Serious bug in security update for Crypt::CBC
Dear Martin,
From: Martin Schulze <joey@infodrom.org>
Reply-To: debian-security@lists.debian.org
To: Debian Security Announcements <debian-security-announce@lists.debian.org>
Subject: [SECURITY] [DSA 996-1] New Crypt::CBC packages fix cryptographic
weakness
For the stable distribution (sarge) this problem has been fixed in
version 2.12-1sarge1.
I'm afraid this new package introduces some serious errors in software
that depends on this package. I have tested the new package on three
different Sarge machines with the following results. Please reproduce
using attached perl script.
It is the simplest of perl scripts and it functions correctly with
libcrypt-cbc-perl version 2.12-1:
allard@wijdbeens:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
ii libcrypt-cbc-p 2.12-1 Implementation of cipher block
allard@wijdbeens:~$ perl crypt-decrypt.pl
allard
allard@wijdbeens:~$
After the upgrade to libcrypt-cbc-perl version 2.12-1sarge1:
allard@wijdbeens:~$ sudo apt-get install libcrypt-cbc-perl=2.12-1sarge1
[..]
allard@wijdbeens:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
ii libcrypt-cbc-p 2.12-1sarge1 Implementation of cipher block
allard@wijdbeens:~$ perl crypt-decrypt.pl
allard@wijdbeens:~$
Please remove the update from the security archive.
Regards,
Allard Hoeve
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::CBC;
my $cbc = new Crypt::CBC({ key => "abcdefghi", cipher => "Blowfish" });
my $encrypted = $cbc->encrypt("allard");
undef $cbc;
$cbc = new Crypt::CBC({ key => "abcdefghi", cipher => "Blowfish" });
my $decrypted = $cbc->decrypt($encrypted);
print "$decrypted\n";
Reply to: