Re: CVE request: crypt_blowfish 8-bit character mishandling

[Vincent Danen <vdanen () redhat com>]

* [2011-06-21 21:55:26 +0400] Solar Designer wrote:

> On Tue, Jun 21, 2011 at 10:50:18AM -0600, Vincent Danen wrote:
> > So Crypt::Eksblowfish uses the same code but wasn't affected?  Do we
> > know why that is?
>
> It is based on the same code, but the author made changes when merging
> the code.  Specifically, he switched to using "unsigned char *".
>
> > I can't promise I will have time to look at it, but I will try if I can
> > find the time.
>
> Thanks!

Ok, so taking a quick look at php-suhosin, we have:

...
 61 typedef unsigned int BF_word;
...
558     BF_word tmp;
559 
560     for (i = 0; i < BF_N + 2; i++) {
561         tmp = 0;
562         for (j = 0; j < 4; j++) {
563             tmp <<= 8;
564             tmp |= *ptr;

I'm assuming the above means it is vulnerable (unsigned int vs unsigned
char).

--
Vincent Danen / Red Hat Security Response Team