[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Sep 2012 01:22:56 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Static analysis of John using Coverity
On 19 Sep, 2012, at 1:03 , Solar Designer <solar@...nwall.com> wrote:
> On Wed, Sep 19, 2012 at 01:15:37AM +0400, Alexander Cherepanov wrote:
>> On 2012-09-17 01:23, Alexander Cherepanov wrote:
>>> And I suspect that every format with trivial valid() -- there are
>>> ~40-50 of them -- have buffer overflows in get_salt and/or similar
>>> functions. You don't need a code analyzer to find them.
>>
>> To have something for a start here are crashers for 36 formats:
> ...
>
> Thank you!
>
> Can we try to quickly fix the subset of these that are in the fixes
> branch? Like today?
I very much doubt it is a good idea to include such fixes in Jumbo-7, the risk of introducing worse bugs (like silently rejecting some valid hashes) is significant. Also, all (or nearly all) the mentioned formats use input files produced with *2john tools. The risk of bad input is low.
But I agree they should eventually be made more rigid.
magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
