
Re: Bug#714219: [Debian #714219] libc6: crypt(3) returns NULL with EINVAL instead of falling back to DES, breaking GNU software



On Tue, Jul 2, 2013 at 12:52 PM, Alexandre Oliva <aoliva@redhat.com> wrote:
> At this point, I'd rather we took the opportunity to fix code that makes
> unsafe assumptions about the behavior of crypt than push the problem on
> for users to figure out when a glibc upgrade causes passwords to fail to
> be recognized because the salt suggests the use of a different,
> newly-recognized encryption algorithm.

Fully agreed.

> This is my current rationale for the current implementation, after two
> rounds of discussion on its merits.  I must admit I'm not comfortable
> with the change that was made to out-of-alphabet DES salt, but ATM I'm
> even less comfortable with the alternatives. I didn't always favor the
> current situation, and that might change again depending on arguments I
> get.  But then, I don't have the final word on any of this ;-)
>
> So, if the rationale above doesn't make you as (un)happy as I am about
> the current state of crypt in glibc, please bring forth your
> counterarguments and let's see if we can all come to a sensible
> agreement.

Exactly.

Cheers,
Carlos.

