Date: Mon, 20 Jun 2011 14:56:28 +0000
From: The Fungi <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

On Mon, Jun 20, 2011 at 06:05:54PM +0400, Solar Designer wrote:
[...]
> Does anyone need this? Or do we just assume that passwords with
> non-ASCII characters are uncommon enough that we can bite the
> bullet (of fixing the bug) without providing any backwards
> compatibility workaround?
[...]

Would it make sense to include transitional compatibility calls
which preserve the original behavior? Then applications using the
library can be adjusted to fall back on the buggy version if the
supplied data has 8-bit characters and the corrected calls don't
result in a match. This would allow tools to regenerate and replace
non-conforming hashes if they were the result of this bug, and might
make it easier to audit existing lists for them as well.
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@...goth.org); FINGER(fungi@...goth.org);
MUD(kinrui@...arsis.mudpy.org:6669); IRC(fungi@....yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }
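The transitional scheme proposed above, worked through as an added example (this is not code from crypt_blowfish, and not code posted by anyone in the thread). The key-loading loop follows the shape of crypt_blowfish's BF_set_key, where the bug was that each password byte was OR'ed into the 32-bit key word as a plain (signed) char, so a byte of 0x80 or above sign-extended to 0xFFFFFFxx and wiped the bytes already shifted into that word; the fix is to OR it in as unsigned char. To keep the example self-contained, the "stored hash" is a stand-in: it is just the 18 loaded key words rather than a real bcrypt output (bcrypt depends on the password only through these words, so for a fixed salt and cost equal words give an equal hash; a real implementation would compare the actual hash strings). The names verify_with_fallback, demo_hash and has_8bit_chars, and the sample passwords, are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16
typedef uint32_t BF_word;
typedef BF_word BF_key[BF_N + 2];

/*
 * Load the NUL-terminated password into the 18 32-bit words that seed the
 * Blowfish P-array, cycling through the key (including its terminating NUL)
 * the way crypt_blowfish's BF_set_key does.  With sign_extension_bug set,
 * each byte is OR'ed in as a signed char, reproducing the original
 * behaviour: a byte >= 0x80 becomes 0xFFFFFFxx and clobbers the bytes
 * already shifted into the word.
 */
static void load_key_words(const char *key, BF_key out, int sign_extension_bug)
{
    const char *ptr = key;
    for (int i = 0; i < BF_N + 2; i++) {
        BF_word tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extension_bug)
                tmp |= (BF_word)(signed char)*ptr;   /* buggy: sign-extends */
            else
                tmp |= (unsigned char)*ptr;          /* corrected */
            if (!*ptr) ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* First loaded key word, to show the corruption on a single word. */
BF_word first_key_word(const char *key, int sign_extension_bug)
{
    BF_key k;
    load_key_words(key, k, sign_extension_bug);
    return k[0];
}

/* Only passwords containing bytes >= 0x80 are affected by the bug. */
int has_8bit_chars(const char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s & 0x80)
            return 1;
    return 0;
}

/* Stand-in for a stored hash: the loaded key words (see lead-in). */
typedef struct { BF_key words; } demo_hash;

void demo_hash_password(const char *pw, demo_hash *h, int legacy)
{
    load_key_words(pw, h->words, legacy);
}

enum verify_result { NO_MATCH = 0, MATCH_CURRENT = 1, MATCH_LEGACY_REHASH = 2 };

/*
 * Transitional check: try the corrected code first; only if that fails and
 * the password actually contains 8-bit characters, fall back to the legacy
 * behaviour.  A legacy match is reported distinctly so the caller can
 * regenerate the stored hash with the corrected code.
 */
enum verify_result verify_with_fallback(const char *pw, const demo_hash *stored)
{
    BF_key k;
    load_key_words(pw, k, 0);
    if (memcmp(k, stored->words, sizeof(BF_key)) == 0)
        return MATCH_CURRENT;
    if (!has_8bit_chars(pw))
        return NO_MATCH;            /* the bug cannot be the cause */
    load_key_words(pw, k, 1);
    if (memcmp(k, stored->words, sizeof(BF_key)) == 0)
        return MATCH_LEGACY_REHASH;
    return NO_MATCH;
}

int main(void)
{
    const char *pw = "caf\xE9";               /* constructed: Latin-1 "cafe" with e-acute */
    demo_hash stored;
    demo_hash_password(pw, &stored, 1);       /* hash produced by the buggy version */

    if (verify_with_fallback(pw, &stored) == MATCH_LEGACY_REHASH) {
        printf("legacy match: regenerating hash with corrected code\n");
        demo_hash_password(pw, &stored, 0);
    }
    printf("second check: %d (1 = matches corrected hash)\n",
           verify_with_fallback(pw, &stored));
    printf("word0 correct=%08x buggy=%08x\n",
           first_key_word("A\xE9", 0), first_key_word("A\xE9", 1));
    return 0;
}
```

The fallback is only attempted when the password contains an 8-bit byte, so pure-ASCII logins never exercise the legacy path, and an audit of an existing hash list can use the same distinction: entries that verify only through the legacy call are the ones that need regenerating.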
