Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: crypt_blowfish 8-bit character mishandling
From: Solar Designer <solar () openwall com>
Date: Sun, 17 Jul 2011 23:15:40 +0400

On Tue, Jun 21, 2011 at 09:56:23AM -0600, Vincent Danen wrote:
PostgreSQL is affected as well (the pgcrypto module):

% head crypt-blowfish.c 
/*
 * $PostgreSQL: pgsql/contrib/pgcrypto/crypt-blowfish.c,v 1.14 2009/06/11 
 14:48:52 momjian Exp $

Right.  Luckily, it is well-maintained - Tom Lane committed a fix based
on crypt_blowfish 1.1's on June 21st:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e

I've just e-mailed Tom to let him know about crypt_blowfish 1.2 with its
more elaborate changes, and to try to persuade him to include the runtime
quick self-test - to catch miscompiles, bugs potentially introduced in
re-users of the code (such as in a future revision of pgcrypto - who
knows), and to clean up the stack locations.

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]