Bug 540891

Summary: blowfish secret for cookie authentication is not hashed / fails if size too long
Product: [Fedora] Fedora EPEL
Reporter: Till Maas <opensource>
Component: phpMyAdmin
Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: el5
CC: mmcgrath, opensource, redhat-bugzilla
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
URL: https://sourceforge.net/tracker/?func=detail&aid=2905629&group_id=23067&atid=377408
Whiteboard:
Fixed In Version: 2.11.9.6-3.el4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-12-27 20:34:08 UTC
Type: ---
Attachments:
phpMyAdmin-2.11.9.6-blowfish.patch (flags: none)

Description Till Maas 2009-11-24 13:19:48 UTC
Description of problem:
I set a blowfish secret for cookie authentication that was longer than 56 bytes, which is the maximum size for blowfish. Then phpmyadmin fails with showing an empty page and this is shown in the error log entry:

2009-11-24 13:56:21: (mod_fastcgi.c.2618) FastCGI-stderr: PHP Warning:  mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Size of key is too large for this algorithm in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71
PHP Fatal error:  mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Mcrypt initialisation failed in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71

Version-Release number of selected component (if applicable):
2.11.9.6-1.el5

How reproducible:
always

Steps to Reproduce:
0. install php-mhash from CentOS Extras (not a dependency of phpMyAdmin in EPEL, but phpMyAdmin complains if it is missing)
1. use a secret that is larger than 56 bytes for $cfg['blowfish_secret'] in the config file
2. use cookie authentication
3. login
  
Actual results:
Empty page is displayed

Expected results:
User is logged in

Additional info:
Instead of just passing the secret to the mcrypt_encrypt function, it should be hashed to the appropriate length, probably with sha512 and then truncated to 56 bytes, or even better to the output of mcrypt_get_key_size('blowfish', 'cbc'), which is 56.
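
The derivation proposed above, written out as an added example in Python. This is not phpMyAdmin's code and not the patch attached to this bug; the function and constant names are the example's own. It assumes Blowfish's maximum key size is 56 bytes (448 bits), the value mcrypt_get_key_size('blowfish', 'cbc') returns, and uses SHA-512 as the digest. The "before" path models mcrypt's rejection of an over-long key as an exception; the "after" path hashes the secret so the cipher always receives a key of exactly the supported size.

```python
# Added example (not phpMyAdmin code): derive a fixed-size Blowfish key from an
# arbitrary-length blowfish_secret, as proposed in the bug report.
# Assumptions: Blowfish accepts at most 56 bytes of key (what
# mcrypt_get_key_size('blowfish', 'cbc') returns); SHA-512 is the digest.
import hashlib

BLOWFISH_MAX_KEY_BYTES = 56  # mcrypt_get_key_size('blowfish', 'cbc')


def raw_secret_as_key(secret: bytes) -> bytes:
    """Pre-fix behaviour: the configured secret goes to the cipher unchanged.

    mcrypt_encrypt() refuses a key longer than the algorithm's maximum
    ("Size of key is too large for this algorithm"); that refusal is
    modelled here as an exception. Shorter keys are accepted as-is.
    """
    if len(secret) > BLOWFISH_MAX_KEY_BYTES:
        raise ValueError("Size of key is too large for this algorithm")
    return secret


def derive_blowfish_key(secret: bytes,
                        key_size: int = BLOWFISH_MAX_KEY_BYTES) -> bytes:
    """Proposed fix: derive the cipher key from the secret, never use it raw.

    SHA-512 yields 64 bytes; the first key_size bytes (56 by default) become
    the key, so the operator may configure a secret of any length and the
    cipher always receives exactly the key size it supports.
    """
    if not secret:
        raise ValueError("blowfish_secret must not be empty")
    if not 1 <= key_size <= hashlib.sha512().digest_size:
        raise ValueError("key_size must be between 1 and 64 bytes")
    return hashlib.sha512(secret).digest()[:key_size]


def compare_behaviours(secret: bytes) -> dict:
    """Run both paths on one secret and report what each does.

    Returns the secret length, the error the raw path raises (None when it
    accepts the secret) and the length of the derived key.
    """
    try:
        raw_secret_as_key(secret)
        raw_error = None
    except ValueError as exc:
        raw_error = str(exc)
    derived = derive_blowfish_key(secret)
    return {
        "secret_len": len(secret),
        "raw_error": raw_error,
        "derived_key_len": len(derived),
    }


if __name__ == "__main__":
    # Constructed secrets for the demonstration, not real configuration
    # values: one over the 56-byte limit (the reporter's case), one within it.
    long_secret = b"x" * 80
    short_secret = b"short-but-fine"
    for s in (long_secret, short_secret):
        print(compare_behaviours(s))
```

Truncating SHA-512 to 56 bytes keeps 448 bits, so nothing is lost relative to what Blowfish can use; the same derivation also pads a short secret to the full key size, although it adds no entropy a weak secret did not have. The PHP equivalent on PHP 5.1.2 or later (where the hash extension is bundled) is substr(hash('sha512', $cfg['blowfish_secret'], true), 0, 56).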

Comment 1 Robert Scheck 2009-11-29 13:06:13 UTC
CentOS Extras is an unsupported repository. Use the packages from Fedora EPEL,
please. Next point is, that phpMyAdmin 2.11.9.6 is in maintenance-only mode
by upstream, that means, the 2.11.9.x branch will only get security updates,
no bugfixes anymore. We can't update to phpMyAdmin 3.x, because a newer version
of phpMyAdmin would require php >= 5.2, which neither RHEL 4 nor RHEL 5 is able
to satisfy (PHP 4.3.x, PHP 5.1.x).

Do you see the same issue in Fedora 11, 12 or Rawhide? If yes, we can try to
fix it then upstream and maybe backport Fedora-only. And if the issue doesn't
exist in Fedora any longer, we maybe can backport the fix already.

Comment 2 Till Maas 2009-11-29 13:17:30 UTC
I looked at the source of phpMyAdmin 3.2.3 and $GLOBALS['cfg']['blowfish_secret'] is still used without any modification like hashing or truncation, therefore I expect the issue to be present in Rawhide, too.

Comment 3 Robert Scheck 2009-11-29 13:28:25 UTC
I've opened upstream bug ID #2905629.

Comment 4 Robert Scheck 2009-11-29 13:40:32 UTC
Upstream has rejected your request:

> In Documentation.html:
> $cfg['blowfish_secret'] string
>     The "cookie" auth_type uses blowfish algorithm to encrypt the password.
>     The maximum number of characters for this parameter seems to be 46.

If you don't agree with upstream, please participate in the upstream bug.

Comment 5 Robert Scheck 2009-12-03 22:40:50 UTC
Created attachment 375944 [details]
phpMyAdmin-2.11.9.6-blowfish.patch

Comment 6 Robert Scheck 2009-12-03 22:41:33 UTC
Till, can you please test, whether my backport try works for you as expected?

Comment 7 Fedora Update System 2009-12-03 22:45:13 UTC
phpMyAdmin-3.2.4-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc10

Comment 8 Fedora Update System 2009-12-03 22:45:17 UTC
phpMyAdmin-3.2.4-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc12

Comment 9 Fedora Update System 2009-12-05 00:01:07 UTC
phpMyAdmin-3.2.4-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update phpMyAdmin'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-12711

Comment 10 Fedora Update System 2009-12-05 00:04:34 UTC
phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update phpMyAdmin'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12724

Comment 11 Fedora Update System 2009-12-05 00:04:53 UTC
phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update phpMyAdmin'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12727

Comment 12 Robert Scheck 2009-12-13 14:57:54 UTC
Till, ping? Can you please test the patch from comment #5?

Comment 13 Fedora Update System 2009-12-27 20:25:27 UTC
phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Robert Scheck 2009-12-27 20:33:46 UTC
Till, can you please test, whether my backport try works for you as expected?

Comment 15 Fedora Update System 2009-12-27 20:34:01 UTC
phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Till Maas 2009-12-30 18:52:51 UTC
(In reply to comment #14)
> Till, can you please test, whether my backport try works for you as expected?  

Sorry for the delay, I did not have access to the system I experienced the problem with phpMyAdmin. I just got a virtual machine running and the patch fixes the problem on CentOS 5.4.

Comment 17 Fedora Update System 2010-01-04 00:22:42 UTC
phpMyAdmin-2.11.9.6-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el4

Comment 18 Fedora Update System 2010-01-04 00:22:48 UTC
phpMyAdmin-2.11.9.6-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el5

Comment 19 Fedora Update System 2010-01-21 23:31:20 UTC
phpMyAdmin-2.11.9.6-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2010-01-21 23:32:06 UTC
phpMyAdmin-2.11.9.6-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.