Package: libaprutil1
Version: 1.3.9+dfsg-5
Severity: important
Tags: patch

When using sha512_crypt passwords (i.e. with salt string starting with $6$), apache can't seem to validate correctly. This is likely due to the following bug in apr_password_validate:

- the "sample" buffer is 120 bytes
- strlen(salt) is 119, e.g. '$6$rounds=40000$YmXFoXtqoZApKtDc$1WLYWpQyHlKTDTrMR5r5hxmPwpcxrZ8cZIMokKZ.F5EEuRijS03DU2yI77sXAWpEtsl/yHzLkAHSeffMGVaZ00' for 'foo'
- apr_password_validate calls apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
- apr_cpystrn NUL-terminates sample.

Which means sample[sizeof(sample) - 2] == '\0', i.e. the last character of the hash is overwritten.

I believe this should be fixed by making all apr_cpystrn calls in apr_password_validate take sizeof(sample) instead of sizeof(sample) - 1 as third argument. By the looks of it this also affects the sid version.

Cheers,
Julien

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libaprutil1 depends on:
ii  libapr1    1.4.2-6+squeeze4  The Apache Portable Runtime Librar
ii  libc6      2.11.3-3          Embedded GNU C Library: Shared lib
ii  libdb4.8   4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libexpat1  2.0.1-7+squeeze1  XML parsing C library - runtime li
ii  libuuid1   2.17.2-9          Universally Unique ID library

libaprutil1 recommends no packages.

libaprutil1 suggests no packages.

-- no debconf information

-- 
Julien Cristau <julien.cris...@logilab.fr>
Logilab http://www.logilab.fr/
Scientific computing & knowledge management

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
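The truncation the report describes, reproduced as an added example that is not part of the bug report or of APR's own code. `cpystrn_like` is a local stand-in assumed to follow apr_cpystrn's documented behaviour (copy at most size-1 bytes, always NUL-terminate), and the crypt() output is stood in by the hash quoted in the report, so the comparison can only fail because of the copy size; `validate_like` and `surviving_length` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption: local re-implementation of apr_cpystrn semantics (copy at most
 * dst_size - 1 bytes, always NUL-terminate). Not APR's code; it exists so the
 * example builds without libapr. */
static char *cpystrn_like(char *dst, const char *src, size_t dst_size)
{
    char *d = dst, *end;
    if (dst_size == 0)
        return dst;
    end = dst + dst_size - 1;
    for (; d < end && *src != '\0'; ++d, ++src)
        *d = *src;
    *d = '\0';
    return d;
}

/* The 119-character sha512_crypt hash of "foo" quoted in the bug report. */
static const char *const REPORTED_HASH =
    "$6$rounds=40000$YmXFoXtqoZApKtDc$"
    "1WLYWpQyHlKTDTrMR5r5hxmPwpcxrZ8cZIMokKZ.F5EEuRijS03DU2yI77sXAWpEtsl/yHzLkAHSeffMGVaZ00";

/* Models the comparison step described in the report: copy the freshly computed
 * crypt() result into the fixed 120-byte "sample" buffer, then compare it with the
 * stored hash. subtract_one = 1 uses the reported sizeof(sample) - 1 size,
 * subtract_one = 0 uses the proposed sizeof(sample). Returns 1 on match, 0 otherwise. */
static int validate_like(const char *crypt_pw, const char *stored_hash, int subtract_one)
{
    char sample[120];
    size_t size = subtract_one ? sizeof(sample) - 1 : sizeof(sample);
    cpystrn_like(sample, crypt_pw, size);
    return strcmp(sample, stored_hash) == 0;
}

/* How many characters of the hash actually survive the copy under each variant. */
static size_t surviving_length(const char *crypt_pw, int subtract_one)
{
    char sample[120];
    size_t size = subtract_one ? sizeof(sample) - 1 : sizeof(sample);
    cpystrn_like(sample, crypt_pw, size);
    return strlen(sample);
}

int main(void)
{
    /* crypt_pw is stood in by the known-good hash, so only truncation can break the match. */
    printf("hash length        : %zu\n", strlen(REPORTED_HASH));
    printf("sizeof(sample) - 1 : kept %zu chars, match=%d\n",
           surviving_length(REPORTED_HASH, 1),
           validate_like(REPORTED_HASH, REPORTED_HASH, 1));
    printf("sizeof(sample)     : kept %zu chars, match=%d\n",
           surviving_length(REPORTED_HASH, 0),
           validate_like(REPORTED_HASH, REPORTED_HASH, 0));
    return 0;
}
```

With the reported size the buffer keeps 118 of the 119 characters and the comparison fails for a correct password; with sizeof(sample) all 119 fit (plus the terminator) and it succeeds. A practical check for a deployment is the same one the reporter did: confirm that $6$ hashes, which are the longest crypt() format, authenticate at all with the installed libaprutil1 before relying on them.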