Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 May 2013 16:19:05 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: Yet more crashes

On 2013-04-29 04:12, magnum wrote:
> I am not going to fix RAR. It is supposed to read input files created by rar2john and it does a bunch of sanity checks.

As we have seen the fact that something is output by *2john is no 
guarantee that it cannot crash john. Many *2john's happily work on the 
principle "garbage in, garbage out".
Didn't check it specifically for rar2john though.

> The input format is so complex it would be nearly impossible to become immune against a hacked up input line.

The first thing I see when I open rar_fmt.c is that "This code is based 
on the work of Alexander L. Roshal (C)". So I don't want even to look 
further. The faster we get rid of it the better.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ