
oss-sec mailing list archives
Re: CVE request: crypt_blowfish 8-bit character mishandling
From: Solar Designer <solar () openwall com>
Date: Sun, 17 Jul 2011 23:15:40 +0400
On Tue, Jun 21, 2011 at 09:56:23AM -0600, Vincent Danen wrote:
> PostgreSQL is affected as well (the pgcrypto module):
>
> % head crypt-blowfish.c
> /*
>  * $PostgreSQL: pgsql/contrib/pgcrypto/crypt-blowfish.c,v 1.14 2009/06/11 14:48:52 momjian Exp $

Right. Luckily, it is well-maintained - Tom Lane committed a fix based on crypt_blowfish 1.1's on June 21st:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e

I've just e-mailed Tom to let him know about crypt_blowfish 1.2 with its more elaborate changes, and to try to persuade him to include the runtime quick self-test - to catch miscompiles, bugs potentially introduced in re-users of the code (such as in a future revision of pgcrypto - who knows), and to clean up the stack locations.

Alexander
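What a runtime quick self-test of the kind mentioned above can catch, as an added example (not code from crypt_blowfish, pgcrypto or the original message): a simplified key-expansion loop with the publicly documented sign-extension defect (`sign_extend = 1`) beside the fixed form, and a self-test over a constructed 8-bit key. The function names, the test key and the expected words are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define BF_N 16   /* Blowfish rounds; key setup fills BF_N + 2 words */

/* Expand a NUL-terminated password into BF_N + 2 words, cycling over the
 * key bytes including the terminating NUL. sign_extend = 1 reproduces the
 * defect (a byte >= 0x80 read through signed char), 0 is the fixed form. */
static void expand_key(const char *key, uint32_t out[BF_N + 2], int sign_extend)
{
    const char *ptr = key;
    for (int i = 0; i < BF_N + 2; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extend)
                tmp |= (uint32_t)(int32_t)(signed char)*ptr; /* 0xa3 -> 0xffffffa3 */
            else
                tmp |= (unsigned char)*ptr;                  /* 0xa3 -> 0x000000a3 */
            if (!*ptr) ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* Nonzero when two passwords expand to identical key material. */
static int same_expansion(const char *a, const char *b, int sign_extend)
{
    uint32_t ea[BF_N + 2], eb[BF_N + 2];
    expand_key(a, ea, sign_extend);
    expand_key(b, eb, sign_extend);
    return memcmp(ea, eb, sizeof(ea)) == 0;
}

/* Quick self-test: expand a constructed 8-bit key and compare with words
 * worked out by hand for the correct (unsigned) behaviour. Returns 1 on pass. */
static int quick_selftest(int sign_extend)
{
    static const uint32_t good[3] = { 0xffa300ffu, 0xa300ffa3u, 0x00ffa300u };
    uint32_t e[BF_N + 2];
    int ok = 1;
    expand_key("\xff\xa3", e, sign_extend);
    for (int i = 0; i < BF_N + 2; i++)
        ok &= (e[i] == good[i % 3]);
    memset(e, 0, sizeof(e)); /* sketch only: real code needs a wipe the compiler cannot elide */
    return ok;
}

int main(void) { return quick_selftest(0) ? 0 : 1; }
```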