oss-sec mailing list archives
Re: CVE request: crypt_blowfish 8-bit character mishandling
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 21 Jun 2011 13:22:15 -0600
* [2011-06-21 22:15:25 +0400] Solar Designer wrote:
On Tue, Jun 21, 2011 at 12:09:16PM -0600, Vincent Danen wrote:Ok, so taking a quick look at php-suhosin, we have: ... 61 typedef unsigned int BF_word; ... 558 BF_word tmp; 559 560 for (i = 0; i < BF_N + 2; i++) { 561 tmp = 0; 562 for (j = 0; j < 4; j++) { 563 tmp <<= 8; 564 tmp |= *ptr; I'm assuming the above means it is vulnerable (unsigned int vs unsigned char).No, we can't conclude anything from just the excerpt you quoted above. If *ptr is signed char, then we have the bug. If it's unsigned char, then we don't. If it's just char, which it was in my original code, then we have the bug on most platforms, but not on those few where char defaults to unsigned. Or rather, the bug is mitigated on those.
So should have included this:556 __CONST char *ptr = key;
--Vincent Danen / Red Hat Security Response Team
Current thread:
- Re: CVE request: crypt_blowfish 8-bit character mishandling, (continued)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 28)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 29)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)