oss-security - Re: CVE request: crypt_blowfish 8-bit character mishandling

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 21 Jun 2011 12:09:16 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>
Subject: Re: CVE request: crypt_blowfish 8-bit character
 mishandling

* [2011-06-21 21:55:26 +0400] Solar Designer wrote:

>On Tue, Jun 21, 2011 at 10:50:18AM -0600, Vincent Danen wrote:
>> So Crypt::Eksblowfish uses the same code but wasn't affected?  Do we
>> know why that is?
>
>It is based on the same code, but the author made changes when merging
>the code.  Specifically, he switched to using "unsigned char *".
>
>> I can't promise I will have time to look at it, but I will try if I can
>> find the time.
>
>Thanks!

Ok, so taking a quick look at php-suhosin, we have:

...
  61 typedef unsigned int BF_word;
...
558     BF_word tmp;
559 
560     for (i = 0; i < BF_N + 2; i++) {
561         tmp = 0;
562         for (j = 0; j < 4; j++) {
563             tmp <<= 8;
564             tmp |= *ptr;

I'm assuming the above means it is vulnerable (unsigned int vs unsigned
char).

-- 
Vincent Danen / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.