Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jun 2011 12:09:16 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>
Subject: Re: CVE request: crypt_blowfish 8-bit character
 mishandling

* [2011-06-21 21:55:26 +0400] Solar Designer wrote:

>On Tue, Jun 21, 2011 at 10:50:18AM -0600, Vincent Danen wrote:
>> So Crypt::Eksblowfish uses the same code but wasn't affected?  Do we
>> know why that is?
>
>It is based on the same code, but the author made changes when merging
>the code.  Specifically, he switched to using "unsigned char *".
>
>> I can't promise I will have time to look at it, but I will try if I can
>> find the time.
>
>Thanks!

Ok, so taking a quick look at php-suhosin, we have:

...
  61 typedef unsigned int BF_word;
...
558     BF_word tmp;
559 
560     for (i = 0; i < BF_N + 2; i++) {
561         tmp = 0;
562         for (j = 0; j < 4; j++) {
563             tmp <<= 8;
564             tmp |= *ptr;

I'm assuming the above means it is vulnerable (unsigned int vs unsigned
char).

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ