Re: CVE request: crypt_blowfish 8-bit character mishandling

[Vincent Danen <vdanen () redhat com>]

* [2011-06-21 20:18:50 +0400] Solar Designer wrote:

> On Tue, Jun 21, 2011 at 09:56:23AM -0600, Vincent Danen wrote:
> > PostgreSQL is affected as well (the pgcrypto module):
> >
> > % head crypt-blowfish.c
> > /*
> >  * $PostgreSQL: pgsql/contrib/pgcrypto/crypt-blowfish.c,v 1.14 2009/06/11
> >  14:48:52 momjian Exp $
>
> We need to actually review and/or test this revision of the code before
> we conclusively say that it's affected.  Maybe you did that already?
>
> So far, there's one example where a revision of the code turned out to
> be unaffected - Crypt::Eksblowfish in CPAN.  In fact, this is what has
> resulted in discovery of the bug (even though it was fixed in
> Crypt::Eksblowfish during its initial integration of the code in 2007).

Ahhh... ok.  I only did a code review, I didn't test the actual
functionality to make that determination.

So Crypt::Eksblowfish uses the same code but wasn't affected?  Do we
know why that is?

> > php-suhosin also contains the same code.
>
> Yes.  These two are listed at http://www.openwall.com/crypt/
>
> We need to go over those listed on that page and then also search the
> web for possible other users of the code.  Then try to figure out which
> are actually affected (probably most of them are) and notify the
> maintainers.  For now, my focus is to push crypt_blowfish 1.1 out, but I
> do need to include a few sentences on roughly what software is affected
> in my announcement.  I'd appreciate any help with those reviews/testing.

I can't promise I will have time to look at it, but I will try if I can
find the time.

--
Vincent Danen / Red Hat Security Response Team