Dear Martin,
From: Martin Schulze <[EMAIL PROTECTED]>
Reply-To: debian-security@lists.debian.org
To: Debian Security Announcements <debian-security-announce@lists.debian.org>
Subject: [SECURITY] [DSA 996-1] New Crypt::CBC packages fix cryptographic
weakness
For the stable distribution (sarge) this problem has been fixed in
version 2.12-1sarge1.
I'm afraid this new package introduces some serious errors in software
that depends on this package. I have tested the new package on three
different Sarge machines with the following results. Please reproduce
using attached perl script.
It is the simplest of perl scripts and it functions correctly with
libcrypt-cbc-perl version 2.12-1:
[EMAIL PROTECTED]:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
ii libcrypt-cbc-p 2.12-1 Implementation of cipher block
[EMAIL PROTECTED]:~$ perl crypt-decrypt.pl
allard
[EMAIL PROTECTED]:~$
After the upgrade to libcrypt-cbc-perl version 2.12-1sarge1:
[EMAIL PROTECTED]:~$ sudo apt-get install libcrypt-cbc-perl=2.12-1sarge1
[..]
[EMAIL PROTECTED]:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
ii libcrypt-cbc-p 2.12-1sarge1 Implementation of cipher block
[EMAIL PROTECTED]:~$ perl crypt-decrypt.pl
[EMAIL PROTECTED]:~$
Please remove the update from the security archive.
Regards,
Allard Hoeve
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::CBC;
my $cbc = new Crypt::CBC({ key => "abcdefghi", cipher => "Blowfish" });
my $encrypted = $cbc->encrypt("allard");
undef $cbc;
$cbc = new Crypt::CBC({ key => "abcdefghi", cipher => "Blowfish" });
my $decrypted = $cbc->decrypt($encrypted);
print "$decrypted\n";
