Date: Mon, 20 Jun 2011 10:19:58 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Either my test script is b0rken or BF has an 8-bit bug

On 20.06.2011 01:08, Solar Designer wrote:
>
> Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used
> my code from crypt_blowfish), and why I am getting different hashes for
> 8-bit chars produced by crypt() in Perl on Owl (which uses crypt_blowfish
> in glibc on Owl).  I'll need to investigate that.  If crypt_blowfish has
> the bug too, and it looks like it does, that's pretty bad, because it
> means we have incorrect (incompatible with OpenBSD's) hashes in the wild
> as well.

There are (or were) other incorrect hashes in the wild as well, see
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2010-02/msg00005.html

Gawker used this broken implementation, which replaced all
non-ASCII characters with question marks prior to hashing.

Frank
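The broken pre-hash step Frank refers to (every non-ASCII character becomes "?") is easy to emulate, and the emulation makes the damage concrete: every password that differs only in its non-ASCII characters, and the all-ASCII string obtained by writing "?" in their place, all hash to the same value. The code below is an added illustration written for this archive page, not code from the thread, from Gawker, or from crypt_blowfish; the page does not say which hash sat behind the lossy step, so a constructed salted SHA-256 stands in for it, and the salt and sample passwords are constructed values.

```python
import hashlib

# Constructed salt; any fixed value works for the demonstration.
SALT = b"constructed-salt"


def lossy_normalize(password: str) -> str:
    """Emulate the broken pre-hash step: any non-ASCII character becomes '?'.

    Everything at or above U+0080 is collapsed to one ASCII byte, so the
    function is many-to-one on exactly the inputs the hash should keep apart.
    """
    return "".join(c if ord(c) < 0x80 else "?" for c in password)


def hash_correct(password: str, salt: bytes = SALT) -> str:
    """Stand-in password hash (salted SHA-256) over the real UTF-8 password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hash_broken(password: str, salt: bytes = SALT) -> str:
    """Same stand-in hash, but applied after the lossy '?' substitution."""
    return hash_correct(lossy_normalize(password), salt)


def ascii_equivalent(password: str) -> str:
    """The pure-ASCII string the broken scheme cannot tell apart from `password`.

    A defender auditing a store produced with the lossy step can use this to
    confirm the weakness without any of the original non-ASCII passwords:
    hash_broken(p) == hash_correct(ascii_equivalent(p)) for every p.
    """
    return lossy_normalize(password)


def collide_under_broken_scheme(p1: str, p2: str, salt: bytes = SALT) -> bool:
    """True when two passwords map to the same stored value under the lossy step."""
    return hash_broken(p1, salt) == hash_broken(p2, salt)


def non_ascii_positions(password: str) -> list:
    """Indices whose character is lost by the substitution; a rough measure of
    how much of the password survives the lossy step (the rest is '?')."""
    return [i for i, c in enumerate(password) if ord(c) >= 0x80]


if __name__ == "__main__":
    a, b = "pässwörd", "pàsswôrd"          # differ only in non-ASCII chars
    print("correct hashes differ:", hash_correct(a) != hash_correct(b))
    print("broken hashes collide:", collide_under_broken_scheme(a, b))
    print("ASCII equivalent of", a, "is", ascii_equivalent(a))
    print("characters lost at positions:", non_ascii_positions(a))
```

The point for anyone maintaining a password store is that the two hashing paths are indistinguishable on all-ASCII input, so the weakness only shows up when an audit deliberately feeds non-ASCII passwords through both paths and compares the results, as the script does.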
