oss-sec mailing list archives
Re: openwall phpass fallback mode
From: Solar Designer <solar () openwall com>
Date: Mon, 11 May 2015 13:31:31 +0300
Hi Kash, On Sat, May 09, 2015 at 11:40:03PM -0400, Kash Pande wrote:
http://www.openwall.com/phpass/ This library has an unfortunate consequence when using it in multiple environments without strong consistent access to one crypto method.. it will fall back to weaker methods, which breaks the expectations of security.. Fallback have been assigned CVE here before. As well, it is an openwall release. I may be wrong and it could already be assigned one, but I don't see it.
I expect MITRE will decide on your CVE request, but meanwhile: what is the purpose of your request? Is it e.g. one or more of the below? - 1. Trying to propose/influence a change for phpass. If so, what change? 2. Having a CVE ID to list e.g. in an advisory for some piece of software where you or someone else has somehow "fixed" "the issue". If so, what software and what's the fix? 3. Testing just how far CVEs can go, and whether/where the slippery slope stops? (Is there a CVE for "the world is not perfect" yet?) 4. Testing just how far CVEs can go as it relates specifically to fallbacks? (Where are the CVE IDs for autoconf, and also for all individual autoconf'ed apps? This actually makes some sense.) 5. Refining the criteria for which fallbacks are CVE worthy vs. not. 6. Getting this one CVE ID assigned for the sake of having one CVE ID, and not making any use of it nor influencing anything further (thus, having phpass with a CVE ID assigned and "the issue" not "fixed"). I am primarily interested in aspect #1 above - possible changes to the actual code - rather than the CVE specifics. Thanks, Alexander
Current thread:
- openwall phpass fallback mode Kash Pande (May 09)
- Re: openwall phpass fallback mode Solar Designer (May 11)