[Bug 2044391] [NEW] Blowfish decryption failure because of incorrect key length
Jeremy Sowden
2044391 at bugs.launchpad.net
Thu Nov 23 16:02:54 UTC 2023
Public bug reported:

The version of OpenSSL in Jammy (3.0.2) is affected by this issue:
https://github.com/openssl/openssl/issues/18359. The upshot is that
ciphertext created in Jammy cannot be decrypted by unaffected versions
of OpenSSL and vice versa. For example, here we encrypt a plaintext in
Jammy:

$ cat plaintext.txt
The quick brown fox jumps over the lazy dog
$ openssl enc -provider legacy -bf-cfb -e -in plaintext.txt -out ciphertext.asc -a -K d5cca2db098c2ea2 -iv da5638ace83dcde1
$ cat ciphertext.asc
tBL52uAegjMw+DQLL1ipaXQjDnX0KK72QyqMxU1MbuSIfchivPj/JOGWUOU=
$ openssl enc -provider legacy -bf-cfb -d -in ciphertext.asc -a -K d5cca2db098c2ea2 -iv da5638ace83dcde1
The quick brown fox jumps over the lazy dog

If we then try to decrypt it in Debian Sid, we get:

$ openssl enc -provider legacy -bf-cfb -d -in ciphertext.asc -a -K d5cca2db098c2ea2 -iv da5638ace83dcde1
hex string is too short, padding with zero bytes to length
�;S��\h<�Vɦyʄ(�g`Hrm^�[��u �"f�S�-9�u

This has been fixed upstream here:
https://github.com/openssl/openssl/commit/1b8ef23e68b273bb5e59f60df62251153f24768d

** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2044391
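
The Sid transcript above shows the 8-byte -K value being zero-padded to a longer key. The following is an added illustration, not part of the bug report and not OpenSSL's code: a self-contained Blowfish-CFB64 in Python showing that the same 8 key bytes, used as given on one side and zero-padded on the other, give unrelated key schedules. The 16-byte padded length and the names pi_words, Blowfish and cross_decrypt are assumptions of this example; the key, IV and plaintext are the ones from the report.

```python
def pi_words(n):
    """First n 32-bit words of pi's hex fraction (Blowfish's initial P-array and S-boxes)."""
    one = 1 << (32 * n + 64)                      # fixed point with 64 guard bits
    def atan_inv(x):                              # arctan(1/x) by its alternating Taylor series
        total, term, k = 0, one // x, 1
        while term:
            total += term // k if k % 4 == 1 else -(term // k)
            term, k = term // (x * x), k + 2
        return total
    frac = (16 * atan_inv(5) - 4 * atan_inv(239) - 3 * one) >> 64    # Machin's formula
    return [(frac >> (32 * (n - 1 - i))) & 0xFFFFFFFF for i in range(n)]

PI, M = pi_words(18 + 4 * 256), 0xFFFFFFFF

class Blowfish:
    def __init__(self, key):
        self.S = [PI[18 + 256 * i:274 + 256 * i] for i in range(4)]
        # Key bytes are XORed into the P-array cyclically, so K alone acts like K||K, never K||00..00.
        self.P = [p ^ int.from_bytes(bytes(key[(4 * i + j) % len(key)] for j in range(4)), "big")
                  for i, p in enumerate(PI[:18])]
        x = 0
        for table in [self.P] + self.S:           # replace every subkey by chained encryptions
            for i in range(0, len(table), 2):
                x = self.encrypt_block(x)
                table[i], table[i + 1] = x >> 32, x & M

    def encrypt_block(self, x):
        l, r, S = x >> 32, x & M, self.S
        for p in self.P[:16]:
            l ^= p
            f = (((S[0][l >> 24] + S[1][(l >> 16) & 255]) ^ S[2][(l >> 8) & 255]) + S[3][l & 255]) & M
            l, r = r ^ f, l
        return ((r ^ self.P[17]) << 32) | (l ^ self.P[16])

    def cfb64(self, data, iv, decrypt=False):
        out = b""
        for off in range(0, len(data), 8):
            ks = self.encrypt_block(int.from_bytes(iv, "big")).to_bytes(8, "big")
            res = bytes(a ^ b for a, b in zip(data[off:off + 8], ks))
            out += res
            iv = data[off:off + 8] if decrypt else res    # feedback is always the ciphertext block
        return out

KEY, IV = bytes.fromhex("d5cca2db098c2ea2"), bytes.fromhex("da5638ace83dcde1")  # -K and -iv from the report
PLAINTEXT = b"The quick brown fox jumps over the lazy dog\n"

def cross_decrypt(key=KEY):
    """Encrypt with the key as given; decrypt with it as given and zero-padded to 16 bytes."""
    ct = Blowfish(key).cfb64(PLAINTEXT, IV)
    return [Blowfish(k).cfb64(ct, IV, decrypt=True) for k in (key, key.ljust(16, b"\0"))]
```

cross_decrypt() returns the original plaintext for the unpadded key and 44 unrelated bytes for the zero-padded one.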