Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Sat, 31 Mar 2007 21:11:52 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: New MSCASH patch

On Fri, Mar 30, 2007 at 05:27:38PM -0800, Alain Espinosa wrote:
> I think that i forget to put the FMT_SPLIT_UNIFIES_CASE flag.
> Please put it for me.

I've added FMT_SPLIT_UNIFIES_CASE, increased the out[] buffer size in
ms_split(), and added some bounds checking to ms_split() and valid().
I think that you had a buffer overflow there for usernames of longer
than 5 characters.  I'm not sure what the maximum username length is;
I've used 32.  I did not test this other than with "--test".

Revision 4.1 with the above changes is in contrib/ and is linked from
the web page.

Thanks,

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ