Debian Bug report logs - #572561
php5: crypt() output inconsistency between version 5.2 and 5.3
Reported by: Fonso <ulfonk_mennhar@gmx.de>
Date: Thu, 4 Mar 2010 21:30:01 UTC
Severity: important
Tags: fixed-upstream
Found in version php5/5.3.1-5
Fixed in version 5.3.2-2
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#572561; Package php5.
(Thu, 04 Mar 2010 21:30:04 GMT).
Acknowledgement sent
to Fonso <ulfonk_mennhar@gmx.de>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 04 Mar 2010 21:30:04 GMT).
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.3.1-5
Severity: important
The output of crypt() for certain salts has changed between version 5.2.6-1+lenny6 and 5.3.1-5
The following small test script demonstrates this:
<?php echo crypt("semmel", "1$"); ?>
With php 5.3.1-5 this results in: 1$YZfgMfg2BiI
With php 5.2.6-1+lenny6 this results in: 1$IjqLeTnxFwo
As far as I can see from the documentation at http://de.php.net/manual/en/function.crypt.php "1$" is a valid salt for standard DES.
As a side note, the same output is generated, with the following script which provides an invalid, but different, salt:
<?php echo crypt("semmel", 1); ?>
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.3.1-5 server-side, HTML-embedded scripti
ii php5-common 5.3.1-5 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#572561; Package php5.
(Fri, 05 Mar 2010 05:48:06 GMT).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Fri, 05 Mar 2010 05:48:06 GMT).
Message #10 received at 572561@bugs.debian.org:
tag 572561 fixed-upstream
reassign 572561 php5-common 5.3.1-5
clone 572561 -1
retitle -1 PHP's bundled crypt implementation is used
severity -1 normal
thanks
Hi,
On 4 March 2010 15:30, Fonso <ulfonk_mennhar@gmx.de> wrote:
> Package: php5
> Version: 5.3.1-5
> Severity: important
>
>
> The output of crypt() for certain salts has changed between version 5.2.6-1+lenny6 and 5.3.1-5
> The following small test script demonstrates this:
>
> <?php echo crypt("semmel", "1$"); ?>
>
> With php 5.3.1-5 this results in: 1$YZfgMfg2BiI
> With php 5.2.6-1+lenny6 this results in: 1$IjqLeTnxFwo
This has already been fixed by upstream and the fix is included in
5.3.2 which should be uploaded some time soon.
In case you urgently need it to work the way it used to, this commit fixes it:
http://svn.php.net/viewvc?view=revision&revision=295340
> As a side note, the same output is generated, with the following script which provides an invalid, but different, salt:
Not sure this can be treated as a bug (if you insist, report it
upstream) as the salt is obviously invalid. The memory where the salt
is copied to is filled with '$'s which in this case leads to the same
result: '1$'.
As a side note... this bug would not have been triggered if php was
actually using the system's crypt(3) instead of the bundled copy. This
in turn means that something failed during the configure checks.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Added tag(s) fixed-upstream.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Mar 2010 05:48:08 GMT).
Bug reassigned from package 'php5' to 'php5-common'.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Mar 2010 05:48:08 GMT).
Bug No longer marked as found in versions php5/5.3.1-5.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Mar 2010 05:48:09 GMT).
Bug Marked as found in versions php5/5.3.1-5.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Mar 2010 05:48:10 GMT).
Bug 572561 cloned as bug 572601.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Mar 2010 05:48:11 GMT).
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Thu, 21 Oct 2010 09:24:04 GMT).
Notification sent
to Fonso <ulfonk_mennhar@gmx.de>:
Bug acknowledged by developer.
(Thu, 21 Oct 2010 09:24:04 GMT).
Message #25 received at 572561-done@bugs.debian.org:
Version: 5.3.2-2
We have updated php5 to use system crypt. php5 5.3.2-2 and higher returns:
1$IjqLeTnxFwo
again.
Ondrej
--
Ondřej Surý <ondrej@sury.org>
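The thread above turns on a legacy DES salt containing '$', which is outside the traditional crypt(3) salt alphabet ./0-9A-Za-z, so the result depends on which crypt implementation PHP is built against. The following is an added example, not code from the bug log or from PHP: it classifies the running crypt() against the two outputs quoted in the report and lists stored DES hashes whose salt is not portable. The function names and the sample store are hypothetical.

```php
<?php
// Added example, not code from the bug log. The two constants are the
// outputs quoted in the report for crypt("semmel", "1$").
const SYSTEM_CRYPT_OUTPUT  = '1$IjqLeTnxFwo'; // 5.2.6-1+lenny6, 5.3.2-2 and higher
const BUNDLED_5_3_1_OUTPUT = '1$YZfgMfg2BiI'; // 5.3.1-5

// Legacy DES hashes are 13 characters with no "$id$" or "_" prefix.
function is_legacy_des_hash(string $hash): bool
{
    return strlen($hash) === 13 && $hash[0] !== '$' && $hash[0] !== '_';
}

// Traditional DES crypt(3) salts are two characters from ./0-9A-Za-z.
function des_salt_is_portable(string $hash): bool
{
    return preg_match('#^[./0-9A-Za-z]{2}#', $hash) === 1;
}

// Hypothetical helper: classify this runtime's crypt() on the report's input.
function crypt_behaviour(): string
{
    $out = crypt('semmel', '1$');
    if (!is_string($out) || strlen($out) < 13) {
        return 'rejected';            // crypt() failure values are shorter than 13 chars
    }
    if (hash_equals(SYSTEM_CRYPT_OUTPUT, $out)) {
        return 'system-compatible';
    }
    return hash_equals(BUNDLED_5_3_1_OUTPUT, $out) ? 'bundled-5.3.1' : 'unknown';
}

// Hypothetical audit: users whose stored DES hash has a non-portable salt.
function at_risk_users(array $stored): array
{
    return array_keys(array_filter($stored, function (string $hash): bool {
        return is_legacy_des_hash($hash) && !des_salt_is_portable($hash);
    }));
}

// Constructed sample store; only 'alice' is a value taken from the report.
$stored = [
    'alice' => SYSTEM_CRYPT_OUTPUT,
    'bob'   => 'abAAAAAAAAAAA',                         // constructed placeholder
    'carol' => '$1$constructed$AAAAAAAAAAAAAAAAAAAAAA', // constructed placeholder
];

echo 'crypt() behaviour: ', crypt_behaviour(), PHP_EOL;
echo 'at-risk accounts: ', implode(', ', at_risk_users($stored)), PHP_EOL;
```

Accounts listed as at risk are the ones to re-verify, and rehash on next login, before and after changing the PHP build or the underlying crypt library.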
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 07 Jan 2011 07:35:31 GMT).
Last modified: Sun Jul 2 00:20:50 2023