[php-maint] Bug#687031: php5: Incorrect crypt() function behavior

Clint Byrum clint at ubuntu.com
Sat Sep 8 15:51:15 UTC 2012


Package: php5
Version: 5.3.3-7+squeeze14
Severity: important

This bug was originally reported against the Ubuntu php5 packages:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1046330

I have tested this in a squeeze chroot and a wheezy chroot.

If I run this command:

php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU'), PHP_EOL;"

On upstream PHP 5.4.6, and on the CentOS 6 PHP packages, I see this behavior:

CRYPT_EXT_DES: 1
_.012saltIO.319ikKPU

Which is correct. On squeeze and wheezy (and Ubuntu 10.04 and later) I see this:

CRYPT_EXT_DES: 1
_.msUWmoj85W6

This means that standard DES is being used, even though CRYPT_EXT_DES == 1.

Removing php_crypt_revamped.patch and use_system_crypt_fixes.patch from
debian/patches/series produces the correct behavior.

After reading this bug report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572601

I do agree that the system's crypt() should be used when possible,
however, since the system crypt does not seem to support extended DES
(Forgive my ignorance in this area, but the tests seem to indicate it
does not) then we should be using the PHP internal implementation. At
that point, why bother with the special case of using crypt() from glibc
only when somebody uses a standard DES salt?

I don't really see a valid reason for such a large divergence from
upstream behavior, so we should probably revert those patches and accept
that upstream does not support the system library behavior (or push them
to improve their support).

As an alternative, CRYPT_EXT_DES should be set to 0 since it is clearly
not working.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (400, 'precise-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
pn  libapache2-mod-php5 | libapache2-mod-php5filter | php5-cgi   <none>
ii  php5-common                                                  5.4.4-3ubuntu1

php5 recommends no packages.

php5 suggests no packages.

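The mismatch the report describes (an extended-DES salt answered with a standard-DES hash) can be detected from the strings alone, without knowing the password: the salt prefix says which scheme was requested, and the length and layout of the result say which scheme was actually used. The script below is an added example written for this report; it is not code from the bug report, from the Debian php5 package or from PHP upstream. It assumes the classic hash layouts (traditional DES: 2-char salt plus 11-char hash, 13 chars; BSDi extended DES: '_' plus 4-char iteration count plus 4-char salt plus 11-char hash, 20 chars) and the little-endian 6-bit count encoding of the FreeBSD-derived crypt code that PHP bundles. The sample strings are the ones from the report above.

```python
"""Classify crypt() salt/hash strings to catch an extended-DES salt being
answered with a standard-DES hash.

Added example for the Debian bug report; not code from the report, the
php5 package or PHP upstream.  Assumed layouts:
  traditional DES : 2-char salt + 11-char hash                 = 13 chars
  extended DES    : '_' + 4-char count + 4-char salt + 11 hash  = 20 chars
The count is assumed little-endian, 6 bits per character (FreeBSD crypt
convention, which PHP's bundled crypt_freesec follows).
"""
import warnings

# crypt(3) output alphabet; a character's index is its 6-bit value
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _in_alphabet(s):
    return all(c in CRYPT_ALPHABET for c in s)


def requested_scheme(salt):
    """Scheme the caller asked crypt() for, judged by the salt prefix."""
    if salt.startswith("_"):
        return "ext-des"
    if salt.startswith("$"):
        return "modular"      # $1$, $5$, $6$, $2y$...: not DES at all
    return "std-des"


def produced_scheme(output):
    """Scheme the returned string actually has, judged by its shape."""
    if len(output) == 20 and output[0] == "_" and _in_alphabet(output[1:]):
        return "ext-des"
    # glibc echoes whatever two salt characters it was given (even '_'),
    # so only the 11 hash characters are required to be in the alphabet
    if len(output) == 13 and _in_alphabet(output[2:]):
        return "std-des"
    if output.startswith("$"):
        return "modular"
    return "unknown"          # e.g. the '*0' / '*1' failure tokens


def ext_des_params(setting):
    """Decode (iteration_count, salt4) from an extended-DES setting string."""
    if len(setting) < 9 or setting[0] != "_" or not _in_alphabet(setting[1:9]):
        raise ValueError("not an extended-DES setting: %r" % setting)
    count = 0
    for i, c in enumerate(setting[1:5]):       # little-endian, 6 bits each
        count |= CRYPT_ALPHABET.index(c) << (6 * i)
    return count, setting[5:9]


def check_crypt(salt, output):
    """Verdict dict: did crypt() honour the scheme the salt asked for?"""
    want, got = requested_scheme(salt), produced_scheme(output)
    verdict = {"requested": want, "produced": got, "ok": False, "reason": ""}
    if want != got:
        verdict["reason"] = "salt asked for %s but output is %s" % (want, got)
        return verdict
    # Both DES variants must echo their setting prefix back verbatim
    prefix_len = {"std-des": 2, "ext-des": 9}.get(want, 0)
    if output[:prefix_len] != salt[:prefix_len]:
        verdict["reason"] = "output does not echo the %d-char setting" % prefix_len
        return verdict
    verdict["ok"] = True
    return verdict


def probe_system_crypt(password, salt):
    """Run check_crypt() against this interpreter's crypt(), which wraps
    the system libc crypt().  Returns None where the module is missing
    (it was removed in Python 3.13), so the result is environment-dependent."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    return check_crypt(salt, crypt.crypt(password, salt))


if __name__ == "__main__":
    # Strings from the report: the reporter re-used a full hash as the salt,
    # so a correct crypt() hands it back unchanged; Debian returned 13 chars.
    SALT = "_.012saltIO.319ikKPU"
    print("count=%d salt=%s" % ext_des_params(SALT))
    print(check_crypt(SALT, "_.012saltIO.319ikKPU"))   # ok
    print(check_crypt(SALT, "_.msUWmoj85W6"))          # std-des instead
    print("system crypt:", probe_system_crypt("x", SALT))
```

Running it on a box with the patched php5 reproduces the report's finding from the two strings alone: the request was ext-des, the output is std-des, and only the first two salt characters were echoed. probe_system_crypt() shows what the libc the PHP patches defer to does with the same salt; on glibc of that era it gives the 13-char form, which is why the patch set cannot claim CRYPT_EXT_DES support when it routes DES salts through the system crypt().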

