oss-sec mailing list archives
Re: CVE request: crypt_blowfish 8-bit character mishandling
From: Michael Matz <matz () suse de>
Date: Mon, 27 Jun 2011 17:44:42 +0200 (CEST)
Hi, On Mon, 27 Jun 2011, Ludwig Nussel wrote:
Additionally, for the paranoid, when the option to treat 2a as 2x is disabled, disallow logins with passwords containing 0xff chars (possible attack). Maybe only for 2a hashes, but not for 2y. In order not to leak this fact via timings, perform the hashing anyway. (I'll consider making this built-in in a new version of crypt_blowfish, which should let us be more careful with timings.)Ok, so we'd need two config options, one to toggle signedness bug compat mode (2a=2x) and one to disallow 0xff if compat mode is off.
What's this 0xff business that crept up recently? It's all characters with the high bit set, not just 0xff, that pose problems. Let's be precise with these issues. Ciao, Michael.
Current thread:
- Re: CVE request: crypt_blowfish 8-bit character mishandling, (continued)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling The Fungi (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Josh Bressers (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 22)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 23)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 23)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 28)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 29)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Vincent Danen (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)