hawq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul Guo (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HAWQ-865) Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix
Date Fri, 24 Jun 2016 02:12:16 GMT
Paul Guo created HAWQ-865:

             Summary: Rebase upstream pgcrypto to a newer commit which includes a critical
DES crypt() bug fix
                 Key: HAWQ-865
                 URL: https://issues.apache.org/jira/browse/HAWQ-865
             Project: Apache HAWQ
          Issue Type: Bug
            Reporter: Paul Guo
            Assignee: Lei Chang

We'd rebase to the following commit.
commit 932ded2ed51e8333852e370c7a6dad75d9f236f9
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date:   Wed May 30 10:53:30 2012 -0400

    Fix incorrect password transformation in contrib/pgcrypto's DES crypt().

    Overly tight coding caused the password transformation loop to stop
    examining input once it had processed a byte equal to 0x80.  Thus, if the
    given password string contained such a byte (which is possible though not
    highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
    subsequent characters would not contribute to the hash, making the password
    much weaker than it appears on the surface.

    This would only affect cases where applications used DES crypt() to encode
    passwords before storing them in the database.  If a weak password has been
    created in this fashion, the hash will stop matching after this update has
    been applied, so it will be easy to tell if any passwords were unexpectedly
    weak.  Changing to a different password would be a good idea in such a case.
    (Since DES has been considered inadequately secure for some time, changing
    to a different encryption algorithm can also be recommended.)

    This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
    Since the other projects have already published their fixes, there is no
    point in trying to keep this commit private.

    This bug has been assigned CVE-2012-2143, and credit for its discovery goes
    to Rubin Xu and Joseph Bonneau.

This message was sent by Atlassian JIRA

View raw message