Date: Tue, 21 Jun 2011 13:22:15 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>
Subject: Re: CVE request: crypt_blowfish 8-bit character
 mishandling

* [2011-06-21 22:15:25 +0400] Solar Designer wrote:

>On Tue, Jun 21, 2011 at 12:09:16PM -0600, Vincent Danen wrote:
>> Ok, so taking a quick look at php-suhosin, we have:
>>
>> ...
>>  61 typedef unsigned int BF_word;
>> ...
>> 558     BF_word tmp;
>> 559
>> 560     for (i = 0; i < BF_N + 2; i++) {
>> 561         tmp = 0;
>> 562         for (j = 0; j < 4; j++) {
>> 563             tmp <<= 8;
>> 564             tmp |= *ptr;
>>
>> I'm assuming the above means it is vulnerable (unsigned int vs unsigned
>> char).
>
>No, we can't conclude anything from just the excerpt you quoted above.
>If *ptr is signed char, then we have the bug.  If it's unsigned char,
>then we don't.  If it's just char, which it was in my original code,
>then we have the bug on most platforms, but not on those few where char
>defaults to unsigned.  Or rather, the bug is mitigated on those.

So should have included this:

556     __CONST char *ptr = key; 

-- 
Vincent Danen / Red Hat Security Response Team 
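
Added example, not part of the original message and not code from crypt_blowfish or php-suhosin: the quoted inner loop reduced to packing one 4-byte word, once reading the key through `signed char` and once through `unsigned char`. The names `pack_signed`, `pack_unsigned`, `KEY_A` and `KEY_B` are hypothetical, the keys are constructed, and a 32-bit `unsigned int` is assumed.

```c
#include <stdio.h>

typedef unsigned int BF_word;            /* as in the quoted excerpt */

/* Constructed sample keys: same last two bytes, different first two. */
static const char KEY_A[4] = { 'a', 'b', (char)0xA3, 'd' };
static const char KEY_B[4] = { 'x', 'y', (char)0xA3, 'd' };

/* The quoted inner loop with *ptr read as signed char, which is what
 * plain char is on most platforms. */
BF_word pack_signed(const char *key)
{
    const signed char *ptr = (const signed char *)key;
    BF_word tmp = 0;
    int j;

    for (j = 0; j < 4; j++) {
        tmp <<= 8;
        tmp |= *ptr++;   /* 0xA3 is promoted to int -93, i.e. 0xFFFFFFA3 */
    }
    return tmp;
}

/* Same loop with the byte read as unsigned char: no sign extension. */
BF_word pack_unsigned(const char *key)
{
    const unsigned char *ptr = (const unsigned char *)key;
    BF_word tmp = 0;
    int j;

    for (j = 0; j < 4; j++) {
        tmp <<= 8;
        tmp |= *ptr++;   /* 0xA3 stays 0x000000A3 */
    }
    return tmp;
}

int main(void)
{
    printf("signed   A=%08X B=%08X\n", pack_signed(KEY_A), pack_signed(KEY_B));
    printf("unsigned A=%08X B=%08X\n", pack_unsigned(KEY_A), pack_unsigned(KEY_B));
    return 0;
}
```

With the signed read, the sign-extension bits overwrite the bytes already shifted into the word, so both keys pack to the same value; with the unsigned read they stay distinct.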
