Your message dated Wed, 01 Mar 2023 12:04:04 +0000
with message-id <[email protected]>
and subject line Bug#1014110: fixed in argon2 0~20190702-0.1
has caused the Debian Bug report #1014110,
regarding argon2(-tool) doesn't use threads
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014110
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: argon2
Version: 0~20171227-0.3
Severity: important
Tags: security
Hey.
I stumbled over the issue, that with the same set of parameters
argon2(-tool) takes *considerably* longer to calculate than e.g.
cryptsetup (which uses libargon2) does.
At first I thought that cryptsetup might do something wrong or
silently reduce the parameters, but thanks to cryptsetup's
upstream develor Milan Broz it was found out that Debian’s
argon2(-tool) doesn't use threads... and is such much slower than
it needs to be.
Apparently the tool would need to be linked against libpthread for
that to work
It also isn't linked to the shared libargon2, which it likely
should be?
IMO that's also a subtle security problem:
If users actually want to use argon2(-tool) and do not notice that
it runs artificially slower than needed, they may choose parameters
which are "less secure" (because it seeems to cost enough time at
their system),... while an attacker would of course use threads and
be thus in advantage.
Could you please build argon2(-tool) with support for threads?
If a statically linked version should be needed,... it could
perhaps be privided in a argon2-static?
Thanks,
Chris.
--- End Message ---
--- Begin Message ---
Source: argon2
Source-Version: 0~20190702-0.1
Done: Bastian Germann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
argon2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated argon2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Feb 2023 11:58:57 +0100
Source: argon2
Architecture: source
Version: 0~20190702-0.1
Distribution: unstable
Urgency: medium
Maintainer: Luca Bruno <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 902858 1012682 1014110 1032102
Changes:
argon2 (0~20190702-0.1) unstable; urgency=medium
.
* Non-maintainer upload
* Only build udeb without threads (Closes: #1014110)
.
[ Ondřej Nový ]
* d/copyright: Use https protocol in Format field (Closes: #1032102)
* New upstream version 0~20190702 (Closes: #1012682)
.
[ Laurent Bigonville ]
* debian/patches/: Refresh the patches
* Drop transitional libargon2-0 package (Closes: #902858)
.
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database.
* Set upstream metadata fields: Bug-Submit.
* Remove constraints unnecessary since buster (oldstable):
+ Build-Depends: Drop versioned constraint on dh-exec.
Checksums-Sha1:
13a07f0269ab7ea9398a65db3bae5401c00abf10 1892 argon2_0~20190702-0.1.dsc
4b1de90ec1ccfb6e91001e849f2cbe0222cc8b4c 1505307 argon2_0~20190702.orig.tar.gz
e1c4e517c678d0c35b1480b44e0ce338848aae26 7148
argon2_0~20190702-0.1.debian.tar.xz
b45c24c124f7417ca715f8cf3f9ceacd63bfcca9 5468
argon2_0~20190702-0.1_source.buildinfo
Checksums-Sha256:
af55e8a54e5a79169f6ca212d283f4b621cd4ec88c5761d0dfdcdd9c409e0728 1892
argon2_0~20190702-0.1.dsc
daf972a89577f8772602bf2eb38b6a3dd3d922bf5724d45e7f9589b5e830442c 1505307
argon2_0~20190702.orig.tar.gz
6d5c8a923a5e316fde7ae7a8a696afa89c0b5d19f271545e700025f6eefbe33d 7148
argon2_0~20190702-0.1.debian.tar.xz
930f8512fb64dc4c5e04a4d4ec1e4fdf8c35e14b10b5723a9d61b42985cbd90c 5468
argon2_0~20190702-0.1_source.buildinfo
Files:
5d981b10037926e9f7b450f23e7a4ca5 1892 libs optional argon2_0~20190702-0.1.dsc
0f234cc21ac6cebfe373da6afa70bb1d 1505307 libs optional
argon2_0~20190702.orig.tar.gz
c1545925a1d001071b1dc9fb61ae783d 7148 libs optional
argon2_0~20190702-0.1.debian.tar.xz
5c8d6ad967fae892c3d69a08934df950 5468 libs optional
argon2_0~20190702-0.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmP95K4QHGJhZ2VAZGVi
aWFuLm9yZwAKCRAfXHqLRVZDFICQDACPr2i2hPKb9scvIylN7sD3ZzCUb7w1Zhnx
6jEkCPRbZcM/hLIdOAxqJdjIcSnOiFxYhnARS2Q2PvY1aFerc8LnjAs279yqwYDa
0N0a++PZDl1es8aTYlLcXgp54naLTVfX2apENbFUNPMsC0idz5B+TCgMfYmeCmdQ
nuFLZggGB05J8kv2KkJHwQbDUmjAwtao82LXHLp+qh4+UPq0DU2g4snk2h4gOdu7
aYOPvyLfi5cSPiXFv8D5Zm2uRXY+dcL7NmL2A36LctVRxdk7zwoviokMJ43oPo2d
Zkfjhg46cOPMCU12KdUCd7/qS/udOVasSh3rsw8h/I/df+i6MTN6F7fMCViyUVPI
UKtcHFDcAtA34jtt+Jog1SDJ0HR0j9uCt2hVQCmefaZ2yYxvMe5Fbkddkq4yaQH2
n7ubJvT6L1b5sMesFAQCO+HJRbCREcnoBSt2GD8txJ9fYfge46pLIzI0I/B80SxY
1vrRHiAqXKNVLYoIhTmwfocEx3vAjJM=
=MPBj
-----END PGP SIGNATURE-----
--- End Message ---
