Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jun 2011 13:22:15 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: magnum <rawsmooth@...dband.net>
Subject: Re: CVE request: crypt_blowfish 8-bit character
 mishandling

* [2011-06-21 22:15:25 +0400] Solar Designer wrote:

>On Tue, Jun 21, 2011 at 12:09:16PM -0600, Vincent Danen wrote:
>> Ok, so taking a quick look at php-suhosin, we have:
>>
>> ...
>>  61 typedef unsigned int BF_word;
>> ...
>> 558     BF_word tmp;
>> 559
>> 560     for (i = 0; i < BF_N + 2; i++) {
>> 561         tmp = 0;
>> 562         for (j = 0; j < 4; j++) {
>> 563             tmp <<= 8;
>> 564             tmp |= *ptr;
>>
>> I'm assuming the above means it is vulnerable (unsigned int vs unsigned
>> char).
>
>No, we can't conclude anything from just the excerpt you quoted above.
>If *ptr is signed char, then we have the bug.  If it's unsigned char,
>then we don't.  If it's just char, which it was in my original code,
>then we have the bug on most platforms, but not on those few where char
>defaults to unsigned.  Or rather, the bug is mitigated on those.

So should have included this:

556     __CONST char *ptr = key; 

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.