oss-sec mailing list archives

Re: CVE request: crypt_blowfish 8-bit character mishandling


From: The Fungi <fungi () yuggoth org>
Date: Mon, 20 Jun 2011 14:56:28 +0000

On Mon, Jun 20, 2011 at 06:05:54PM +0400, Solar Designer wrote:
[...]
Does anyone need this? Or do we just assume that passwords with
non-ASCII characters are uncommon enough that we can bite the
bullet (of fixing the bug) without providing any backwards
compatibility workaround?
[...]

Would it make sense to include transitional compatibility calls
which preserve the original behavior? Then applications using the
library can be adjusted to fall back on the buggy version if the
supplied data has 8-bit characters and the corrected calls don't
result in a match. This would allow tools to regenerate and replace
non-conforming hashes if they were the result of this bug, and might
make it easier to audit existing lists for them as well.
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi () yuggoth org); FINGER(fungi () yuggoth org);
MUD(kinrui () katarsis mudpy org:6669); IRC(fungi () irc yuggoth org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }
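The fallback-and-regenerate flow proposed above, as an added example that is not part of the thread and not crypt_blowfish code. It uses a toy PBKDF2-based hash as a stand-in for the library; the "legacy" variant's mangling of bytes >= 0x80 (sign-extending each into two bytes) is a hypothetical model chosen for illustration, not the library's actual defect. The names `hash_fixed`, `hash_legacy`, `verify_transitional` and `classify` are all assumptions of this example. Both variants emit the same hash format, so, as with the real library, a stored hash does not reveal on its own which behaviour produced it; that is why the fallback is only tried for 8-bit input and only after the corrected call fails.

```python
import hashlib
import hmac
import os

# Toy stand-in for a password-hashing library, written for this example.
# It is NOT crypt_blowfish and does not reproduce its actual defect; the
# "legacy" variant merely models an implementation that mangles bytes
# >= 0x80 before key setup, while the "fixed" variant uses them as-is.
# Both variants write the same hash format, so a stored hash alone does
# not reveal which variant produced it.

ROUNDS = 1000  # toy work factor; a real library would use far more


def has_8bit(password: bytes) -> bool:
    """True if the password contains any byte with the high bit set."""
    return any(b >= 0x80 for b in password)


def _legacy_key(password: bytes) -> bytes:
    # Hypothetical mishandling (assumed for this example): every high-bit
    # byte is sign-extended to two bytes (0xFF, b). ASCII-only passwords
    # are unaffected, which is why the fallback is only tried for 8-bit input.
    out = bytearray()
    for b in password:
        if b >= 0x80:
            out.append(0xFF)
        out.append(b)
    return bytes(out)


def _digest(key: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", key, salt, ROUNDS).hex()


def hash_fixed(password: bytes, salt: bytes = None) -> str:
    """The corrected call."""
    salt = salt if salt is not None else os.urandom(16)
    return "$toy$%s$%s" % (salt.hex(), _digest(password, salt))


def hash_legacy(password: bytes, salt: bytes = None) -> str:
    """The transitional compatibility call: preserves the old behaviour."""
    salt = salt if salt is not None else os.urandom(16)
    return "$toy$%s$%s" % (salt.hex(), _digest(_legacy_key(password), salt))


def _matches(stored: str, password: bytes, legacy: bool) -> bool:
    _, tag, salt_hex, digest_hex = stored.split("$")
    if tag != "toy":
        return False
    key = _legacy_key(password) if legacy else password
    return hmac.compare_digest(_digest(key, bytes.fromhex(salt_hex)), digest_hex)


def verify_transitional(stored: str, password: bytes):
    """Check a password the way a transitioning application would.

    Returns (ok, replacement): ok says whether the password is accepted;
    replacement is a hash regenerated with the corrected call when the
    stored one turned out to be a product of the old behaviour, else None.
    """
    if _matches(stored, password, legacy=False):
        return True, None
    if has_8bit(password) and _matches(stored, password, legacy=True):
        # Correct password, non-conforming stored hash: regenerate it with
        # the corrected call so the caller can replace it in storage.
        return True, hash_fixed(password)
    return False, None


def classify(stored: str, password: bytes) -> str:
    """For auditing a hash list once the password is known (e.g. at login):
    'fixed', 'legacy', or 'unknown' (wrong password or foreign format)."""
    if _matches(stored, password, legacy=False):
        return "fixed"
    if _matches(stored, password, legacy=True):
        return "legacy"
    return "unknown"


if __name__ == "__main__":
    pw = "pässwörd".encode("utf-8")  # constructed sample with 8-bit bytes
    old = hash_legacy(pw)            # what the old behaviour would have stored
    ok, new = verify_transitional(old, pw)
    print(ok, classify(old, pw), classify(new, pw))
```

Note that `classify` can only label a hash when the password is supplied, so an audit of an existing list runs opportunistically at login time (or against a known test password); a hash that never sees a successful login stays "unknown".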

