Bug 7793 - [Patch] Missing sha-256/sha-512 support in crypt()
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: Thomas Backlund
: PATCH
Reported: 2012-10-15 00:53 CEST by a b
Modified: 2012-12-06 09:21 CET (History)

See Also:
Source RPM: glibc-2.14.1-8.mga2.src.rpm
CVE:


Attachments
Updated patch for glibc 2.14 to add sha-256/512 support (5.16 KB, patch)
2012-10-15 00:53 CEST, a b
Updated spec for the updated patch (868 bytes, patch)
2012-10-15 00:55 CEST, a b
Updated spec for the updated patch (1.15 KB, patch)
2012-10-15 19:55 CEST, a b

Description a b 2012-10-15 00:53:56 CEST
Created attachment 2941 [details]
Updated patch for glibc 2.14 to add sha-256/512 support

Description of problem:
Up to and including glibc-2.12.1-11.3.mga1 crypt(3) supported sha-256 and sha-512 password hashes. The patch to support this was dropped from glibc-2.14.1-8.mga2, however. This caused several (ruby and python) applications to fail as they could not validate the passwords anymore. 

Version-Release number of selected component (if applicable):
glibc 2.14.1

How reproducible:
See below.

Steps to Reproduce:
1. ruby -e 'puts "my-secret".crypt("$5$rounds=10000$sHpTPaXHPpFF8agG")'
2. ruby -e 'puts "my-secret".crypt("$6$rounds=10000$sHpTPaXHPpFF8agG")'
3. python -c 'from crypt import crypt; print(crypt("my-secret", "$5$rounds=10000$sHpTPaXHPpFF8agG"))'
4. python -c 'from crypt import crypt; print(crypt("my-secret", "$6$rounds=10000$sHpTPaXHPpFF8agG"))'

In each case it should print out
$5$rounds=10000$sHpTPaXHPpFF8agG$IrVp.2mghjnCxFjXofJOCHDjzVywrvp8VXC.41wngvD
or
$6$rounds=10000$sHpTPaXHPpFF8agG$7LCyF.mfj96JeySXYze1Ut8z.TZYOzg5HrCzJC7jYe69L.nM89eg2bp.WYkW8aed2xwuL/zeaOhqev2MA1GhI0
If instead it prints out '*0' then the algorithm is not supported.
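The reproduction steps above, folded into one known-answer check (an added example, not part of the original report or of the attached patch). It uses the password, settings and expected hashes quoted in the report; the names `VECTORS`, `classify`, `call_crypt` and `probe` are hypothetical. Besides the '*0' token it also reports a result that does not echo the `$5$`/`$6$` setting, so a silent fallback to another scheme is not mistaken for support.

```ruby
# Added example: known-answer test for SHA-crypt support in the system crypt(3).
# Settings and expected hashes are copied from this bug report.
PASSWORD = 'my-secret'
VECTORS = {
  'sha256crypt' => ['$5$rounds=10000$sHpTPaXHPpFF8agG',
                    '$5$rounds=10000$sHpTPaXHPpFF8agG$IrVp.2mghjnCxFjXofJOCHDjzVywrvp8VXC.41wngvD'],
  'sha512crypt' => ['$6$rounds=10000$sHpTPaXHPpFF8agG',
                    '$6$rounds=10000$sHpTPaXHPpFF8agG$7LCyF.mfj96JeySXYze1Ut8z.TZYOzg5HrCzJC7jYe69L.' \
                    'nM89eg2bp.WYkW8aed2xwuL/zeaOhqev2MA1GhI0']
}.freeze

# Interpret one crypt() result.
#   :unsupported - no result, a failure token such as "*0", or output that
#                  does not start with the requested setting (wrong scheme)
#   :mismatch    - right scheme, wrong digest (broken implementation)
#   :ok          - matches the known answer
def classify(output, setting, expected)
  return :unsupported if output.nil? || output.start_with?('*')
  return :unsupported unless output.start_with?("#{setting}$")

  output == expected ? :ok : :mismatch
end

# String#crypt raises when the C library returns NULL; treat that as "no result".
def call_crypt(password, setting)
  password.crypt(setting)
rescue SystemCallError, NotImplementedError
  nil
end

# Run every vector against the local C library and return { name => status }.
def probe
  VECTORS.map do |name, (setting, expected)|
    [name, classify(call_crypt(PASSWORD, setting), setting, expected)]
  end.to_h
end

probe.each { |name, status| puts format('%-12s %s', name, status) }
```
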
Comment 1 a b 2012-10-15 00:55:14 CEST
Created attachment 2942 [details]
Updated spec for the updated patch
Comment 2 a b 2012-10-15 19:55:14 CEST
Created attachment 2947 [details]
Updated spec for the updated patch

Oops, just realized I had accidentally removed a hunk when I cleaned up the spec for submission.
Comment 3 Thomas Backlund 2012-10-15 20:33:57 CEST
Ah, sorry ... 

seems I disabled the patch by mistake during 2.14 rebase here:
http://svnweb.mageia.org/packages/cauldron/glibc/current/SPECS/glibc.spec?r1=156157&r2=156310

I will re-add it and push it as an update for Mageia 2 along with a few other fixes I have queued probably by the end of the week...

I will fix in Cauldron too, so it will work for mga3

Thanks for noticing it, and sorry for the problem
Comment 4 Thomas Backlund 2012-10-15 21:30:29 CEST
Fixed in Cauldron with glibc-2.16-13.mga3

Fixed in SVN for Mageia 2 and queued for next update:
http://svnweb.mageia.org/packages?view=revision&revision=306739
Comment 5 a b 2012-10-16 09:35:45 CEST
Wow, that was fast! Thanks.
Comment 6 Thierry Vignaud 2012-12-06 09:21:50 CET
Closing then
