[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jun 2011 22:15:25 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling
On Tue, Jun 21, 2011 at 12:09:16PM -0600, Vincent Danen wrote:
> Ok, so taking a quick look at php-suhosin, we have:
>
> ...
> 61 typedef unsigned int BF_word;
> ...
> 558 BF_word tmp;
> 559
> 560 for (i = 0; i < BF_N + 2; i++) {
> 561 tmp = 0;
> 562 for (j = 0; j < 4; j++) {
> 563 tmp <<= 8;
> 564 tmp |= *ptr;
>
> I'm assuming the above means it is vulnerable (unsigned int vs unsigned
> char).
No, we can't conclude anything from just the excerpt you quoted above.
If *ptr is signed char, then we have the bug. If it's unsigned char,
then we don't. If it's just char, which it was in my original code,
then we have the bug on most platforms, but not on those few where char
defaults to unsigned. Or rather, the bug is mitigated on those.
Alexander
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
