Uploaded image for project: 'Apache HAWQ'
  1. Apache HAWQ
  2. HAWQ-865

Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s:
    • Component/s: None
    • Labels:


      We'd rebase to the following commit.
      commit 932ded2ed51e8333852e370c7a6dad75d9f236f9
      Author: Tom Lane <tgl@sss.pgh.pa.us>
      Date: Wed May 30 10:53:30 2012 -0400

      Fix incorrect password transformation in contrib/pgcrypto's DES crypt().

      Overly tight coding caused the password transformation loop to stop
      examining input once it had processed a byte equal to 0x80. Thus, if the
      given password string contained such a byte (which is possible though not
      highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
      subsequent characters would not contribute to the hash, making the password
      much weaker than it appears on the surface.

      This would only affect cases where applications used DES crypt() to encode
      passwords before storing them in the database. If a weak password has been
      created in this fashion, the hash will stop matching after this update has
      been applied, so it will be easy to tell if any passwords were unexpectedly
      weak. Changing to a different password would be a good idea in such a case.
      (Since DES has been considered inadequately secure for some time, changing
      to a different encryption algorithm can also be recommended.)

      This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
      Since the other projects have already published their fixes, there is no
      point in trying to keep this commit private.

      This bug has been assigned CVE-2012-2143, and credit for its discovery goes
      to Rubin Xu and Joseph Bonneau.


          Issue Links



              • Assignee:
                Paul Guo Paul Guo
                Paul Guo Paul Guo
              • Votes:
                0 Vote for this issue
                3 Start watching this issue


                • Created: