3.dsc
 65f73b001976c1effc377608cb5b810c4e86496481babed35fdc5dd342fac0f4 17413 apr-util_1.4.1-3.debian.tar.gz
 3cfff5e9b8f26b35b47646b3de30ef8aae985f852495028f89fd503197050b8b 91688 libaprutil1_1.4.1-3_i386.deb
 7bdcdf78e57532851434ac8b7bffdcaceca82d0d8a26705952792d42ef22273e 16640 libaprutil1-ldap_1.4.1-3_i386.deb
 4afb03291b2973eafa345e38003c53e2676a4a64243a9070386c2105fc004017 21270 libaprutil1-dbd-mysql_1.4.1-3_i386.deb
 2fc875a392b106e29a22e2c7b5d7ea004ec95d0b67cd34d22b7c6d5726cf6b20 18874 libaprutil1-dbd-sqlite3_1.4.1-3_i386.deb
 3997f98843a75d0dc21e322bd7c338c59152df5a34a3f31c93a8bf4908f70f9a 25492 libaprutil1-dbd-odbc_1.4.1-3_i386.deb
 f35910bc924231c0018e3b0667b3e900595c61660df07cd830aa3466613ec86f 21230 libaprutil1-dbd-pgsql_1.4.1-3_i386.deb
 19d34adb7a0a7e1bb984091701c1512d2691eeb4a06a704e8af6d8459e406ba7 19404 libaprutil1-dbd-freetds_1.4.1-3_i386.deb
 1e0c8a48a8be72b6aa6266f25cb92c868025a067c42520b2573272355d5b2cf6 708686 libaprutil1-dev_1.4.1-3_i386.deb
 8f993007f3ece873311f6659821693387cbf5996035c394a70372ffecb85676c 34470 libaprutil1-dbg_1.4.1-3_i386.deb
Files: 
 845d2bf18283b58af2c404c447b7d7bf 1994 libs optional apr-util_1.4.1-3.dsc
 b635c2003e30dbc8b4270370a71c8829 17413 libs optional apr-util_1.4.1-3.debian.tar.gz
 5da455acc908339ce46ef7091fcc1d3d 91688 libs optional libaprutil1_1.4.1-3_i386.deb
 a37e1a971a4719e76df589c560a83063 16640 libs optional libaprutil1-ldap_1.4.1-3_i386.deb
 8ffb506393ecc863418ac9add983d47b 21270 libs optional libaprutil1-dbd-mysql_1.4.1-3_i386.deb
 1fe79171978b778bbeffc9efc6e19bae 18874 libs optional libaprutil1-dbd-sqlite3_1.4.1-3_i386.deb
 a8d78db5c675ea5673ca90070f67bbdf 25492 libs optional libaprutil1-dbd-odbc_1.4.1-3_i386.deb
 caccc80e4bb5601d3c00e82bad9bb4e8 21230 libs optional libaprutil1-dbd-pgsql_1.4.1-3_i386.deb
 72ca9b0e34f55979aaa2728ec2013aed 19404 libs optional libaprutil1-dbd-freetds_1.4.1-3_i386.deb
 b08cbf37f6fd768fd22be92c83c59805 708686 libdevel optional libaprutil1-dev_1.4.1-3_i386.deb
 07acc097095f22799f4adbcbbe8cf4d6 34470 debug extra libaprutil1-dbg_1.4.1-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQK+wpbxelr8HyTqQRAk/nAKDPOd5+XI062Feg4q3tzTreFREDPQCgxEDG
OLynKyoqH/C74RwQR+0pBY8=
=kEE+
-----END PGP SIGNATURE-----

--- End Message ---