Date: Mon, 20 Jun 2011 14:56:28 +0000
From: The Fungi <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

On Mon, Jun 20, 2011 at 06:05:54PM +0400, Solar Designer wrote:
[...]
> Does anyone need this? Or do we just assume that passwords with
> non-ASCII characters are uncommon enough that we can bite the
> bullet (of fixing the bug) without providing any backwards
> compatibility workaround?
[...]

Would it make sense to include transitional compatibility calls
which preserve the original behavior? Then applications using the
library can be adjusted to fall back on the buggy version if the
supplied data has 8-bit characters and the corrected calls don't
result in a match. This would allow tools to regenerate and replace
non-conforming hashes if they were the result of this bug, and might
make it easier to audit existing lists for them as well.
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@...goth.org); FINGER(fungi@...goth.org);
MUD(kinrui@...arsis.mudpy.org:6669); IRC(fungi@....yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }
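An added illustration of the fallback Jeremy describes, written for this page rather than taken from crypt_blowfish or the thread. It assumes the 8-bit mishandling is the sign-extension of a signed `char` key byte as bcrypt's key schedule packs bytes into 32-bit words, and uses the packed words themselves as a stand-in for the stored hash (the real cost loop is omitted): the corrected variant is tried first, the legacy variant only when the password carries 8-bit bytes, and a legacy match hands back a corrected hash to store in place of the old one.

```c
#include <stdint.h>
#include <string.h>

/* Pack the NUL-terminated key into the 18 words bcrypt's key schedule
 * consumes, cycling through it (the NUL is packed, then wrap). Legacy:
 * the byte is ORed in as a signed char, so a byte >= 0x80 sign-extends
 * to 0xFFFFFFxx and clobbers the bytes already packed into that word.
 * Fixed: unsigned char. ASCII-only keys pack identically either way. */
static void pack_key(const char *key, uint32_t out[18], int legacy)
{
    const char *p = key;
    for (int i = 0; i < 18; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            tmp |= legacy ? (uint32_t)(signed char)*p : (uint32_t)(unsigned char)*p;
            p = *p ? p + 1 : key;
        }
        out[i] = tmp;
    }
}

/* Stand-in for the stored hash: the packed words themselves (real code
 * would run the bcrypt cost loop on them); enough to show the flow. */
typedef struct { uint32_t w[18]; } stored_hash;

static int has_8bit(const char *s)
{
    for (; *s; s++) if ((unsigned char)*s & 0x80) return 1;
    return 0;
}

enum verify_result { NO_MATCH = 0, MATCH_FIXED = 1, MATCH_LEGACY = 2 };

/* Corrected hash first; the legacy variant only for 8-bit input. On a
 * legacy match *rehashed gets the corrected hash to store instead. */
static enum verify_result verify_with_fallback(const char *pw,
        const stored_hash *stored, stored_hash *rehashed)
{
    stored_hash fixed, legacy;
    pack_key(pw, fixed.w, 0);
    if (memcmp(&fixed, stored, sizeof fixed) == 0) return MATCH_FIXED;
    if (!has_8bit(pw)) return NO_MATCH;
    pack_key(pw, legacy.w, 1);
    if (memcmp(&legacy, stored, sizeof legacy) != 0) return NO_MATCH;
    *rehashed = fixed;
    return MATCH_LEGACY;
}
```

A real deployment would call the library's corrected and legacy hashing entry points where `pack_key(..., 0)` and `pack_key(..., 1)` appear; the MATCH_LEGACY path is where the stored hash gets regenerated.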
