Message-ID: <Pine.LNX.4.64.1106271743170.17115@wotan.suse.de>
Date: Mon, 27 Jun 2011 17:44:42 +0200 (CEST)
From: Michael Matz <matz@...e.de>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com, Thorsten Kukuk <kukuk@...e.de>,
	Andreas Jaeger <aj@...e.de>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

Hi,

On Mon, 27 Jun 2011, Ludwig Nussel wrote:

> > Additionally, for the paranoid, when the option to treat 2a as 2x is 
> > disabled, disallow logins with passwords containing 0xff chars 
> > (possible attack).  Maybe only for 2a hashes, but not for 2y.  In 
> > order not to leak this fact via timings, perform the hashing anyway.  
> > (I'll consider making this built-in in a new version of 
> > crypt_blowfish, which should let us be more careful with timings.)
> 
> Ok, so we'd need two config options, one to toggle signedness bug compat 
> mode (2a=2x) and one to disallow 0xff if compat mode is off.

What's this 0xff business that crept up recently?  It's all characters 
with the high bit set, not just 0xff, that pose problems.  Let's be 
precise with these issues.


Ciao,
Michael.
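
As an added illustration of the point Michael makes above (this is not code from the thread or from crypt_blowfish itself), the following models the password-to-subkey byte loop of a crypt_blowfish-style key schedule once with bytes read through a signed char, which reproduces the "$2a$" signedness bug, and once through an unsigned char. The 18-word loop shape, the wrap-around at NUL, and the sample key "ab\xe9d" are assumptions made for the demonstration; it counts how many of the 255 possible key bytes change the schedule, which is every byte with the high bit set, not only 0xff.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 18   /* BF_N + 2 subkey words filled from the password (assumed) */

/* Model of the password byte loop: each subkey word takes four key bytes,
 * reading cyclically and restarting at the key after the terminating NUL.
 * sign_extend == 1 reads bytes as signed char (the "$2a$" bug); 0 reads
 * them as unsigned char (the intended, "$2y$" behaviour). */
static void expand_key(const char *key, int sign_extend, uint32_t words[KEY_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extend)
                tmp |= (uint32_t)(int32_t)(signed char)*ptr; /* 0xE9 -> 0xFFFFFFE9, wipes earlier bytes */
            else
                tmp |= (unsigned char)*ptr;                   /* 0xE9 -> 0x000000E9 */
            if (!*ptr) ptr = key; else ptr++;
        }
        words[i] = tmp;
    }
}

/* First subkey word of a key under the buggy (1) or correct (0) loop. */
uint32_t first_word(const char *key, int sign_extend)
{
    uint32_t w[KEY_WORDS];
    expand_key(key, sign_extend, w);
    return w[0];
}

/* Place byte value b in the constructed key "ab?d" and report whether the
 * buggy and correct expansions differ anywhere in the 18 words. */
int byte_value_changes_schedule(unsigned b)
{
    char key[5] = { 'a', 'b', (char)b, 'd', '\0' };
    uint32_t buggy[KEY_WORDS], good[KEY_WORDS];
    if (b == 0) return 0;   /* NUL ends the key and is never a key byte */
    expand_key(key, 1, buggy);
    expand_key(key, 0, good);
    return memcmp(buggy, good, sizeof buggy) != 0;
}

/* How many of the 255 non-NUL byte values are mishandled by the signed loop. */
int count_affected_byte_values(void)
{
    int n = 0;
    for (unsigned b = 1; b < 256; b++) n += byte_value_changes_schedule(b);
    return n;
}
```

Running `first_word("ab\xe9" "d", 1)` against `first_word("ab\xe9" "d", 0)` shows the 'a' and 'b' bytes replaced by 0xff in the buggy word, and `count_affected_byte_values()` returns 128, one for each byte from 0x80 to 0xff.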
