Date: Mon, 20 Jun 2011 07:55:30 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Either my test script is b0rken or BF has an 8-bit bug

On Mon, Jun 20, 2011 at 03:08:52AM +0400, Solar Designer wrote:
> Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used
> my code from crypt_blowfish)

I've just checked Crypt::Eksblowfish (which is used by
Authen::Passphrase), versions 0.001 (almost initial, released in 2006)
and 0.009 (current).  Both use "unsigned char" there.  So it appears
that the author of Crypt::Eksblowfish happened to fix the bug while
reworking/merging my code.  Perhaps he did not realize there was a bug,
but was merely adjusting the code to his conventions.  (I think I got to
reconsider mine.)

However, PHP looks affected. :-(  I'll contact the maintainer.

Alexander
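
The `char` versus `unsigned char` difference mentioned in the message, shown as an added example that is not part of the original e-mail and is not code from crypt_blowfish or Crypt::Eksblowfish. It is a simplified model that assumes the 8-bit bug is sign extension of key bytes as they are ORed into a 32-bit word; the function names and sample keys are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample keys: identical except for the two bytes before 0xA3. */
static const char KEY_A[] = "ab\xa3" "d";
static const char KEY_B[] = "XY\xa3" "d";

/* Weak form (hypothetical name): bytes are read as signed char. A byte >= 0x80
 * sign-extends to 0xFFFFFFxx, so the OR sets every bit above it and wipes out
 * the bytes packed earlier into the same word. */
uint32_t pack_word_signed(const char *key4)
{
    const signed char *p = (const signed char *)key4;
    uint32_t tmp = 0;
    for (int j = 0; j < 4; j++) {
        tmp <<= 8;
        tmp |= (uint32_t)(int32_t)p[j];
    }
    return tmp;
}

/* Corrected form (hypothetical name): bytes are read as unsigned char, so each
 * one contributes exactly its own 8 bits. */
uint32_t pack_word_unsigned(const char *key4)
{
    const unsigned char *p = (const unsigned char *)key4;
    uint32_t tmp = 0;
    for (int j = 0; j < 4; j++) {
        tmp <<= 8;
        tmp |= p[j];
    }
    return tmp;
}

int main(void)
{
    printf("signed:   %08x %08x\n", (unsigned)pack_word_signed(KEY_A),
           (unsigned)pack_word_signed(KEY_B));
    printf("unsigned: %08x %08x\n", (unsigned)pack_word_unsigned(KEY_A),
           (unsigned)pack_word_unsigned(KEY_B));
    printf("ascii:    %08x %08x\n", (unsigned)pack_word_signed("abcd"),
           (unsigned)pack_word_unsigned("abcd"));
    return 0;
}
```

In this model the signed read packs both constructed keys to the same word, while ASCII-only input is identical under both reads, which is why a test suite without 8-bit characters would not notice the difference.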
