oss-sec mailing list archives
Re: CVE request: crypt_blowfish 8-bit character mishandling
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 21 Jun 2011 16:34:41 +0200
Solar Designer wrote:
Returning to the crypt_blowfish topic, I am considering keeping supportfor the broken hashes under another prefix - say, "$2x$" (where the "x" would stand for "sign eXtension bug") instead of the usual "$2a$". For typical passwords, they'd be the same (except for this one letter in the prefix). Their potential use would be by a sysadmin wishing to avoid any service disruption for anyone (even if that means potentially staying with weaker passwords than what some users might have expected; maybe password changes would then be recommended or forced over time). That sysadmin would replace "$2a$" with "$2x$" in existing hashes on the system right before upgrade to corrected software (such as PHP or glibc with crypt_blowfish). Alternatively, say, a custom web app could be making this replacement for crypt() calls only, on hashes created before upgrade date.
I wonder whether it would make sense to patch pam_unix (resp pam_unix2 in our case) to detect the problem and activate the workaround automatically. pam_unix has the clear text password so knows when it contains 8bit characters. It also has the shadow entry which tells when the password was set. If that date is before the update was installed the 2x method could be tried if 2a failed and a warning could be logged to syslog.
cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Current thread:
- CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 19)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Daniel Godás (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling The Fungi (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling The Fungi (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Josh Bressers (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Daniel Godás (Jun 20)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 21)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 22)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 23)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 23)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Michael Matz (Jun 28)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 29)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jun 27)