Message-ID: <20110620145622.GF1293@yuggoth.org>
Date: Mon, 20 Jun 2011 14:56:28 +0000
From: The Fungi <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

On Mon, Jun 20, 2011 at 06:05:54PM +0400, Solar Designer wrote:
[...]
> Does anyone need this? Or do we just assume that passwords with
> non-ASCII characters are uncommon enough that we can bite the
> bullet (of fixing the bug) without providing any backwards
> compatibility workaround?
[...]

Would it make sense to include transitional compatibility calls which
preserve the original behavior? Then applications using the library
can be adjusted to fall back on the buggy version if the supplied data
has 8-bit characters and the corrected calls don't result in a match.
This would allow tools to regenerate and replace non-conforming hashes
if they were the result of this bug, and might make it easier to audit
existing lists for them as well.
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@...goth.org); FINGER(fungi@...goth.org);
MUD(kinrui@...arsis.mudpy.org:6669); IRC(fungi@....yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }
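The fallback-then-rehash scheme proposed in the message above, worked through as an added example (this is not code from the message, from crypt_blowfish, or from any application using it). Two things are modelled. First, the key-setup step that makes 8-bit bytes matter: on platforms where `char` is signed, a byte >= 0x80 is sign-extended before being OR-ed into the 32-bit key word, which sets every higher bit of that word and clobbers the bytes packed before it, while pure-ASCII input packs identically either way. Second, the verification order the message suggests: try the corrected computation, fall back to the buggy one only when the password contains 8-bit bytes, and flag such a match for regeneration. The names `pack_key_words`, `toy_hash`, `verify_with_fallback` and `migrate` are constructed for this example, and `toy_hash` (a SHA-256 over the packed words) is a stand-in for the real bcrypt computation; in a real application those calls would be the library's corrected and compatibility entry points.

```python
import hashlib
import hmac

BF_N = 16
KEY_WORDS = BF_N + 2  # Blowfish key setup consumes 18 subkey words


def pack_key_words(key: bytes, sign_extend: bool, n_words: int = KEY_WORDS) -> list:
    """Model of how a Blowfish-based crypt packs the NUL-terminated password
    into 32-bit words, four bytes per word, cycling back to the start of the
    key after the terminating NUL.

    sign_extend=False is the corrected behaviour (every byte is unsigned).
    sign_extend=True models the bug: a byte >= 0x80 read through a signed
    char becomes a negative int, so OR-ing it into the word sets all the
    high bits and destroys the bytes packed before it in that word.
    """
    data = key + b"\x00"
    words = []
    ptr = 0
    for _ in range(n_words):
        tmp = 0
        for _ in range(4):
            tmp = (tmp << 8) & 0xFFFFFFFF
            b = data[ptr]
            if sign_extend and b >= 0x80:
                b = (b - 0x100) & 0xFFFFFFFF  # e.g. 0xE4 -> 0xFFFFFFE4
            tmp |= b
            ptr = 0 if data[ptr] == 0 else ptr + 1  # wrap after the NUL
        words.append(tmp)
    return words


def has_8bit(password: bytes) -> bool:
    """True if the password contains any byte that a signed char would negate."""
    return any(b >= 0x80 for b in password)


def toy_hash(password: bytes, buggy: bool = False) -> str:
    """Constructed stand-in for the bcrypt computation: SHA-256 over the packed
    key words.  Only the key-packing step is modelled; a real application
    would call the library's corrected / compatibility functions here."""
    words = pack_key_words(password, sign_extend=buggy)
    material = b"".join(w.to_bytes(4, "big") for w in words)
    return hashlib.sha256(material).hexdigest()


def verify_with_fallback(password: bytes, stored: str) -> tuple:
    """Transitional check in the order the message proposes.

    Returns (ok, needs_rehash):
      corrected computation matches                      -> (True, False)
      8-bit password and only the buggy computation does -> (True, True)
      neither                                            -> (False, False)
    The buggy path is tried only for 8-bit passwords: for pure-ASCII input
    both computations are identical, so no fallback is ever needed there.
    """
    if hmac.compare_digest(toy_hash(password, buggy=False), stored):
        return True, False
    if has_8bit(password) and hmac.compare_digest(toy_hash(password, buggy=True), stored):
        return True, True
    return False, False


def migrate(password: bytes, stored: str) -> str:
    """Once a user authenticates through the fallback, regenerate and return
    the corrected hash so the buggy one can be replaced; otherwise keep it."""
    ok, needs_rehash = verify_with_fallback(password, stored)
    if ok and needs_rehash:
        return toy_hash(password, buggy=False)
    return stored


if __name__ == "__main__":
    ascii_pw = b"hunter2"                      # constructed sample input
    latin1_pw = "päss".encode("latin-1")       # constructed: contains 0xE4
    print(pack_key_words(ascii_pw, False) == pack_key_words(ascii_pw, True))
    print(pack_key_words(latin1_pw, False, 1), pack_key_words(latin1_pw, True, 1))
    old = toy_hash(latin1_pw, buggy=True)      # hash written by the buggy build
    print(verify_with_fallback(latin1_pw, old))
    print(migrate(latin1_pw, old) == toy_hash(latin1_pw))
```

Note that the damage is position-dependent: an 8-bit byte in the first position of a word is harmless because the sign-extended high bits are shifted out by the following three bytes, so a password can contain 8-bit characters and still hash identically under both builds. That is why the fallback compares both computations rather than deciding from the bytes alone, and why the rehash flag is raised only when the corrected computation actually failed to match.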