oss-security - Re: CVE request: crypt_blowfish 8-bit character mishandling

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <20110620154319.GG1293@yuggoth.org>
Date: Mon, 20 Jun 2011 15:43:20 +0000
From: The Fungi <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: crypt_blowfish 8-bit character
 mishandling

On Mon, Jun 20, 2011 at 07:19:13PM +0400, Solar Designer wrote:
[...]
> That said, I appreciate you posting this suggestion, and I'd be
> happy to consider some more. It is always possible that there's
> some brilliant idea I had not thought of...

No, I agree your proposed approach lends a more general solution
which could be applied to the use cases I was considering. I saw you
mention it over on the crypto list as well, but it sounded like you
were trying to find ways to avoid a new hash encoding identifier in
the wild which could conflict with something OpenBSD might consider
assigning for some other purpose at a later date (though assuming
this workaround makes it onto their radar, that seems an unlikely
situation anyway).
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@...goth.org); FINGER(fungi@...goth.org);
MUD(kinrui@...arsis.mudpy.org:6669); IRC(fungi@....yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.