Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 29 Dec 2012 22:39:20 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: New self-test for maximum length (was: Formats dmg,
 encfs and strip crash on longer passwords)

On Sat, Dec 29, 2012 at 10:23 PM, magnum <john.magnum@...hmail.com> wrote:
> I just threw this in with devastating results:
>
> commit f49d2c56531de71da2a03c0e28c8bc939cce376b
> Author: magnum <john.magnum@...hmail.com>
> Date:   Sat Dec 29 17:25:46 2012 +0100
>
>     formats.c: Add a self-test that puts maximum length candidates in all
>     buffer positions and then read them back to verify. This finds incorrect
>     claims of PLAINTEXT_SIZE as well as most kinds of key buffer over-runs.
>     It found 15 problematic formats right away.
>
> I have no idea why I did not get the idea long ago. Unlike the "valid() killer" test that is only active with -DDEBUG, this one doesn't seem prone to segfault so it's always active. This is the current results on my 64-bit machine:
> 15 out of 198 tests have FAILED

Surprisingly most of my formats passed. I got scared when I did a "git
pull" and saw the commit message.

> All these are probably real bugs. As you can see, some formats do not get any error within the new test but later - this indicates worse problems than just fence post errors.
>
> I will start looking into raw-md4 and sapB (because they might be my fault). Any other volunteers please post here before starting to debug a format, so we avoid double work.

I am picking IKE, RAdmin and TrueCrypt.

-- 
Cheers,
Dhiru

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.