Date: Fri, 30 Mar 2012 22:17:25 +0400
From: Solar Designer <>
Cc: Jeff Law <>
Subject: Re: glibc crypt(3), crypt_r(3), PHP crypt() may use alloca()

Tomas - thank you for notifying oss-security of this.
Jeff - thank you for working on a fix.

On Fri, Mar 30, 2012 at 07:56:39PM +0200, Tomas Hoger wrote:
> FYI, a fix just got committed upstream,

Wow.  I thought we'd need to notify glibc developers more specifically
for this to happen, which I did not do yet for lack of decision on what
to do with the return value.

> which makes glibc use malloc
> instead of alloca for long inputs and hence possibly make crypt() return
> NULL on errors:
> Upstream discussion:

I think the NULL returns are a bad idea, and this aspect doesn't appear
to have been discussed.  We may want to check if there were other cases
where glibc's crypt() could return NULL, then propose a separate patch
on libc-alpha.  So far, the "*0" / "*1" approach appears to be best:
