Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Sep 2015 10:57:23 -0500
From: JimF <>
Subject: Re: auditing our use of FMT_* flags

On 9/8/2015 10:42 AM, Kai Zhao wrote:
> Since JimF has add the flag for MediaWiki, PHPS and PHPS2, I think I 
> should add these formats to whitelist. Maybe also includes 
> dynamic=md5($p). Should I ? 

Is the @dynamic@ also a problem format. It should NOT be white listed. 
The way that dynamic was written, ANY hash that uses hex for the hash 
string will automatically get that bit set within the call to init()   
The bug comes (as I have been made aware), of usage of the 'minimal' 
format structure prior to the time that init() is called.

Thus, if you are seeing any dynamic hashes that trip this issue, then 
they are buggy and need fixed.  When you find these, please make sure to 
cc me personally about the problems, thank you.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.