
Re: Serious bug in security update for Crypt::CBC



On 3/14/06, Allard Hoeve <allard@byte.nl> wrote:
>
> Dear Martin,
>
> > From: Martin Schulze <joey@infodrom.org>
> > Reply-To: debian-security@lists.debian.org
> > To: Debian Security Announcements <debian-security-announce@lists.debian.org>
> > Subject: [SECURITY] [DSA 996-1] New Crypt::CBC packages fix cryptographic
> >     weakness
> >
> > For the stable distribution (sarge) this problem has been fixed in
> > version 2.12-1sarge1.
>
> I'm afraid this new package introduces some serious errors in software
> that depends on this package. I have tested the new package on three
> different Sarge machines with the following results. Please reproduce
> using attached perl script.
>
> It is the simplest of perl scripts and it functions correctly with
> libcrypt-cbc-perl version 2.12-1:
>
> > allard@wijdbeens:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
> > ii  libcrypt-cbc-p 2.12-1         Implementation of cipher block
> > allard@wijdbeens:~$ perl crypt-decrypt.pl
> > allard
> > allard@wijdbeens:~$
>
> After the upgrade to libcrypt-cbc-perl version 2.12-1sarge1:
>
> > allard@wijdbeens:~$ sudo apt-get install libcrypt-cbc-perl=2.12-1sarge1
> > [..]
> > allard@wijdbeens:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
> > ii  libcrypt-cbc-p 2.12-1sarge1   Implementation of cipher block
> > allard@wijdbeens:~$ perl crypt-decrypt.pl
> >
> > allard@wijdbeens:~$
>
> Please remove the update from the security archive.

Hi Joey,

Allard is right. I used his test script and I've found some problems
with the patch. I will come up with a new package soon. I'll think of
a new and smaller approach than the first; suggestions are welcome.


--

-- stratus


