Re: CVE request: crypt_blowfish 8-bit character mishandling

[Vincent Danen <vdanen () redhat com>]

* [2011-06-21 22:15:25 +0400] Solar Designer wrote:

> On Tue, Jun 21, 2011 at 12:09:16PM -0600, Vincent Danen wrote:
> > Ok, so taking a quick look at php-suhosin, we have:
> >
> > ...
> >  61 typedef unsigned int BF_word;
> > ...
> > 558     BF_word tmp;
> > 559
> > 560     for (i = 0; i < BF_N + 2; i++) {
> > 561         tmp = 0;
> > 562         for (j = 0; j < 4; j++) {
> > 563             tmp <<= 8;
> > 564             tmp |= *ptr;
> >
> > I'm assuming the above means it is vulnerable (unsigned int vs unsigned
> > char).
>
> No, we can't conclude anything from just the excerpt you quoted above.
> If *ptr is signed char, then we have the bug.  If it's unsigned char,
> then we don't.  If it's just char, which it was in my original code,
> then we have the bug on most platforms, but not on those few where char
> defaults to unsigned.  Or rather, the bug is mitigated on those.

So should have included this:

556     __CONST char *ptr = key; 

--
Vincent Danen / Red Hat Security Response Team