Bug#964318: gosa login broken with PHP 7.4

Wolfgang Schweer w.schweer at gmx.de
Mon Jul 6 11:05:44 BST 2020


On Sun, Jul 05, 2020 at 10:34:43PM +0000, Holger Levsen wrote:
> this pretty much sounds like a 'serious' bug ( = unsuitable for a stable 
> release as per https://www.debian.org/Bugs/Developer#severities and not
> just important ("major impact, without rendering it completely unusable
> to everyone") or less, though I will follow Wolfgang's example and opt 
> for the lesser severity. (maybe it still works with new accounts?)

It doesn't. Also, setting up LDAP from scratch fails as well, i.e. 
installation of a new Debian Edu main server is broken.

Error message:

info: Creating first user <jdoe> 'jdoe'.
To initialize a brand new LDAP+KDC: 
rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb
rm /etc/krb5kdc/stash /etc/krb5.keytab*
LDAP passwords cleared from debconf database.
The provided LDAP password is valid.

PHP Fatal error:  Uncaught Error: Length must be greater than 0 in /usr/sbin/gosa-encrypt-passwords:7
Stack trace:
#0 /usr/sbin/gosa-encrypt-passwords(7): openssl_random_pseudo_bytes()
#1 /usr/sbin/gosa-encrypt-passwords(74): cred_encrypt()
#2 {main}
  thrown in /usr/sbin/gosa-encrypt-passwords on line 7

Related code in /usr/sbin/gosa-encrypt-passwords causing the error:

function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
  if (in_array($cipher, openssl_get_cipher_methods())) {
    // ECB mode takes no IV, so this is 0 for the default cipher
    $ivlen = openssl_cipher_iv_length($cipher);
    // since PHP 7.4 a length of 0 throws "Length must be greater than 0"
    $iv = openssl_random_pseudo_bytes($ivlen);
    return bin2hex(openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA, $iv));
  }

  return null;
}

Similar GOSa² web interface related code in /usr/share/gosa/functions.inc:

function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
  if (in_array($cipher, openssl_get_cipher_methods())) {
    // ECB mode takes no IV, so this is 0 for the default cipher
    $ivlen = openssl_cipher_iv_length($cipher);
    // since PHP 7.4 a length of 0 throws "Length must be greater than 0"
    $iv = openssl_random_pseudo_bytes($ivlen);
    return bin2hex(openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA, $iv));
  }

  return null;
}

function cred_decrypt($input, $password, $cipher = "aes-256-ecb") {
  if (in_array($cipher, openssl_get_cipher_methods())) {
    // $ivlen is computed but not used below
    $ivlen = openssl_cipher_iv_length($cipher);
    // a fixed 64 bytes is requested here, so this call does not throw;
    // ECB ignores the IV, so decryption still works with a random one
    $iv = openssl_random_pseudo_bytes(64);
    return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password, OPENSSL_RAW_DATA, $iv ), "\0\3\4\n");
  }

  return null;
}

In both encrypt and decrypt cases, the chosen cipher method seems to return 0.
 
The severity is rather 'grave', I figure.

@Mike: Also, src:fusiondirectory might be affected.
 
Wolfgang
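As an added example (editor's code, not part of the bug report and not the gosa package's own code), the following PHP reproduces the PHP 7.4 behaviour the stack trace shows, gives a minimal fix that keeps the legacy AES-256-ECB hex blob format readable so already stored credentials survive an upgrade, and adds a hardened replacement that goes beyond the immediate bug by replacing deterministic ECB with AES-256-GCM under a PBKDF2-derived key. All function names, the constants, the "v2" blob layout and the sample secrets are assumptions.

```php
<?php
declare(strict_types=1);
// Added example by the editor, not code from the gosa package or from this bug report.
// Assumes PHP >= 7.4 with ext-openssl; every function name and the "v2" blob layout
// below are assumptions, not gosa's own API.

// What the stack trace shows: aes-256-ecb takes no IV, so the IV length is 0, and
// since PHP 7.4 openssl_random_pseudo_bytes(0) throws an Error instead of
// returning false.
function reproduce_ecb_failure(): string
{
    $ivlen = openssl_cipher_iv_length('aes-256-ecb');   // 0 for any ECB cipher
    try {
        openssl_random_pseudo_bytes($ivlen);
        return 'no error (pre-7.4 behaviour)';
    } catch (\Error $e) {
        return get_class($e) . ': ' . $e->getMessage();
    }
}

// Minimal compatible fix: keep the stored format (hex of raw AES-256-ECB with the
// password used directly as key, as before) so credentials already written by
// older versions still decrypt, but never request zero random bytes. ECB ignores
// the IV, so an empty string is passed on both sides.
function cred_encrypt_compat(string $input, string $password): ?string
{
    $out = openssl_encrypt($input, 'aes-256-ecb', $password, OPENSSL_RAW_DATA, '');
    return $out === false ? null : bin2hex($out);
}

function cred_decrypt_compat(string $hex, string $password): ?string
{
    if ($hex === '' || !ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
        return null;                                    // reject malformed blobs
    }
    $out = openssl_decrypt(hex2bin($hex), 'aes-256-ecb', $password, OPENSSL_RAW_DATA, '');
    return $out === false ? null : $out;
}

// Hardened replacement (new format, so stored blobs must be re-encrypted once):
// AES-256-GCM with a fresh 12-byte nonce and a 16-byte tag per message, under a
// key derived from the password by PBKDF2-SHA256 with a random 16-byte salt.
// Unlike ECB, equal plaintexts no longer give equal ciphertexts, and any
// modification of the blob is detected. Hex layout: salt(16) nonce(12) tag(16) ct.
const CRED_V2_CIPHER = 'aes-256-gcm';
const CRED_V2_ITERATIONS = 200000;

function cred_v2_key(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, CRED_V2_ITERATIONS, 32, true);
}

function cred_encrypt_v2(string $input, string $password): ?string
{
    if (!in_array(CRED_V2_CIPHER, openssl_get_cipher_methods(), true)) {
        return null;
    }
    $salt  = random_bytes(16);
    $nonce = random_bytes(openssl_cipher_iv_length(CRED_V2_CIPHER));   // 12 for GCM
    $tag   = '';
    $ct = openssl_encrypt($input, CRED_V2_CIPHER, cred_v2_key($password, $salt),
                          OPENSSL_RAW_DATA, $nonce, $tag, '', 16);
    return $ct === false ? null : bin2hex($salt . $nonce . $tag . $ct);
}

function cred_decrypt_v2(string $hex, string $password): ?string
{
    if ($hex === '' || !ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
        return null;
    }
    $raw = hex2bin($hex);
    if (strlen($raw) < 16 + 12 + 16) {
        return null;                                    // too short to hold the header
    }
    $salt  = substr($raw, 0, 16);
    $nonce = substr($raw, 16, 12);
    $tag   = substr($raw, 28, 16);
    $ct    = substr($raw, 44);
    $pt = openssl_decrypt($ct, CRED_V2_CIPHER, cred_v2_key($password, $salt),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;                  // false: wrong password or tampering
}

// Demonstration with constructed values (not real credentials).
echo reproduce_ecb_failure(), PHP_EOL;
$secret = 'constructed-ldap-admin-secret';
$master = 'constructed-gosa-conf-password';
$legacy = cred_encrypt_compat($secret, $master);
var_dump(cred_decrypt_compat($legacy, $master) === $secret);
$v2 = cred_encrypt_v2($secret, $master);
var_dump(cred_decrypt_v2($v2, $master) === $secret);
var_dump(cred_decrypt_v2($v2, 'wrong-password'));
var_dump(cred_decrypt_v2(substr($v2, 0, -2) . 'ff', $master));   // last byte altered
```

The compat pair is the smallest change that unbreaks both gosa-encrypt-passwords and the web login without touching what is already stored; the v2 pair is what a fresh install should use, since ECB with the password as raw key leaks equal-block patterns and gives no integrity check, while GCM returns false (mapped to null here) for a wrong password or an altered blob instead of silently yielding garbage.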