|
Date: Wed, 19 Sep 2012 01:22:56 +0200 From: magnum <john.magnum@...hmail.com> To: john-dev@...ts.openwall.com Subject: Re: Static analysis of John using Coverity On 19 Sep, 2012, at 1:03 , Solar Designer <solar@...nwall.com> wrote: > On Wed, Sep 19, 2012 at 01:15:37AM +0400, Alexander Cherepanov wrote: >> On 2012-09-17 01:23, Alexander Cherepanov wrote: >>> And I suspect that every format with trivial valid() -- there are >>> ~40-50 of them -- have buffer overflows in get_salt and/or similar >>> functions. You don't need a code analyzer to find them. >> >> To have something for a start here are crashers for 36 formats: > ... > > Thank you! > > Can we try to quickly fix the subset of these that are in the fixes > branch? Like today? I very much doubt it is a good idea to include such fixes in Jumbo-7, the risk of introducing worse bugs (like silently rejecting some valid hashes) is significant. Also, all (or nearly all) the mentioned formats use input files produced with *2john tools. The risk of bad input is low. But I agree they should eventually be made more rigid. magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.