Debian Bug report logs - #613815
php5: Using openssl_encrypt with an algorithm that doesn't need an IV produces a spurious warning
Reported by: Chris Butler <chrisb@debian.org>
Date: Thu, 17 Feb 2011 13:03:03 UTC
Severity: minor
Tags: fixed-upstream, patch
Found in version php5/5.3.3-7
Fixed in version 5.3.5-1
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#613815; Package php5. (Thu, 17 Feb 2011 13:03:06 GMT)
Acknowledgement sent to Chris Butler <chrisb@debian.org>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Feb 2011 13:03:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.3.3-7
Severity: minor
Tags: patch fixed-upstream
If using openssl_encrypt with an algorithm which doesn't require an
initialisation vector (e.g. ), PHP outputs a spurious warning about a blank
IV being insecure.
This was fixed in r304179 upstream, unfortunately after v5.3.3 was released:
http://svn.php.net/viewvc/php/php-src/trunk/ext/openssl/openssl.c?r1=303414&r2=304179
The fix is pretty trivial however, and applies cleanly to 5.3.3-7 source.
May be a bit of a long shot, but if it's at all possible to get this fixed
in squeeze (along with an update for something more important, perhaps) it
would sure make my life easier!
Feel free to close / mark as wontfix… it's obviously possible to suppress the
message with @ (although you then risk suppressing a more important error).
-- System Information:
Debian Release: 6.0
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-php5 depends on:
ii apache2-mpm-prefork 2.2.16-6 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.16-6 Apache HTTP Server common files
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8.3+dfsg-4 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4 MIT Kerberos runtime libraries
ii libmagic1 5.04-5 File type determination library us
ii libonig2 5.9.1-1 Oniguruma regular expressions libr
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libqdbm14 1.8.77-4 QDBM Database Libraries [runtime]
ii libssl0.9.8 0.9.8o-4squeeze1 SSL shared libraries
ii libxml2 2.7.8.dfsg-2 GNOME XML library
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii php5-common 5.3.3-7 Common files for packages built fr
ii tzdata 2010o-1 time zone and daylight-saving time
ii ucf 3.0025+nmu1 Update Configuration File: preserv
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages libapache2-mod-php5 recommends:
ii php5-cli 5.3.3-7 command-line interpreter for the p
Versions of packages libapache2-mod-php5 suggests:
ii php-pear 5.3.3-7 PEAR - PHP Extension and Applicati
-- no debconf information
--
Chris Butler <chrisb@debian.org>
GnuPG Key ID: 4096R/49E3ACD3
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#613815; Package php5. (Thu, 17 Feb 2011 13:24:03 GMT)
Acknowledgement sent to Chris Butler <chrisb@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Feb 2011 13:24:03 GMT)
Message #10 received at 613815@bugs.debian.org:
Sorry, meant to include an example:
openssl_encrypt('cleartext', 'AES-256-ECB', 'key', true);
=> PHP Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended
ECB ciphers do not require an IV: EVP_CIPHER_iv_length returns 0.
--
Chris Butler <chrisb@debian.org>
GnuPG Key ID: 4096R/49E3ACD3
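The reporter's one-liner above shows the symptom; the check the fix relies on (EVP_CIPHER_iv_length returning 0 for ECB) is exposed to PHP code as openssl_cipher_iv_length(). The following is an added example, not code from the bug report or from PHP itself, that asks the cipher for its IV length and only generates and passes an IV when that length is non-zero, so no empty-IV warning is provoked for ECB and no IV is ever silently omitted for a mode that needs one. It assumes PHP 5.4 or later with the openssl extension (for the OPENSSL_RAW_DATA constant; on 5.3.x the fourth argument is the boolean raw-output flag, and passing true is equivalent); the key, message and cipher names are constructed sample values.

```php
<?php
// Added example (not part of the bug report): supply an IV to openssl_encrypt
// only when the cipher actually has one, using openssl_cipher_iv_length(),
// the PHP wrapper around EVP_CIPHER_iv_length(). Assumes PHP >= 5.4.

function encrypt_with_iv($plaintext, $method, $key)
{
    $ivlen = openssl_cipher_iv_length($method);
    if ($ivlen === false) {
        throw new InvalidArgumentException("Unknown cipher method: $method");
    }
    // ECB modes report an IV length of 0. An IV is meaningless there, and a
    // fixed PHP emits no warning for the empty string. Because ECB has no IV,
    // identical plaintext blocks encrypt to identical ciphertext blocks, which
    // is why it is unsuitable for anything longer than one block; CBC/GCM with
    // a fresh random IV per message avoid that leak.
    $iv = ($ivlen > 0) ? openssl_random_pseudo_bytes($ivlen) : '';

    $ciphertext = openssl_encrypt($plaintext, $method, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    // Prepend the IV (if any) so the recipient can recover it; the IV is not secret.
    return $iv . $ciphertext;
}

function decrypt_with_iv($blob, $method, $key)
{
    $ivlen = openssl_cipher_iv_length($method);
    if ($ivlen === false || strlen($blob) < $ivlen) {
        throw new InvalidArgumentException('Unknown cipher method or blob shorter than its IV');
    }
    // substr() with length 0 yields '' on every supported PHP, so ECB needs no special case.
    $iv = substr($blob, 0, $ivlen);
    $ciphertext = substr($blob, $ivlen);

    $plaintext = openssl_decrypt($ciphertext, $method, $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('openssl_decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Constructed sample input: AES-256 takes a 32-byte key, so size it properly
// instead of relying on PHP to zero-pad a short password like 'key'.
$key = openssl_random_pseudo_bytes(32);
$msg = 'cleartext';

foreach (array('AES-256-ECB', 'AES-256-CBC') as $method) {
    $blob = encrypt_with_iv($msg, $method, $key);
    printf("%-12s iv length %2d, blob %2d bytes, round trip %s\n",
        $method,
        openssl_cipher_iv_length($method),
        strlen($blob),
        decrypt_with_iv($blob, $method, $key) === $msg ? 'ok' : 'FAILED');
}
```

On a PHP build carrying the upstream fix the ECB iteration runs without any warning; on an unfixed 5.3.3 the same call still triggers the spurious message, which is a quick way to tell the two apart without resorting to the @ operator.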
Reply sent to Ondřej Surý <ondrej@sury.org>: You have taken responsibility. (Sat, 14 May 2011 07:48:21 GMT)
Notification sent to Chris Butler <chrisb@debian.org>: Bug acknowledged by developer. (Sat, 14 May 2011 07:48:21 GMT)
Message #15 received at 613815-done@bugs.debian.org:
Version: 5.3.5-1
Hi,
unfortunately this is outside the security policy which says that
only fixes for security bugs can go in. I am marking the bug as closed in
5.3.5-1 (the 5.3.4 was never in Debian).
O.
--
Ondřej Surý <ondrej@sury.org>
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jun 2011 07:32:21 GMT)
Last modified: Sun Jul 2 01:29:11 2023