Bug#356810: Serious bug in security update for Crypt::CBC
Kjetil Kjernsmo
kjetilk at opera.com
Wed Mar 15 17:11:33 UTC 2006
Hi all!
Sorry to be jumping in without preserving the In-Reply-To.
Allard Hoeve wrote:
>I'm afraid this new package introduces some serious errors in software
>that depends on this package. I have tested the new package on three
>different Sarge machines with the following results. Please reproduce
>using attached perl script.
This bug jumped up and bit us too during testing, and it has been
reported as bug #356810: http://bugs.debian.org/356810

So, it is now clear that it poses a serious problem for users, as it
breaks the default behaviour.
However,
>Please remove the update from the security archive.
...it is not that simple. If you read the original advisory:
http://www.securityfocus.com/archive/1/archive/1/425966/100/0/threaded
you'll see that we have (indirectly) been relying on weak and
deprecated behaviour. While this is not the sort of breakage you expect
from stable, it underlines that security is not just about blindly
upgrading packages.
So, it is probably better to get a heads-up from something that breaks
down than getting the heads up from someone who breaks in... :-)
The problem in this case is that we don't know if it is serious:
"The difficulty of breaking data encrypted using this flawed algorithm
is unknown, but it should be assumed that all information encrypted
in this way has been, or could someday be, compromised."
Given that the upgrade certainly breaks stable, a DSA could have
suggested the workaround as the correct path for sysadmins:
"If using Crypt::CBC versions 2.16 and lower, pass the -salt=>1 option
to Crypt::CBC->new()."
I.e., say "you should do this now to upgrade your systems".
Many users are likely to be bitten by this upgrade, so, indeed, it may be a
reasonable path to remove the security upgrade and instead suggest the
workaround.
Best,
Kjetil
--
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
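The workaround quoted in the message, as an added example (not code from the thread or from the Crypt::CBC project): it builds the object with -salt=>1, checks that the ciphertext carries the OpenSSL-style "Salted__" header that option produces, and round-trips the data through a fresh object. It assumes Crypt::CBC and Crypt::Rijndael are installed; the passphrase and plaintext are constructed sample values.

```perl
#!/usr/bin/perl
# Added example, not part of the mailing-list thread: apply the
# "-salt=>1" workaround from the advisory and verify it took effect.
# Assumes Crypt::CBC and Crypt::Rijndael are installed; passphrase and
# plaintext below are constructed sample values.
use strict;
use warnings;
use Crypt::CBC;

# Build the cipher object the way the advisory's workaround describes:
# -salt => 1 makes Crypt::CBC prepend a random 8-byte salt and derive the
# key and IV from passphrase+salt (OpenSSL-compatible), instead of relying
# on the older default header mode.
sub salted_cipher {
    my ($passphrase) = @_;
    return Crypt::CBC->new(
        -key    => $passphrase,
        -cipher => 'Rijndael',   # AES; any installed Crypt::* block cipher works
        -salt   => 1,
    );
}

# Encrypt, confirm the "Salted__" header is present (proof that -salt=>1
# is really in effect), then decrypt with a fresh object built from the
# same options, which reads the salt back from the header.
sub check_roundtrip {
    my ($passphrase, $plaintext) = @_;
    my $ct = salted_cipher($passphrase)->encrypt($plaintext);
    die "ciphertext lacks the Salted__ header; -salt=>1 not in effect\n"
        unless substr($ct, 0, 8) eq 'Salted__';
    my $pt = salted_cipher($passphrase)->decrypt($ct);
    die "round-trip mismatch\n" unless $pt eq $plaintext;
    return length $ct;
}

my $len = check_roundtrip('example passphrase', 'constructed sample plaintext');
print "ok: salted ciphertext of $len bytes round-trips\n";
```

Data encrypted without the salt header by an older default configuration is not covered by this check; the script only confirms that new ciphertext is produced in salted mode.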