Posted to issues@hawq.apache.org by "Paul Guo (JIRA)" <ji...@apache.org> on 2016/06/24 02:15:16 UTC

[jira] [Commented] (HAWQ-865) Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix

    [ https://issues.apache.org/jira/browse/HAWQ-865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347559#comment-15347559 ] 

Paul Guo commented on HAWQ-865:
-------------------------------

We've encountered this issue in a simple test.

> Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix
> ----------------------------------------------------------------------------------------
>
>                 Key: HAWQ-865
>                 URL: https://issues.apache.org/jira/browse/HAWQ-865
>             Project: Apache HAWQ
>          Issue Type: Bug
>            Reporter: Paul Guo
>            Assignee: Lei Chang
>
> We'd rebase to the following commit.
> commit 932ded2ed51e8333852e370c7a6dad75d9f236f9
> Author: Tom Lane <tg...@sss.pgh.pa.us>
> Date:   Wed May 30 10:53:30 2012 -0400
>     Fix incorrect password transformation in contrib/pgcrypto's DES crypt().
>     Overly tight coding caused the password transformation loop to stop
>     examining input once it had processed a byte equal to 0x80.  Thus, if the
>     given password string contained such a byte (which is possible though not
>     highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
>     subsequent characters would not contribute to the hash, making the password
>     much weaker than it appears on the surface.
>     This would only affect cases where applications used DES crypt() to encode
>     passwords before storing them in the database.  If a weak password has been
>     created in this fashion, the hash will stop matching after this update has
>     been applied, so it will be easy to tell if any passwords were unexpectedly
>     weak.  Changing to a different password would be a good idea in such a case.
>     (Since DES has been considered inadequately secure for some time, changing
>     to a different encryption algorithm can also be recommended.)
>     This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
>     Since the other projects have already published their fixes, there is no
>     point in trying to keep this commit private.
>     This bug has been assigned CVE-2012-2143, and credit for its discovery goes
>     to Rubin Xu and Joseph Bonneau.
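The quoted commit message says the password-transformation loop stopped examining input once it hit a byte equal to 0x80. The following C program is an added illustration of that failure mode, written for this page; it is a reconstruction of the described pattern, not code copied from pgcrypto, PHP or the BSDs, and the function names `key_setup_buggy`, `key_setup_fixed`, `same_key` and `affected_by_bug` are assumptions for the example. It models only the 8-byte DES key setup (each password byte shifted left by one bit), not DES itself, which is enough to show why the rest of the password stops contributing and why such hashes stop matching after the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction (not pgcrypto's source) of the DES crypt()
 * key setup: copy up to 8 password bytes into the key buffer, shifting
 * each left by one bit because DES uses 7 key bits per byte. */

/* Buggy variant: advance the input pointer only while the *shifted* byte
 * is nonzero. A byte of 0x80 shifts to 0x100, which truncates to 0x00 in
 * a uint8_t, so the loop stops consuming input at that byte and every
 * remaining key byte becomes zero regardless of the real password. */
void key_setup_buggy(const char *key, uint8_t keybuf[8])
{
    uint8_t *q = keybuf;
    while (q - keybuf < 8) {
        if ((*q++ = (uint8_t)(((uint8_t)*key) << 1)))
            key++;
    }
}

/* Fixed variant: test the unshifted input byte for NUL instead of the
 * shifted result, so 0x80 is consumed like any other non-NUL byte. */
void key_setup_fixed(const char *key, uint8_t keybuf[8])
{
    uint8_t *q = keybuf;
    while (q - keybuf < 8) {
        *q++ = (uint8_t)(((uint8_t)*key) << 1);
        if (*key != '\0')
            key++;
    }
}

/* 1 if two passwords yield the same DES key under the given setup routine.
 * Under the buggy routine, passwords that agree up to and including a 0x80
 * byte collide no matter what follows. */
int same_key(void (*setup)(const char *, uint8_t *), const char *a, const char *b)
{
    uint8_t ka[8], kb[8];
    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, 8) == 0;
}

/* 1 if the buggy and fixed routines disagree for this password, i.e. the
 * stored hash would stop verifying after the fix is applied (the signal
 * the commit message describes for spotting unexpectedly weak passwords). */
int affected_by_bug(const char *pw)
{
    uint8_t kb[8], kf[8];
    key_setup_buggy(pw, kb);
    key_setup_fixed(pw, kf);
    return memcmp(kb, kf, 8) != 0;
}

int main(void)
{
    /* Constructed samples: the second byte is 0x80 (e.g. a UTF-8
     * continuation byte), followed by characters that should matter. */
    const char p1[] = "a\x80" "secret";
    const char p2[] = "a\x80" "XXXXXX";
    printf("buggy: same key for p1/p2? %d\n", same_key(key_setup_buggy, p1, p2));
    printf("fixed: same key for p1/p2? %d\n", same_key(key_setup_fixed, p1, p2));
    printf("p1 affected by bug? %d\n", affected_by_bug(p1));
    printf("plain ASCII affected? %d\n", affected_by_bug("abcdefgh"));
    return 0;
}
```

Passwords with no 0x80 byte in their first eight bytes produce identical keys under both routines, which is why the fix is transparent for most users; only hashes that fail to verify after the rebase indicate a password that was effectively truncated.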


