Debian Bug report logs - #142070
base: chpasswd uses DES rather than MD5 for encryption, even though i specified MD5 at install

Package: passwd; Maintainer for passwd is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for passwd is src:shadow.

Reported by: "Tim Warnock" <timoid@getonit.net.au>

Date: Wed, 10 Apr 2002 02:18:02 UTC

Severity: normal

Tags: security, woody

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <debootstrap@packages.debian.org>, base@packages.qa.debian.org:
Bug#142070; Package base. Full text and rfc822 format available.

Acknowledgement sent to "Tim Warnock" <timoid@getonit.net.au>:
New Bug report received and forwarded. Copy sent to Anthony Towns <debootstrap@packages.debian.org>, base@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Tim Warnock" <timoid@getonit.net.au>
To: <submit@bugs.debian.org>
Subject: base: chpasswd uses DES rather than MD5 for encryption, even though i specified MD5 at install
Date: Wed, 10 Apr 2002 12:05:52 +1000
Package: base
Version: 20020410
Severity: normal

-- System Information
Debian Release: 2.2
Kernel Version: Linux atlas 2.2.20 #1 SMP Sun Mar 31 07:50:58 EST 2002 i686
unknown




Bug reassigned from package `base' to `passwd'. Request was from Anthony Towns <aj@azure.humbug.org.au> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Drew Scott Daniels <umdanie8@cc.UManitoba.CA>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org. Full text and rfc822 format available.

Message #12 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>
To: 142070@bugs.debian.org, <control@bugs.debian.org>
Cc: Matt Zimmerman <mdz@debian.org>, <97548@bugs.debian.org>, <93156@bugs.debian.org>, <186016@bugs.debian.org>, <171808@bugs.debian.org>, <39256@bugs.debian.org>
Subject: related md5 security issue
Date: Mon, 14 Apr 2003 11:47:05 -0500 (CDT)
tags 142070 +security
thanks
Should 142070 be merged with 97548?

93156 could be a work around for these, but *not* a fix. It might be able
to keep the severity below RC, but without this being fixed it may break
systems that don't support MD5 which is a different RC bug.

Is 186016 related closely enough to merge to the 97548 bunch?
171808, 39256 seem related too.
89523, 122427 might be related.

mdz: I think this should be +security. I understand now that 93156 should
be -security.

     Drew Daniels




Tags added: security Request was from Drew Scott Daniels <umdanie8@cc.UManitoba.CA> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Tim Warnock" <timoid@getonit.net.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 142070-done@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 142070-done@bugs.debian.org
Subject: Bug is a duplicate of closed 283961
Date: Tue, 5 Apr 2005 22:22:39 +0200
This bug report is a duplicate of the recently reported, and fixed,
#283961. Hence closing it.


-- 





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to "Tim Warnock" <timoid@getonit.net.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #24 received at 142070@bugs.debian.org (full text, mbox, reply):

From: "Tim Warnock" <timoid@getonit.net.au>
To: <142070@bugs.debian.org>
Subject: RE: Bug#142070 acknowledged by developer (Bug is a duplicate of closed 283961)
Date: Wed, 6 Apr 2005 07:04:06 +1000
That fix went into sarge by the looks of it, what about us woody users?

Thanks
Tim Warnock

ISP Technical Manager
GetOnIt! Nationwide Internet.
1300 88 00 97
timoid (at) getonit.net.au 

> -----Original Message-----
> From: Debian BTS [mailto:debbugs@bugs.debian.org] On Behalf 
> Of Debian Bug Tracking System
> Sent: Wednesday, 6 April 2005 6:33 AM
> To: Tim Warnock
> Subject: Bug#142070 acknowledged by developer (Bug is a 
> duplicate of closed 283961)
> 
> This is an automatic notification regarding your Bug report
> #142070: base: chpasswd uses DES rather than MD5 for 
> encryption, even though i specified MD5 at install,
> which was filed against the passwd package.
> 
> It has been closed by one of the developers, namely
> Christian Perrier <bubulle@debian.org>.
> 
> Their explanation is attached below.  If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact the developer, by replying to this email.
> 
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
> 
> Date: Tue, 5 Apr 2005 22:22:39 +0200
> From: Christian Perrier <bubulle@debian.org>
> To: 142070-done@bugs.debian.org
> Subject: Bug is a duplicate of closed 283961
> 
> This bug report is a duplicate of the recently reported, and fixed,
> #283961. Hence closing it.
> 
> 
> -- 
> 
> 
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #29 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: Tim Warnock <timoid@getonit.net.au>, 142070@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#142070: acknowledged by developer (Bug is a duplicate of closed 283961)
Date: Wed, 6 Apr 2005 06:35:39 +0200
Quoting Tim Warnock (timoid@getonit.net.au):
> That fix went into sarge by the looks of it, what about us woody users?


Given the huge bug log of shadow, the lack of backsight we have on it,
I'm very reluctant to keep bugs open, tagged "woody" and sleeping
in the BTS, while sarge is close to being released.

There is no chance that woody is ever fixed for such bugs, so keeping
them open is just a way to prevent them from being reported
again....which is very unlikely to happen from woody users now, from
my experience.

In the future life of shadow, bugs appearing on the "stable" version,
fixed in unstable and testing, *will* be handled by marking them
"sarge" and leaving them open. But, at this moment, our priority is
going through the backlog of shadow bugs...which will last for more
time than it will take for sarge to be released.





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #34 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 142070@bugs.debian.org
Subject: Patch applied in sarge branch
Date: Wed, 6 Apr 2005 06:43:45 +0200
[Message part 1 (text/plain, inline)]
Attached is the patch we applied to sarge regarding this bug.

We have to check if it applies cleanly in woody.


-- 



[010_chpasswd-md5.dpatch (text/plain, attachment)]

Bug reopened, originator not changed. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: woody Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to "Tim Warnock" <timoid@getonit.net.au>:
Bug#142070. Full text and rfc822 format available.

Message #41 received at 142070-submitter@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: pkg-shadow-devel@lists.alioth.debian.org
Cc: control@bugs.debian.org, 142070-submitter@bugs.debian.org, security@debian.org
Subject: Re: [Pkg-shadow-devel] Dealing with #142070 : chpasswd uses DES even when system is configured for MD5 passwords
Date: Wed, 6 Apr 2005 06:42:37 +0200
reopen 142070
tags 142070 woody
thanks

Quoting Nicolas François (nicolas.francois@centraliens.net):

> One question regarding #142070 (or #283961, etc.) and the last answer from
> Tim Warnock.  As this bug was tagged security, should we prepare a new
> package for stable proposed update?  Should we inform
> team@security.debian.org, as asked by Matt Zimmerman (#283961)?
> 
> I'm asking this because I've seen 3.0r5 is under preparation:
> http://lists.debian.org/debian-devel-announce/2005/04/msg00002.html
> I wonder if #283961 meet the first requirement (fixes a security problem,
> but no advisory).


That's not untrue..:-)

I forgot this was tagged "security". Indeed, this problem is subject
to interpretation : tagging it "security" is a little overflated,
IMHO. But, well, let's take this the hard way....so reopening the bug,
tagging it, informing security@debian.org....

May someone in the team try to apply the fix we applied to #283961 on
woody's shadow? This is 010_chpasswd-md5.dpatch in the sid branch. For
people not involved in the shadow maintenance team, I send it to
#142070 separately.









Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #46 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 142070@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#142070: Patch applied in sarge branch
Date: Wed, 6 Apr 2005 09:15:07 +0200
[Message part 1 (text/plain, inline)]
Quoting Christian Perrier (bubulle@debian.org):
> Attached is the patch we applied to sarge regarding this bug.
> 
> We have to check if it applies cleanly in woody.


The attached patch applies cleanly.

I'm currently building a new version of the shadow package on a woody
system to check if this fixes the DES/MD5 problem.

PS : the build system of shadow in woody is incredibly better. All
Debian specific patches were in debian/patches and there was a clean
line between Debian specific patches and upstream sources, not the
mess we currently have....:-(. This is exactly what I want to get back
with the 4.0.3-32 release and the use of dpatch.






[patch.142070 (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #51 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Christian Perrier <bubulle@debian.org>, 142070@bugs.debian.org
Subject: Re: Bug#142070: Patch applied in sarge branch
Date: Wed, 6 Apr 2005 10:08:05 +0200
Hello Christian,

Can you also update the chpasswd man page?

I think it is part of the fix, because it indicates that the default
algorithm is DES.

-- 
Nekral



Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Tomasz Kłoczko <kloczek@zie.pg.gda.pl>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #56 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Tomasz Kłoczko <kloczek@zie.pg.gda.pl>
To: Christian Perrier <bubulle@debian.org>, 142070@bugs.debian.org
Cc: debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-shadow-devel] Bug#142070: Patch applied in sarge branch
Date: Wed, 6 Apr 2005 14:43:25 +0200 (CEST)
[Message part 1 (text/plain, inline)]
On Wed, 6 Apr 2005, Christian Perrier wrote:

> Attached is the patch we applied to sarge regarding this bug.
> 
> We have to check if it applies cleanly in woody.

If I can ..
Now I think it will be better to prepare this kind of functionality in a more
common way, to allow not only one encryption algorithm.
Probably in the future, even at the libc level, more than two algorithms will
be used (now DES and MD5).
Instead of using --md5 and probably in the future --sha1 (--sha256), --blodish
and others, it will be better to use --<shwitch> <algh_name>.

I think it will be best to plug this under "{-c|--crypt} <algh_name>" (other
propositions?)

If it is acceptable I'll try ASAP to prepare a patch using this new schema
for the CVS shadow tree.

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they just create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #61 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 142070@bugs.debian.org
Subject: Re: Bug#142070: [Pkg-shadow-devel] Bug#142070: Patch applied in sarge branch
Date: Wed, 6 Apr 2005 14:12:11 +0200
(remember, only reply to the bug number...:-)))

> If I can ..
> Now I think it will be better to prepare this kind of functionality in a more
> common way, to allow not only one encryption algorithm.
> Probably in the future, even at the libc level, more than two algorithms will
> be used (now DES and MD5).
> Instead of using --md5 and probably in the future --sha1 (--sha256), --blodish
> and others, it will be better to use --<shwitch> <algh_name>.
> 
> I think it will be best to plug this under "{-c|--crypt} <algh_name>" (other
> propositions?)
> 
> If it is acceptable I'll try ASAP to prepare a patch using this new schema
> for the CVS shadow tree.

I think that's OK, but you'll have to keep the "--des" and "--md5"
command line switches for backward compatibility.

Maybe have the utilities print some warning message when they are
used. Something like:

$ echo tintin:tintin | chpasswd --des
WARNING: the --des command line switch is obsolete. Please use
         "--crypt des" instead.
$

(and doing the work anyway...)




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Martin Quinson <martin.quinson@loria.fr>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #66 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Martin Quinson <martin.quinson@loria.fr>
To: 142070@bugs.debian.org
Subject: Progress?
Date: Wed, 11 May 2005 14:03:04 +0200
[Message part 1 (text/plain, inline)]
#142070: base: chpasswd uses DES rather than MD5 for encryption, even though
               i specified MD5 at install

Hello,

What is the status of this one? Christian, you said you had a fix for this.
Did you contact Joey yet to see how it could be included in the next stable
release?

Bye, Mt.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#142070; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #71 received at 142070@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 142070@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#142070: Progress?
Date: Wed, 11 May 2005 18:13:58 +0200
Quoting Martin Quinson (martin.quinson@loria.fr):
> #142070: base: chpasswd uses DES rather than MD5 for encryption, even though
>                i specified MD5 at install
> 
> Hello,
> 
> What is the status of this one? Christian, you said you had a fix for this.
> Did you contact Joey yet to see how it could be included in the next stable
> release?


The security team was CC'ed to the mail I sent to reopen the bug.

While writing it I see that I CC'ed security@debian.org rather than
team@security.debian.org....I should have tried that one first.

However, I haven't completed the work to rebuild the package on a
woody system and all this went far in my head.

I may re-check on this system, if the security team feels that having
chpasswd default to MD5 rather than DES is worth an update in woody.

(sarge is safe for ages on that matter)
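
Added example (not part of this thread and not code from the shadow package): a check that groups the accounts in shadow-format lines by hash scheme, so an administrator can see which entries carry a traditional 13-character DES crypt hash instead of a `$1$` MD5 one, the condition this report describes. The function names are hypothetical, and the account names and hash strings are constructed placeholders with the right shape, not real hashes.

```python
import re

# Characters used by crypt(3) for salts and digests.
B64 = r"[./0-9A-Za-z]"
# Traditional DES crypt: 2-character salt followed by an 11-character digest.
DES_RE = re.compile(rf"{B64}{{13}}")
# MD5 crypt: "$1$", a salt of up to 8 characters, "$", a 22-character digest.
MD5_RE = re.compile(rf"\$1\$[^$]{{0,8}}\${B64}{{22}}")


def classify(field):
    """Name the hashing scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"          # locked or disabled, whatever follows
    if DES_RE.fullmatch(field):
        return "des"
    if MD5_RE.fullmatch(field):
        return "md5"
    return "other"               # another $id$ scheme or a malformed field


def audit(lines):
    """Group account names by scheme for shadow-format lines."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue             # not a shadow entry
        result.setdefault(classify(parts[1]), []).append(parts[0])
    return result


# Constructed sample: placeholder strings with the right shape, not real hashes.
SAMPLE = """\
root:$1$saltsalt$abcdefghijklmnopqrstuv:12878:0:99999:7:::
tintin:ab01234567890:12878:0:99999:7:::
daemon:*:12878:0:99999:7:::
haddock:!ab01234567890:12878:0:99999:7:::
"""

if __name__ == "__main__":
    for scheme, users in sorted(audit(SAMPLE.splitlines()).items()):
        print(f"{scheme:7} {', '.join(users)}")
```

Accounts reported under "des" are the ones whose passwords were last set by a tool that ignored the system's MD5 setting.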





Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Tim Warnock" <timoid@getonit.net.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #76 received at 142070-done@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 142070-done@bugs.debian.org
Subject: Bug is dead with woody
Date: Fri, 17 Jun 2005 23:13:25 +0200
This bug is now dead with woody being the old Debian stable
release..:-)

-- 







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 6 12:30:34 2016; Machine Name: beach

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.