Ticket #368 (closed defect: fixed)

Opened 7 years ago

Last modified 7 years ago

[PATCH] Decryption fails with Crypt::CBC 2.17 and later

Reported by: rjl
Owned by: rjl
Priority: normal
Milestone: 1.0.2
Component: Perl scripts
Version: 1.0.1
Severity: normal
Keywords: Crypt::CBC decrypt decryption
Cc:

Description

Newer versions of Crypt::CBC (2.17 and later) fail to decrypt the text they encrypt for some reason most likely related to the initialization vector changes introduced in 2.17. Ticket #280 addressed these changes in a partial form to ensure that compatibility with Mcrypt (at the PHP end of things) remained intact, but evidently further changes are needed in order to make the process-quarantine-sub.pl decrypt things properly before reporting takes place.

Some experimentation with options to the Crypt::CBC->new() method may be needed to determine the correct way to prepare that object for the decrypt() method. Until this ticket is closed, however, users should limit themselves to version 2.15 or earlier of Crypt::CBC.

Attachments

crypt-cbc.patch (1.2 kB) - added by rjl 7 years ago.
Patch for Crypt::CBC 2.17

Change History

Changed 7 years ago by rjl

Patch for Crypt::CBC 2.17

Changed 7 years ago by rjl

  • status changed from new to assigned
  • summary changed from Decryption fails with Crypt::CBC 2.17 and later to [PATCH] Decryption fails with Crypt::CBC 2.17 and later
  • patch changed from 0 to 1

This is evidently the result of a bug in Crypt::CBC 2.17 and later (presumably to at least 2.21). Jesse Norrell has supplied a small (3-line) patch against CBC.pm from version 2.17 which corrects the problem, and the module's author has been notified, so hopefully in 2.22 this bug will be fixed. At that point we'll simply have to have configtest.pl detect the broken versions of Crypt::CBC and advise an upgrade (or downgrade) to working versions.

Changed 7 years ago by rjl

Lincoln Stein (the maintainer of Crypt::CBC) has incorporated the attached patch into version 2.22 of his module, which has now been released. The configtest.pl script should complain about versions 2.17-2.21, and/or recommend a new minimum version of 2.22.

Changed 7 years ago by dmorton

  • status changed from assigned to closed
  • resolution set to fixed

In [1135], made the minimum requirement 2.22.

The structure to hold this info doesn't have the flexibility to block a certain range of versions.
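
The comments above ask configtest.pl to complain about Crypt::CBC 2.17-2.21 and note that its requirements structure cannot block a range. The following is an added example of one way to express that check; it is not code from configtest.pl or the project, and `%REQUIREMENTS` and `check_module_version()` are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not from configtest.pl: a requirements table that can
# reject a known-bad version range. %REQUIREMENTS and
# check_module_version() are hypothetical names.
use strict;
use warnings;
use version;

my %REQUIREMENTS = (
    'Crypt::CBC' => {
        broken   => [ [ '2.17', '2.21' ] ],  # range named in this ticket
        fixed_in => '2.22',                  # release carrying the patch
    },
);

# Returns (status, message); status is ok, broken, missing or unknown.
sub check_module_version {
    my ($module, $found) = @_;
    my $req = $REQUIREMENTS{$module} or return ('ok', 'no constraints');
    return ('missing', "$module is not installed") unless defined $found;

    # Refuse strings that are not version numbers instead of letting an
    # unparsable value pass the gate.
    return ('unknown', "cannot parse $module version '$found'")
        unless version::is_lax($found);
    my $v = version->parse($found);

    for my $range (@{ $req->{broken} }) {
        my ($lo, $hi) = map { version->parse($_) } @$range;
        next unless $v >= $lo && $v <= $hi;
        return ('broken', "$module $found is in the broken range "
              . "$range->[0]-$range->[1]; install $req->{fixed_in} or later");
    }
    return ('ok', "$module $found is outside the broken range");
}

# Constructed sample versions, followed by whatever is installed locally.
for my $sample (qw(2.15 2.17 2.19 2.21 2.22 not-a-version)) {
    printf "%-14s %-8s %s\n", $sample,
        check_module_version('Crypt::CBC', $sample);
}
my $installed = eval { require Crypt::CBC; Crypt::CBC->VERSION };
printf "%-14s %-8s %s\n", 'installed',
    check_module_version('Crypt::CBC', $installed);
```

A version gate like this only reflects the range recorded in the ticket; it does not exercise encryption and decryption itself.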
