oss-sec mailing list archives

Re: CVE request: crypt_blowfish 8-bit character mishandling

From: Vincent Danen <vdanen () redhat com>
Date: Tue, 21 Jun 2011 09:56:23 -0600

* [2011-06-20 09:01:11 +0400] Solar Designer wrote:

[...]

As to what's affected besides crypt_blowfish itself, I expect it to be
PHP (the code in php-5.3.7RC1 looks affected), Linux distros that use
crypt_blowfish (Owl, ALT Linux, SUSE), and some others (I'll try to
identify them and notify the maintainers).


PostgreSQL is affected as well (the pgcrypto module):

% head crypt-blowfish.c/*

 * $PostgreSQL: pgsql/contrib/pgcrypto/crypt-blowfish.c,v 1.14 2009/06/11 14:48:52 momjian Exp $
 *
 * This code comes from John the Ripper password cracker, with reentrant
 * and crypt(3) interfaces added, but optimizations specific to password
 * cracking removed.

php-suhosin also contains the same code.

--

Vincent Danen / Red Hat Security Response Team

Current thread:

Re: CVE request: crypt_blowfish 8-bit character mishandling, (continued)
- - - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 22)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 23)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 23)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 27)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 27)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 28)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 29)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
  - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
    - Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Djalal Harouni (Jun 24)