Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 01 Oct 2012 04:15:07 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: Static analysis of John using Coverity

On 2012-09-19 03:22, magnum wrote:
> Also, all (or nearly all) the mentioned formats use input files produced with *2john tools. The risk of bad input is low.

Unfortunately most *2john tools either happily pass bad input through
them or crash themselves or both. Examples are in my previous mail.

It doesn't mean that everything have to be fixed in one day but thinking
that 2john tools somehow guard john is just wrong. Some of these tools
are a problem on their own.

And the need to fix many formats poses interesting questions. Maybe more
high-level function will be useful? There is base64.[ch], what about
unhex? And such functions have to do sanity checks (like checking that
inlen%4==0 in case of base64 or don't assume it).

Or maybe generate valid()'s from some regexes by perl?..

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ