Newsgroups: php.internals
Date: Mon, 22 Aug 2011 22:01:53 +0200
Subject: Re: [PHP-DEV] Use system crypt() when possible
From: pierre.php@gmail.com (Pierre Joye)
To: Ondřej Surý
Cc: PHP internals

hi,

On Mon, Aug 22, 2011 at 9:51 PM, Ondřej Surý wrote:
> Hi,
>
> I wrote this patch some time ago and Debian package uses it:
>
> https://bugs.php.net/bug.php?id=51254
>
> which in turn made Debian packages not-vulnerable to #55439.

That's a bit easy to come up with that, I don't think either that we should explain again why what was done with 5.3.7-final was wrong in all possible ways and why we are all responsible for this mistake :)

> (But I
> have failed too, I should really start to check the output of the tests
> when building the package and compare them for any regressions.)

:)

> So I will (ab)use this time and ask for a feedback (again). I only
> received this from Pierre:
>
>> Not sure I agree with these changes, they are not supposed to be valid. I don't have the time now to reply with a detailed explanation but we will do it asap.
>
> and the detailed explanation never came.
>
> What the patch does:
> - it changes the m4 script to check for each individual cipher and if
> found it will use the system library for found ciphers, it will use
> PHP implementation for the rest (not-found)

In 5.4+ it should be fine to apply it as long as it is well tested (and not only on Debian pls :), MFH once 100% tested (other esoteric systems), incl. phpt passing everywhere.

The main problem here is about systems doing weird or non-standard things. Debian does or did that for a couple of things, I prefer true portability.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org