Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#368 closed defect (fixed)

[PATCH] Decryption fails with Crypt::CBC 2.17 and later

Reported by: rjl
Owned by: rjl
Priority: normal
Milestone: 1.0.2
Component: Perl scripts
Version: 1.0.1
Severity: normal
Keywords: Crypt::CBC decrypt decryption


Newer versions of Crypt::CBC (2.17 and later) fail to decrypt the text they encrypt, for some reason most likely related to the initialization vector changes introduced in 2.17. Ticket #280 addressed these changes in a partial form to ensure that compatibility with Mcrypt (at the PHP end of things) remained intact, but evidently further changes are needed in order to decrypt things properly before reporting takes place.

Some experimentation with options to the Crypt::CBC->new() method may be needed to determine the correct way to prepare that object for the decrypt() method. Until this ticket is closed, however, users should limit themselves to version 2.15 or earlier of Crypt::CBC.

Attachments (1)

crypt-cbc.patch (1.2 KB) - added by rjl 14 years ago.
Patch for Crypt::CBC 2.17


Change History (4)

Changed 14 years ago by rjl

Patch for Crypt::CBC 2.17

comment:1 Changed 14 years ago by rjl

  • patch changed from 0 to 1
  • Status changed from new to assigned
  • Summary changed from Decryption fails with Crypt::CBC 2.17 and later to [PATCH] Decryption fails with Crypt::CBC 2.17 and later

This is evidently the result of a bug in Crypt::CBC 2.17 and later (presumably to at least 2.21). Jesse Norrell has supplied a small (3-line) patch against version 2.17 which corrects the problem, and the module's author has been notified, so hopefully in 2.22 this bug will be fixed. At that point we'll simply have to detect the broken versions of Crypt::CBC and advise an upgrade (or downgrade) to working versions.

comment:2 Changed 14 years ago by rjl

Lincoln Stein (the maintainer of Crypt::CBC) has incorporated the attached patch into version 2.22 of his module, which has now been released. The script should complain about versions 2.17-2.21, and/or recommend a new minimum version of 2.22.

comment:3 Changed 14 years ago by dmorton

  • Resolution set to fixed
  • Status changed from assigned to closed

In [1135], made the minimum requirement 2.22.

The structure to hold this info doesn't have the flexibility to block a certain range of versions.
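The check discussed in this ticket, a blocked version range plus an encrypt/decrypt round trip, can be sketched as follows. This is an added example, not the project's code or the attached patch: the table layout, function names, demo key and the choice of Blowfish (which needs Crypt::Blowfish installed) are assumptions, and only the 2.17-2.21 range and the 2.22 fix come from the ticket.

```perl
#!/usr/bin/perl
# Added example, not the project's code.
use strict;
use warnings;
use version;

# Broken range and fixed release are from the ticket; this table layout is hypothetical.
my @BLOCKED = ({ module => 'Crypt::CBC', from => '2.17', to => '2.21', fixed => '2.22' });

# Returns undef when $have is acceptable, otherwise advice for the operator.
sub version_problem {
    my ($module, $have) = @_;
    my $v = version->parse($have);
    for my $r (grep { $_->{module} eq $module } @BLOCKED) {
        return "$module $have fails to decrypt what it encrypts; install $r->{fixed} or later"
            if $v >= version->parse($r->{from}) && $v <= version->parse($r->{to});
    }
    return;
}

# Functional check: encrypt, then decrypt with the options the caller really uses.
# Returns 1 on a clean round trip, 0 on mismatch or any exception
# (including a missing Crypt::CBC or cipher module).
sub round_trip_ok {
    my (%opt) = @_;
    my $plain = 'constructed self-test plaintext, longer than one cipher block';
    my $out = eval {
        require Crypt::CBC;
        my $ct = Crypt::CBC->new(%opt)->encrypt($plain);
        Crypt::CBC->new(%opt)->decrypt($ct);    # fresh object, as a separate reader would use
    };
    return (defined $out && $out eq $plain) ? 1 : 0;
}

# Constructed version strings exercising both edges of the blocked range.
for my $have (qw(2.15 2.17 2.21 2.22)) {
    printf "%-5s %s\n", $have, version_problem('Crypt::CBC', $have) // 'ok';
}

# Check whatever is installed here; the key and cipher below are demo assumptions.
if (eval { require Crypt::CBC; 1 }) {
    my $have = Crypt::CBC->VERSION;
    print "installed $have: ", version_problem('Crypt::CBC', $have) // 'version ok', "\n";
    my $ok = round_trip_ok(-key => 'constructed demo key', -cipher => 'Blowfish');
    print "round trip: ", ($ok ? 'ok' : 'FAILED'), "\n";
} else {
    print "Crypt::CBC not installed; only the version table was exercised\n";
}
```

The round trip is only meaningful when it is given the same constructor options the script uses for real decryption, since the failure described above depends on how the object is prepared.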
