
Bug#1032234: marked as done (argon2(-tool) doesn't use threads)



Your message dated Wed, 26 Apr 2023 06:48:46 +0000
with message-id <E1prYxK-002r5a-DU@fasolo.debian.org>
and subject line Bug#1032234: fixed in argon2 0~20171227-0.3+deb12u1
has caused the Debian Bug report #1032234,
regarding argon2(-tool) doesn't use threads
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1032234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032234
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: argon2
Version: 0~20171227-0.3
Severity: important
Tags: security

Hey.

I stumbled over the issue, that with the same set of parameters
argon2(-tool) takes *considerably* longer to calculate than e.g.
cryptsetup (which uses libargon2) does.

At first I thought that cryptsetup might do something wrong or
silently reduce the parameters, but thanks to cryptsetup's
upstream developer Milan Broz it was found out that Debian’s
argon2(-tool) doesn't use threads... and is as such much slower than
it needs to be.


Apparently the tool would need to be linked against libpthread for
that to work.

It also isn't linked to the shared libargon2, which it likely
should be?


IMO that's also a subtle security problem:

If users actually want to use argon2(-tool) and do not notice that
it runs artificially slower than needed, they may choose parameters
which are "less secure" (because it seems to cost enough time on
their system),... while an attacker would of course use threads and
thus be at an advantage.


Could you please build argon2(-tool) with support for threads?

If a statically linked version should be needed,... it could
perhaps be provided in an argon2-static?


Thanks,
Chris.

--- End Message ---
--- Begin Message ---
Source: argon2
Source-Version: 0~20171227-0.3+deb12u1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
argon2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032234@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated argon2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Apr 2023 21:29:33 +0200
Source: argon2
Architecture: source
Version: 0~20171227-0.3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Luca Bruno <lucab@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1032234 1034696
Changes:
 argon2 (0~20171227-0.3+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Bastian Germann ]
   * Add Breaks on cryptsetup-initramfs (see #1032235)
 .
   [ Guilhem Moulin ]
   * d/gbp.conf: Set 'debian-branch = debian/bookworm'.
   * d/rules: Restore threading support to libargon2-1-udeb (closes: #1034696).
     This is beneficial for cryptsetup-udeb, see #1028250.  Removing threading
     support in libargon2-1-udeb was done for historical reasons no longer
     relevant since Debian Bookworm.  This also restores threading support to
     argon2 which was inadvertently dropped in 0~20171227-0.1 (closes:
     #1032234).


--- End Message ---
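
A behavioural check for the problem discussed in this bug, written as an added example (it is not part of the original messages or of the Debian package). With the same -t and -m, Argon2 does the same total work at any -p, so a threaded build finishes -p 4 in a fraction of the -p 1 wall time while an unthreaded build takes about as long for both. Assumptions: GNU date and nproc are available, the password and salt are constructed sample values, and the 70% threshold and cost parameters are illustrative choices.

```shell
#!/bin/sh
# Added example: does the installed argon2 CLI compute lanes in parallel?

SALT="constructedsalt"   # constructed sample salt (at least 8 bytes)
T_COST=3                 # passes over memory
M_LOG2=18                # memory = 2^18 KiB = 256 MiB
LANES=4                  # parallelism used for the second run

# Wall-clock milliseconds for one Argon2id hash at parallelism $1.
time_hash_ms() {
    start=$(date +%s%N)
    printf '%s' "constructed-password" |
        argon2 "$SALT" -id -t "$T_COST" -m "$M_LOG2" -p "$1" -r >/dev/null
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# classify <ms at p=1> <ms at p=LANES> <usable cores>
# "threaded" if the multi-lane run needs at most 70% of the single-lane
# wall time (threshold is an assumption of this example).
classify() {
    if [ "$3" -lt 2 ] || [ "$1" -le 0 ]; then
        echo inconclusive      # one core or no usable timing: cannot tell
    elif [ $(( $2 * 100 / $1 )) -le 70 ]; then
        echo threaded
    else
        echo unthreaded
    fi
}

if command -v argon2 >/dev/null 2>&1; then
    cores=$(nproc 2>/dev/null || echo 1)
    p1=$(time_hash_ms 1)
    pn=$(time_hash_ms "$LANES")
    echo "p=1: ${p1} ms, p=${LANES}: ${pn} ms, cores: ${cores}"
    echo "verdict: $(classify "$p1" "$pn" "$cores")"
else
    echo "argon2 CLI not installed; nothing measured"
fi
```

An "unthreaded" verdict on a multi-core machine means timings taken with this binary overstate what the same parameters cost an implementation that does use threads, which is the parameter-selection risk the report describes.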
