Bug#543539: marked as done (cups: the web interface doesn't accept passwords longer than 32 chars.)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 11 Aug 2013 10:57:55 +0100
with message-id <11082013105609.21299d98c315@desktop.copernicus.demon.co.uk>
and subject line Re: Bug#344898: Web UI: can't login if password is longer than 32 characters
has caused the Debian Bug report #344898,
regarding cups: the web interface doesn't accept passwords longer than 32 chars.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
344898: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344898
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: cups: the web interface doesn't accept passwords longer than 32 chars.
• From: Louis Opter <opter_l@epitech.net>
• Date: Tue, 25 Aug 2009 19:39:38 +0200
• Message-id: <20090825173938.2176.18037.reportbug@coconutcrab.2.168.192.in-addr.arpa>
• Reply-to: opter_l@epitech.net

Package: cups
Version: 1.3.8-1+lenny6
Severity: important
Tags: patch

Dear maintainer,

In my quest to get my printer usable (see also #542640). I have found
that the cups web interface doesn't accept passwords longer than 32
chars and fails with a blank page.

32 correspond to the length of a md5 hash. A define MAX_USERPASSWORD was
defined but not used.

I have written a patch; it sets MAX_USERPASSWORD to 128 and uses it. I
have also added the define MD5_HASHLEN with the value 33.

The patch seems to work. Any suggestion will be appreciated.

Best Regards.

-- Louis Opter

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cups depends on:
ii  adduser         3.110                    add and remove users and groups
ii  cups-common     1.3.8-1+lenny6           Common UNIX Printing System(tm) - 
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  ghostscript     8.62.dfsg.1-3.2lenny1    The GPL Ghostscript PostScript/PDF
ii  libavahi-compat 0.6.23-3lenny1           Avahi Apple Bonjour compatibility 
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcups2        1.3.8-1+lenny6           Common UNIX Printing System(tm) - 
ii  libcupsimage2   1.3.8-1+lenny6           Common UNIX Printing System(tm) - 
ii  libdbus-1-3     1.2.1-5+lenny1           simple interprocess messaging syst
ii  libgnutls26     2.4.2-6+lenny1           the GNU TLS library - runtime libr
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libpaper1       1.1.23+nmu1              library for handling paper charact
ii  libslp1         1.2.1-7.5                OpenSLP libraries
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  perl-modules    5.10.0-19                Core Perl modules
ii  poppler-utils [ 0.8.7-2                  PDF utilitites (based on libpopple
ii  procps          1:3.2.7-11               /proc file system utilities
ii  ssl-cert        1.0.23                   simple debconf wrapper for OpenSSL

Versions of packages cups recommends:
pn  avahi-utils           <none>             (no description available)
ii  cups-client           1.3.8-1+lenny6     Common UNIX Printing System(tm) - 
ii  foomatic-filters      3.0.2-20080211-3.2 OpenPrinting printer support - fil
pn  smbclient             <none>             (no description available)

Versions of packages cups suggests:
ii  cups-bsd                1.3.8-1+lenny6   Common UNIX Printing System(tm) - 
pn  cups-driver-gutenprint  <none>           (no description available)
ii  cups-pdf                2.4.8-3          PDF printer for CUPS
ii  foomatic-db             20080211-2+nmu1  OpenPrinting printer support - dat
ii  foomatic-db-engine      3.0.2-20080211-1 OpenPrinting printer support - pro
ii  hplip                   2.8.6.b-4        HP Linux Printing and Imaging Syst
pn  xpdf-korean | xpdf-japa <none>           (no description available)

-- debconf information:
* cupsys/raw-print: true
* cupsys/backend: usb

diff -u cups-1.3.8-orig/scheduler/auth.c cups-1.3.8/scheduler/auth.c
--- cups-1.3.8-orig/scheduler/auth.c	2008-04-21 19:13:22.000000000 -0400
+++ cups-1.3.8/scheduler/auth.c	2009-08-25 11:59:12.000000000 -0400
@@ -115,7 +115,7 @@
 			              const char *con_server_name);
 #endif /* HAVE_GSSAPI */
 static char		*get_md5_password(const char *username,
-			                  const char *group, char passwd[33]);
+			                  const char *group, char passwd[MD5_HASHLEN]);
 #if HAVE_LIBPAM
 static int		pam_func(int, const struct pam_message **,
 			         struct pam_response **, void *);
@@ -131,8 +131,8 @@
 #if HAVE_LIBPAM
 typedef struct cupsd_authdata_s		/**** Authentication data ****/
 {
-  char	username[33],			/* Username string */
-	password[33];			/* Password string */
+  char	username[MAX_USERPASS],			/* Username string */
+	password[MAX_USERPASS];			/* Password string */
 } cupsd_authdata_t;
 #endif /* HAVE_LIBPAM */
 
@@ -339,12 +339,12 @@
   int		type;			/* Authentication type */
   const char	*authorization;		/* Pointer into Authorization string */
   char		*ptr,			/* Pointer into string */
-		username[256],		/* Username string */
-		password[33];		/* Password string */
+		username[MAX_USERPASS],		/* Username string */
+		password[MAX_USERPASS];		/* Password string */
   cupsd_cert_t	*localuser;		/* Certificate username */
   char		nonce[HTTP_MAX_VALUE],	/* Nonce value from client */
-		md5[33],		/* MD5 password */
-		basicmd5[33];		/* MD5 of Basic password */
+		md5[MD5_HASHLEN],		/* MD5 password */
+		basicmd5[MD5_HASHLEN];		/* MD5 of Basic password */
   static const char * const states[] =	/* HTTP client states... */
 		{
 		  "WAITING",
@@ -1282,7 +1282,7 @@
 {
   int			i;		/* Looping var */
   struct group		*group;		/* System group info */
-  char			junk[33];	/* MD5 password (not used) */
+  char			junk[MD5_HASHLEN];	/* MD5 password (not used) */
 #ifdef HAVE_MBR_UID_TO_UUID
   uuid_t		useruuid,	/* UUID for username */
 			groupuuid;	/* UUID for groupname */
@@ -2516,13 +2516,13 @@
 static char *				/* O - MD5 password string */
 get_md5_password(const char *username,	/* I - Username */
                  const char *group,	/* I - Group */
-                 char       passwd[33])	/* O - MD5 password string */
+                 char       passwd[MD5_HASHLEN])	/* O - MD5 password string */
 {
   cups_file_t	*fp;			/* passwd.md5 file */
   char		filename[1024],		/* passwd.md5 filename */
 		line[256],		/* Line from file */
-		tempuser[33],		/* User from file */
-		tempgroup[33];		/* Group from file */
+		tempuser[MAX_USERPASS],		/* User from file */
+		tempgroup[MAX_USERPASS];		/* Group from file */
 
 
   cupsdLogMessage(CUPSD_LOG_DEBUG2,
diff -u cups-1.3.8-orig/scheduler/cupsd.h cups-1.3.8/scheduler/cupsd.h
--- cups-1.3.8-orig/scheduler/cupsd.h	2008-02-15 18:26:51.000000000 -0500
+++ cups-1.3.8/scheduler/cupsd.h	2009-08-25 11:23:38.000000000 -0400
@@ -74,13 +74,14 @@
 #  define TRUE		(!FALSE)
 #endif /* !FALSE */
 
+#define MD5_HASHLEN	33
 
 /*
  * Implementation limits...
  */
 
 #define MAX_ENV			100	/* Maximum number of environment strings */
-#define MAX_USERPASS		33	/* Maximum size of username/password */
+#define MAX_USERPASS		128	/* Maximum size of username/password */
 #define MAX_FILTERS		20	/* Maximum number of filters */
 #define MAX_SYSTEM_GROUPS	32	/* Maximum number of system groups */
 

--- End Message ---

--- Begin Message ---

• To: 344898-done@bugs.debian.org
• Subject: Re: Bug#344898: Web UI: can't login if password is longer than 32 characters
• From: Brian Potkin <claremont102@gmail.com>
• Date: Sun, 11 Aug 2013 10:57:55 +0100
• Message-id: <11082013105609.21299d98c315@desktop.copernicus.demon.co.uk>
• In-reply-to: <20051227120941.8A4BE61063B@tigreraye.nulle.part>
• References: <20051227120941.8A4BE61063B@tigreraye.nulle.part>

On Tue 27 Dec 2005 at 13:09:41 +0100, Jean-Philippe Guérard wrote:

> If I choose a password with more than 32 characters, I can't get 
> recognised anymore by the Web UI.
> 
> Chosing a password of 32 characters or less works fine.

http://www.cups.org/documentation.php/doc-1.6/whatsnew.html?VERSION=1.6&Q=
                                                                                                                         
   What's New in CUPS 1.6                                                                                                
                                                                                                                         
   5. Passwords; Passwords up to 127 characters are now supported.                                                       
                                                                                                                         
Hence closing this report.                                                                                               
                                                                                                                         
Regards,                                                                                                                 
                                                                                                                         
Brian.

--- End Message ---