Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 14 May 2013 16:19:05 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: Yet more crashes

On 2013-04-29 04:12, magnum wrote:
> I am not going to fix RAR. It is supposed to read input files created by rar2john and it does a bunch of sanity checks.

As we have seen the fact that something is output by *2john is no 
guarantee that it cannot crash john. Many *2john's happily work on the 
principle "garbage in, garbage out".
Didn't check it specifically for rar2john though.

> The input format is so complex it would be nearly impossible to become immune against a hacked up input line.

The first thing I see when I open rar_fmt.c is that "This code is based 
on the work of Alexander L. Roshal (C)". So I don't want even to look 
further. The faster we get rid of it the better.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.