Date: Tue, 21 Jun 2011 10:50:18 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>, Pierre Joye <pierre.php@...il.com>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

* [2011-06-21 20:18:50 +0400] Solar Designer wrote:

>On Tue, Jun 21, 2011 at 09:56:23AM -0600, Vincent Danen wrote:
>> PostgreSQL is affected as well (the pgcrypto module):
>>
>> % head crypt-blowfish.c
>> /*
>>  * $PostgreSQL: pgsql/contrib/pgcrypto/crypt-blowfish.c,v 1.14 2009/06/11 14:48:52 momjian Exp $
>
>We need to actually review and/or test this revision of the code before
>we conclusively say that it's affected.  Maybe you did that already?
>
>So far, there's one example where a revision of the code turned out to
>be unaffected - Crypt::Eksblowfish in CPAN.  In fact, this is what has
>resulted in discovery of the bug (even though it was fixed in
>Crypt::Eksblowfish during its initial integration of the code in 2007).

Ahhh... ok.  I only did a code review, I didn't test the actual
functionality to make that determination.

So Crypt::Eksblowfish uses the same code but wasn't affected?  Do we
know why that is?

>> php-suhosin also contains the same code.
>
>Yes.  These two are listed at http://www.openwall.com/crypt/
>
>We need to go over those listed on that page and then also search the
>web for possible other users of the code.  Then try to figure out which
>are actually affected (probably most of them are) and notify the
>maintainers.  For now, my focus is to push crypt_blowfish 1.1 out, but I
>do need to include a few sentences on roughly what software is affected
>in my announcement.  I'd appreciate any help with those reviews/testing.

I can't promise I will have time to look at it, but I will try if I can
find the time.

-- 
Vincent Danen / Red Hat Security Response Team 
