Bug#356810: libcrypt-cbc-perl: behaviour-change; header_iv bugs (both sending as receiving)

Bas van Sisseren tsd at tsd.student.utwente.nl
Tue Mar 14 08:44:09 UTC 2006


Package: libcrypt-cbc-perl
Version: 2.12-1sarge1
Severity: grave
Justification: renders package unusable

I've detected 4 problems with the security update of libcrypt-cbc-perl:

1. I'm using Crypt::CBC between several systems; the one system encrypts
data and the other decrypts data. In this security update, you've
changed the header from 'RandomIV' to 'Salted__'. Unfortunately, when
using Crypt::CBC on both sides (one old version of the package, and the
other this new libcrypt-cbc-perl version), the older one cannot decrypt
the messages from the new Debian package anymore. I don't think you
would like to have this in a stable release. (at least.. not as default
without a compatibility fallback)

2. The prepend_iv option (default ON) sets the 'my $prepend_header'
variable, but the encrypt function expects this to be
$self->{prepend_header}. Result: $self->{prepend_header} is always
undef, and no header is prepended.

3. On decrypting, the salt and/or iv option is retrieved from the
data-stream. The Salted__ option doesn't work:
   $self->{salt} = $salt;          # Replace manually-specified salt
   undef $self->{key};             # reset the key and iv
   undef $self->{iv};

 and after that:
   my $salt = $self->_get_random_bytes(8);
   my ($key,$iv) = $self->_salted_key_and_iv($self->{key},$salt);
   $self->{key}  ||= $key;   # don't replace manually-specified key
   $self->{iv}   ||= $iv;    # don't replace manually-specified IV

Why is $salt randomized here? Should $salt not just be $self->{salt}?
(not tested, might be wrong)

4. On decrypting, the RandomIV option doesn't work either. Haven't
investigated this one further.



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.15.5.0magnatz11
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libcrypt-cbc-perl depends on:
ii  libcrypt-blowfish-perl     2.09-5        Blowfish cryptography for Perl
ii  libcrypt-des-perl          2.03-3        Perl DES encryption module
ii  perl                       5.8.4-8sarge3 Larry Wall's Practical Extraction 

-- no debconf information
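
The header handling discussed in items 1 and 3, as an added example that is not part of the original report and not code from Crypt::CBC or the Debian package. The helper names (derive_key_iv, parse_header), the OpenSSL-style MD5 derivation, the 16-byte key and 8-byte IV sizes, and the passphrase and salt are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not code from Crypt::CBC or the Debian package.
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Assumed OpenSSL-style derivation: chain MD5 over passphrase and salt
# until enough bytes exist for both key and IV.
sub derive_key_iv {
    my ($pass, $salt, $key_len, $iv_len) = @_;
    die "salt must be 8 bytes\n" unless length($salt) == 8;
    my ($material, $block) = ('', '');
    while (length($material) < $key_len + $iv_len) {
        $block = md5($block . $pass . $salt);
        $material .= $block;
    }
    return (substr($material, 0, $key_len), substr($material, $key_len, $iv_len));
}

# Split a message into (header type, 8-byte salt or IV, remaining ciphertext).
sub parse_header {
    my ($msg) = @_;
    return ('none', undef, $msg) if length($msg) < 16;
    my ($magic, $field, $body) = unpack('a8 a8 a*', $msg);
    return ('salt',     $field, $body) if $magic eq 'Salted__';
    return ('randomiv', $field, $body) if $magic eq 'RandomIV';
    return ('none', undef, $msg);
}

# Constructed sample: the sender picks a salt and writes it into the header.
my $pass        = 'constructed passphrase';
my $sender_salt = pack('H*', '0102030405060708');
my ($k_send)    = derive_key_iv($pass, $sender_salt, 16, 8);
my $msg         = 'Salted__' . $sender_salt . 'CIPHERTEXT-PLACEHOLDER';

# Receiver that derives the key from the salt carried in the header.
my ($type, $field, $body) = parse_header($msg);
my ($k_ok) = derive_key_iv($pass, $field, 16, 8);
print "header=$type, key matches sender: ", ($k_ok eq $k_send ? 'yes' : 'no'), "\n";

# Receiver that draws a fresh salt instead (the behaviour questioned in item 3).
my $fresh   = pack('C8', map { int(rand(256)) } 1 .. 8);
my ($k_bad) = derive_key_iv($pass, $fresh, 16, 8);
print "fresh-salt key matches sender: ", ($k_bad eq $k_send ? 'yes' : 'no'), "\n";

# A peer that only knows the 'RandomIV' header (item 1) sees no usable header.
print "RandomIV-only reader accepts header: ", ($type eq 'randomiv' ? 'yes' : 'no'), "\n";
```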



