Date: Thu, 7 Jul 2011 10:05:07 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, Michael Matz <matz@...e.de>,
	Thorsten Kukuk <kukuk@...e.de>, Andreas Jaeger <aj@...e.de>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

Solar Designer wrote:
> Here's my current code, with lots of comments - more comments than code,
> actually, because the code is very compact:

mkpasswd (package whois) checks whether the crypted password starts
with the originally requested prefix. Since crypt_gensalt now
returns $2y for $2a, mkpasswd fails. I'm not claiming mkpasswd's
assumption on the behavior of crypt_gensalt is correct, but it's not
documented whether crypt_gensalt may change the prefix.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
