Date: Thu, 7 Jul 2011 10:05:07 +0200 From: Ludwig Nussel <ludwig.nussel@...e.de> To: oss-security@...ts.openwall.com Cc: Solar Designer <solar@...nwall.com>, Michael Matz <matz@...e.de>, Thorsten Kukuk <kukuk@...e.de>, Andreas Jaeger <aj@...e.de> Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer wrote: > Here's my current code, with lots of comments - more comments than code, > actually, because the code is very compact: mkpasswd (package whois) checks whether the crypted password starts with the originally requested prefix. Since crypt_gensalt now returns $2y for $2a mkpasswd fails. I'm not claiming mkpasswd's assumption on the behavior of crypt_gensalt is correct but it's not documented whether crypt_gensalt may change the prefix. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.