oss-sec mailing list archives
Re: CVE request: WordPress 3.5.1 denial of service vulnerability
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Thu, 13 Jun 2013 00:05:14 +0400
On 2013-06-12 17:11, Solar Designer wrote:
> Arguably, library code should reject the most insane parameter values. For example, musl libc - http://www.musl-libc.org - version 0.9.10 rejects bcrypt's log2(cost) > 19 and limits SHA-crypt's rounds count to < 10M for this reason (original SHA-crypt limits to < 1 billion).
On a related note: shouldn't John the Ripper also reject hashes with insane run-time or memory cost parameters?
-- Alexander Cherepanov
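
The kind of pre-hashing check discussed in this message, as an added example that is not part of the original post and is not code from musl or John the Ripper. The name `check_crypt_cost` and the verdict values are hypothetical; the limits are the ones quoted above, and rejecting (rather than clamping) an over-limit SHA-crypt round count is an assumption of this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits quoted in the message above for musl 0.9.10. */
#define BCRYPT_LOG2_COST_MAX 19u
#define SHACRYPT_ROUNDS_MAX  9999999ul   /* "< 10M" */

enum cost_verdict { COST_OK, COST_TOO_HIGH, COST_MALFORMED, COST_UNKNOWN_SCHEME };

/* Hypothetical helper: inspect a crypt(3) setting/hash string before hashing. */
enum cost_verdict check_crypt_cost(const char *s)
{
    /* bcrypt: "$2a$NN$..." (also $2b$, $2x$, $2y$); NN = log2(cost), two digits */
    if (s[0] == '$' && s[1] == '2' && s[2] && strchr("abxy", s[2]) && s[3] == '$') {
        if (!isdigit((unsigned char)s[4]) || !isdigit((unsigned char)s[5]) || s[6] != '$')
            return COST_MALFORMED;
        unsigned log2cost = (unsigned)(s[4] - '0') * 10 + (unsigned)(s[5] - '0');
        return log2cost > BCRYPT_LOG2_COST_MAX ? COST_TOO_HIGH : COST_OK;
    }
    /* SHA-crypt: "$5$" or "$6$", optionally followed by "rounds=N$" */
    if (s[0] == '$' && (s[1] == '5' || s[1] == '6') && s[2] == '$') {
        const char *p = s + 3;
        if (strncmp(p, "rounds=", 7) != 0)
            return COST_OK;               /* no explicit count: default applies */
        p += 7;
        if (!isdigit((unsigned char)*p))
            return COST_MALFORMED;        /* strtoul would accept a sign or spaces */
        char *end;
        errno = 0;
        unsigned long rounds = strtoul(p, &end, 10);
        if (*end != '$')
            return COST_MALFORMED;
        if (errno == ERANGE || rounds > SHACRYPT_ROUNDS_MAX)
            return COST_TOO_HIGH;         /* includes values that overflow */
        return COST_OK;
    }
    return COST_UNKNOWN_SCHEME;           /* caller decides the policy here */
}

int main(void)
{
    /* Constructed setting strings, not taken from any real system. */
    const char *t[] = {"$2a$10$", "$2a$31$", "$6$rounds=5000$", "$6$rounds=999999999$"};
    for (size_t i = 0; i < sizeof t / sizeof *t; i++)
        printf("%-24s -> %d\n", t[i], (int)check_crypt_cost(t[i]));
    return 0;
}
```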