Posted to issues@hawq.apache.org by "Paul Guo (JIRA)" <ji...@apache.org> on 2016/06/24 02:15:16 UTC
[jira] [Commented] (HAWQ-865) Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix
[ https://issues.apache.org/jira/browse/HAWQ-865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347559#comment-15347559 ]
Paul Guo commented on HAWQ-865:
-------------------------------
We've encountered this issue in a simple test.
> Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix
> ----------------------------------------------------------------------------------------
>
> Key: HAWQ-865
> URL: https://issues.apache.org/jira/browse/HAWQ-865
> Project: Apache HAWQ
> Issue Type: Bug
> Reporter: Paul Guo
> Assignee: Lei Chang
>
> We'd rebase to the following commit.
> commit 932ded2ed51e8333852e370c7a6dad75d9f236f9
> Author: Tom Lane <tg...@sss.pgh.pa.us>
> Date: Wed May 30 10:53:30 2012 -0400
> Fix incorrect password transformation in contrib/pgcrypto's DES crypt().
> Overly tight coding caused the password transformation loop to stop
> examining input once it had processed a byte equal to 0x80. Thus, if the
> given password string contained such a byte (which is possible though not
> highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
> subsequent characters would not contribute to the hash, making the password
> much weaker than it appears on the surface.
> This would only affect cases where applications used DES crypt() to encode
> passwords before storing them in the database. If a weak password has been
> created in this fashion, the hash will stop matching after this update has
> been applied, so it will be easy to tell if any passwords were unexpectedly
> weak. Changing to a different password would be a good idea in such a case.
> (Since DES has been considered inadequately secure for some time, changing
> to a different encryption algorithm can also be recommended.)
> This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
> Since the other projects have already published their fixes, there is no
> point in trying to keep this commit private.
> This bug has been assigned CVE-2012-2143, and credit for its discovery goes
> to Rubin Xu and Joseph Bonneau.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
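The commit message quoted above describes the mechanism only in words: the key-setup loop stops advancing through the password once it meets a 0x80 byte, so everything after that byte is dropped from the DES key. The following C program is an added illustration written for this page, not pgcrypto's or HAWQ's code. It is a simplified reconstruction of the traditional DES crypt() key-setup loop (each password byte shifted left by one into an 8-byte key) in its pre-fix and post-fix shapes, plus a small comparison helper that mirrors the check the commit message recommends: a password whose hash stops matching after the update is one that had been silently truncated. The sample password is constructed; that only the first eight password bytes reach the key under either variant is a property of traditional DES crypt, not of this bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Traditional DES crypt() builds its 8-byte key by shifting each password
 * byte left by one (DES ignores the low parity bit of each key byte). The
 * two routines below are a simplified reconstruction of that key-setup
 * loop written for this note; only the loop shape is modelled, nothing is
 * copied from pgcrypto. */

/* Pre-fix shape: the password pointer advances only when the *stored* byte
 * is non-zero. 0x80 << 1 is 0x100, which truncates to 0x00 in a uint8_t, so
 * a 0x80 input byte freezes the pointer and every remaining key slot is
 * filled with 0x00, exactly as if the password had ended there.
 * Returns how many password bytes were actually consumed into the key. */
size_t des_key_setup_buggy(const char *pw, uint8_t keybuf[8])
{
    const char *start = pw;
    uint8_t *q = keybuf;
    while (q - keybuf < 8) {
        if ((*q++ = (uint8_t)((unsigned char)*pw << 1)))
            pw++;
    }
    return (size_t)(pw - start);
}

/* Post-fix shape: advance on the *input* byte being non-NUL, independent of
 * what the shifted, truncated value happens to be. */
size_t des_key_setup_fixed(const char *pw, uint8_t keybuf[8])
{
    const char *start = pw;
    uint8_t *q = keybuf;
    while (q - keybuf < 8) {
        *q++ = (uint8_t)((unsigned char)*pw << 1);
        if (*pw != '\0')
            pw++;
    }
    return (size_t)(pw - start);
}

/* Number of password bytes that reach the DES key under either variant. */
size_t des_key_bytes_used(const char *pw, int use_fixed)
{
    uint8_t k[8];
    return use_fixed ? des_key_setup_fixed(pw, k) : des_key_setup_buggy(pw, k);
}

/* 1 if two passwords yield an identical DES key (hence an identical hash for
 * the same salt), 0 otherwise. Miniature of the check in the commit message:
 * a hash that stops matching after the fix reveals a truncated password. */
int des_keys_equal(const char *a, const char *b, int use_fixed)
{
    uint8_t ka[8], kb[8];
    if (use_fixed) {
        des_key_setup_fixed(a, ka);
        des_key_setup_fixed(b, kb);
    } else {
        des_key_setup_buggy(a, ka);
        des_key_setup_buggy(b, kb);
    }
    return memcmp(ka, kb, 8) == 0;
}

static void show(const char *label, const char *pw, int use_fixed)
{
    uint8_t k[8];
    size_t n = use_fixed ? des_key_setup_fixed(pw, k) : des_key_setup_buggy(pw, k);
    printf("%-5s used %zu byte(s), key:", label, n);
    for (int i = 0; i < 8; i++)
        printf(" %02x", k[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed sample: a 0x80 byte in third position, as could occur in a
     * non-ASCII password. Split into two literals so "\x80" does not swallow
     * the following 'c' as a hex digit. */
    const char *pw = "ab\x80" "cdefgh";
    show("buggy", pw, 0);
    show("fixed", pw, 1);
    printf("buggy treats it like \"ab\": %d\n", des_keys_equal(pw, "ab", 0));
    printf("fixed treats it like \"ab\": %d\n", des_keys_equal(pw, "ab", 1));
    return 0;
}
```

With the buggy loop the sample password produces the same key as the two-character password "ab", which is the weakening the commit message describes; the fixed loop consumes all eight bytes. Note that only a byte equal to exactly 0x80 triggers the defect (0x81 shifts to 0x02, which is non-zero), and that a NUL still terminates the password in both variants, as intended.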