Re: [sympa-users] upgrade_sympa_password.pl

  • From: Steve Rich <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [sympa-users] upgrade_sympa_password.pl
  • Date: Tue, 4 Aug 2015 20:10:45 +0000

Hi everyone,

Turns out there is a bug in upgrade_sympa_password.pl.  

The following:

die "Crypt::CipherSaber not installed ; cannot crypt passwords"
    unless Sympa::Tools::Password::ciphersaber_installed();
die 'Error in configuration'
    unless Conf::load(Conf::get_sympa_conf(), 'no_db');
my $sdm = Sympa::DatabaseManager->instacne
    or die 'Can\'t connect to database';

Should be:

die 'Error in configuration'
    unless Conf::load(Conf::get_sympa_conf(), 'no_db');
die "Crypt::CipherSaber not installed ; cannot crypt passwords"
    unless Sympa::Tools::Password::ciphersaber_installed();
my $sdm = Sympa::DatabaseManager->instance
    or die 'Can\'t connect to database';


And here’s why.  

Conf::load loads sympa.conf which contains the oh so important cookie for decrypting the RC4 encrypted passwords of older versions.
Sympa::Tools::Password::ciphersaber_installed() checks for installation of the Crypt::CipherSaber perl module.  In addition, it creates a new CipherSaber object with whatever is present in $Conf::Conf{'cookie'} unless there is an existing CipherSaber object already.  In that case, the already instantiated object is returned with the wrong cookie value.

If the ciphersaber_installed() function is called prior to the Conf::load() function, we get a ciphersaber object whose secret key is an empty string instead of the cookie.

Additionally, there was a typo in the Sympa::DatabaseManager object creation (instacne instead of instance).

I’m copying Soji on this because I believe he wrote this script based on the comments.

Thanks,
Steve
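As an added illustration (not Sympa's code and not posted by anyone in this thread), here is a small Python model of the ordering bug described above: a cipher object that is built lazily from the loaded cookie and then cached means that calling it before the config is loaded keys it with an empty secret, and loading the config afterwards does not rebuild it. CONF, _CIPHER, conf_load, ciphersaber_installed and upgrade_password are hypothetical stand-ins for the Perl pieces named in the message; the CipherSaber-1 construction (RC4 keyed with secret || 10-byte IV) is what Crypt::CipherSaber implements, and 'gh869jku5' is the example cookie value quoted in this thread.

```python
import os

CONF = {}        # stands in for %Conf::Conf (constructed, hypothetical)
_CIPHER = None   # stands in for the cached Crypt::CipherSaber object
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream XOR; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

class CipherSaber:
    """CipherSaber-1: RC4 keyed with secret || IV, the 10-byte IV stored in clear."""
    def __init__(self, secret: bytes):
        self.secret = secret
    def encrypt(self, plaintext: bytes) -> bytes:
        iv = os.urandom(10)
        return iv + rc4(self.secret + iv, plaintext)
    def decrypt(self, blob: bytes) -> bytes:
        iv, body = blob[:10], blob[10:]
        return rc4(self.secret + iv, body)

def conf_load(cookie: str) -> None:
    CONF['cookie'] = cookie          # models Conf::load reading sympa.conf

def ciphersaber_installed() -> CipherSaber:
    """Models ciphersaber_installed(): keyed from the cookie loaded *now*, then cached."""
    global _CIPHER
    if _CIPHER is None:
        _CIPHER = CipherSaber(CONF.get('cookie', '').encode())
    return _CIPHER

def upgrade_password(stored: bytes, cookie: str, load_conf_first: bool) -> bytes:
    # Decrypt one stored password in either call order, as a fresh process would.
    global _CIPHER
    _CIPHER = None
    CONF.clear()
    if load_conf_first:
        conf_load(cookie)
        cs = ciphersaber_installed()   # keyed with the real cookie
    else:
        cs = ciphersaber_installed()   # keyed with '' and cached for good
        conf_load(cookie)              # too late: the cached object is reused
    return cs.decrypt(stored)
```

With the wrong order every one of the "35,000 updated" passwords would be re-hashed from RC4 garbage rather than from the real cleartext, which is exactly the symptom of a successful run that nobody can log in after.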


From: <address@concealed> on behalf of Steve Rich
Reply-To: Steve Rich
Date: Monday, August 3, 2015 at 9:11 AM
To: Javier Ron, "address@concealed"
Subject: Re: [sympa-users] upgrade_sympa_password.pl

I suppose I should have included this in my original question.  Yes, I did ensure the cookie was the same prior to the upgrade.  However, since sending that out, I have noted that my config indicates that password_case is set to insensitive by default.  I suppose I can try the upgrade again with password_case set to sensitive since my password did have mixed case in the old environment.  If anyone has anything to add for me to try, I would greatly appreciate it.

Thanks,
Steve


From: Javier Ron
Date: Monday, August 3, 2015 at 8:58 AM
To: "address@concealed", Steve Rich
Subject: Re: upgrade_sympa_password.pl

Did you set the cookie in sympa.conf to match your previous value?


This string is used to generate MD5 authentication keys. It allows generated authentication keys to differ from a site to another. It is also used for reversible encryption of user passwords stored in the database. The presence of this string is one reason why access to sympa.conf needs to be restricted to the sympa user.

Note that changing this parameter will break all HTTP cookies stored in users' browsers, as well as all user passwords and lists' X509 private keys. To prevent a catastrophe, sympa.pl refuses to start if the cookie parameter was changed.

Example:

cookie gh869jku5


Thanks
JR



From: address@concealed <address@concealed> on behalf of Steve Rich <address@concealed>
Sent: 03 August 2015 13:42
To: address@concealed
Subject: [sympa-users] upgrade_sympa_password.pl
 
I managed to pull off a test run of a migration from 5.4 to 6.2.3.  Then I tried updating the passwords in the database using upgrade_sympa_password.pl.  It completed and reported some 35,000 passwords were updated using the new md5 hash method.  However, I was not able to log in with my old account.  Is there a patch floating around or did I just miss something?

Thanks,
Steve



Archive powered by MHonArc 2.6.19+.