Date: Tue, 21 Jun 2011 21:55:26 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>, Pierre Joye <pierre.php@...il.com>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

On Tue, Jun 21, 2011 at 10:50:18AM -0600, Vincent Danen wrote:
> So Crypt::Eksblowfish uses the same code but wasn't affected?  Do we
> know why that is?

It is based on the same code, but the author made changes when merging
the code.  Specifically, he switched to using "unsigned char *".

> I can't promise I will have time to look at it, but I will try if I can
> find the time.

Thanks!

Meanwhile, I've released crypt_blowfish 1.1 with the fixes I had
mentioned in here.

http://www.openwall.com/crypt/

Alexander
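
The effect of the pointer type mentioned above, shown as an added example (not part of the original message and not the crypt_blowfish source). It is a simplified Blowfish-style key packing loop; `pack_word`, `first_word_signed`, `first_word_unsigned` and `first_word_differs` are hypothetical names, and the sample keys are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: pack the first four key bytes (cycling over the
 * key, NUL terminator included) into one 32-bit word, the way a
 * Blowfish-style key setup consumes a password. */
static uint32_t pack_word(const char *key, int sign_extend)
{
    size_t len = strlen(key) + 1;   /* terminator is part of the cycle */
    uint32_t w = 0;
    for (size_t i = 0; i < 4; i++) {
        char c = key[i % len];
        w <<= 8;
        if (sign_extend)
            /* Byte read as signed: 0x80..0xFF widens to 0xFFFFFF80..0xFFFFFFFF,
             * so the OR overwrites the bytes already shifted into w. */
            w |= (uint32_t)(int32_t)(signed char)c;
        else
            /* Byte read as unsigned: only the low 8 bits are set. */
            w |= (uint32_t)(unsigned char)c;
    }
    return w;
}

uint32_t first_word_signed(const char *key)   { return pack_word(key, 1); }
uint32_t first_word_unsigned(const char *key) { return pack_word(key, 0); }

/* Returns 1 when the two readings disagree on the first packed word. */
int first_word_differs(const char *key)
{
    return first_word_signed(key) != first_word_unsigned(key);
}

int main(void)
{
    const char *keys[] = { "abc", "ab\xa3", "xy\xa3" };   /* constructed samples */
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("key %zu: signed=%08x unsigned=%08x differs=%d\n", i,
               (unsigned)first_word_signed(keys[i]),
               (unsigned)first_word_unsigned(keys[i]),
               first_word_differs(keys[i]));
    return 0;
}
```

Pure 7-bit ASCII keys pack identically either way, which is why only keys containing 8-bit characters are affected.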
