Bug 715025 (CVE-2011-2483) - CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
Summary: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different pa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On: 715033 715034 715035 715036 740731 740732 740733 740734 740735 740736 740737 740738 740739 740740 740741 812239 812243 831135
Blocks: 715030
TreeView+ depends on / blocked
 
Reported: 2011-06-21 16:15 UTC by Vincent Danen
Modified: 2021-02-24 15:12 UTC (History)
10 users (show)

Fixed In Version: php 5.3.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-05 09:43:22 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1377 0 normal SHIPPED_LIVE Moderate: postgresql security update 2011-10-17 21:47:43 UTC
Red Hat Product Errata RHSA-2011:1378 0 normal SHIPPED_LIVE Moderate: postgresql84 security update 2011-10-17 21:58:15 UTC
Red Hat Product Errata RHSA-2011:1423 0 normal SHIPPED_LIVE Moderate: php53 and php security update 2011-11-02 22:24:16 UTC

Description Vincent Danen 2011-06-21 16:15:53 UTC
A flaw in John the Ripper and crypt_blowfish was reported [1],[2],[3] where passwords with 8-bit characters were mishandled.  A password containing a single character with the 8th bit set have 1 to 3 characters immediately preceding the 8-bit character ignored (approximately 3 in 16 passwords).  With more than one 8-bit character in the password, there may be more ignored characters.  This can result in passwords being even easier to crack than expected.  This is due to a char signedness bug in crypt_blowfish.

Other programs, such as PHP Suhosin, PHP 5.3.x, and PostgreSQL's pgcrypt module, contain the vulnerable crypt_blowfish code.

A fix for this flaw [4], as well as 8-bit tests [5] and a self-test at runtime [6] have been committed upstream.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.diff?r1=1.9;r2=1.10
[5] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/wrapper.c.diff?r1=1.9;r2=1.10
[6] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.diff?r1=1.10;r2=1.11

Comment 1 Vincent Danen 2011-06-21 16:48:21 UTC
Created php-suhosin tracking bugs for this issue

Affects: fedora-all [bug 715035]
Affects: epel-all [bug 715036]

Comment 2 Vincent Danen 2011-06-21 16:48:24 UTC
Created php tracking bugs for this issue

Affects: fedora-all [bug 715033]

Comment 3 Vincent Danen 2011-06-21 16:48:27 UTC
Created postgresql tracking bugs for this issue

Affects: fedora-all [bug 715034]

Comment 4 Tom Lane 2011-06-21 18:46:48 UTC
I've pushed a fix for this into postgresql's git repo.  It's a bit more than just the upstream patch, as there's a routing function that has to be taught about the new $2x$ prefix.

Comment 5 Tomas Hoger 2011-06-22 09:28:21 UTC
(In reply to comment #4)
> I've pushed a fix for this into postgresql's git repo.  It's a bit more than
> just the upstream patch, as there's a routing function that has to be taught
> about the new $2x$ prefix.

http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e

Comment 6 Tomas Hoger 2011-06-27 11:10:11 UTC
Upstream PHP commit in (unreleased) 5.4 and trunk SVN:
http://svn.php.net/viewvc?view=revision&revision=312505

There are concerns regarding how to fix in released 5.3, given the backwards incompatibility of the fix:
http://marc.info/?l=php-internals&m=130912430403265&w=2

Comment 7 Vincent Danen 2011-06-27 22:51:00 UTC
Further analysis from Solar Designer:

http://seclists.org/oss-sec/2011/q2/678

To quote from what he wrote, as respecting the impact of the flaw:

"Initially, I thought that only lengths n*4-1 and very large lengths were
at risk of easy collisions.  And, for small lengths, I estimated that
roughly 3 out of 16 passwords containing one 8-bit character were at risk.

After more thorough analysis, it turns out that other odd lengths are
also at risk, and that "very large" starts at length 20.  Thus, I have
to revise my "3 of 16" estimate.  The new estimate for risky passwords
with one 8-bit character is 30% for lengths up to 20 inclusive.  Like
before, this assumes uniform distribution of lengths and positions for
the 8-bit character, which is obviously not the case in practice, yet it
works as an estimate.

Lengths that are _not_ at risk: 1, 2, 4, 6, 8, 10, 12, 14, 16, 18.
The rest are at risk (meaning that 8-bit chars in _some_ positions
result in 1 to 3 preceding chars being ignored)."

Comment 8 Vincent Danen 2011-07-19 19:19:05 UTC
Patch to update to crypt_blowfish 1.2 in PHP:

http://news.php.net/php.internals/54000

Comment 9 Tomas Hoger 2011-07-20 08:21:59 UTC
(In reply to comment #8)
> Patch to update to crypt_blowfish 1.2 in PHP:
> 
> http://news.php.net/php.internals/54000

http://svn.php.net/viewvc?view=revision&revision=313406

Upstream archive (news.php) does not seem to offer direct links to other replies in the thread.  Adding equivalent marc.info link for convenience:

http://marc.info/?l=php-internals&m=131092736909655&w=2

Additional test suite changes were proposed by Solar, which are not committed in upstream SVN yet.

Comment 10 Tomas Hoger 2011-08-03 16:17:54 UTC
(In reply to comment #9)
> http://svn.php.net/viewvc?view=revision&revision=313406

Alexander also pointed out this is required:
http://svn.php.net/viewvc?view=revision&revision=313999

Comment 11 Vincent Danen 2011-08-18 16:13:34 UTC
This is corrected in upstream 5.3.7: http://www.php.net/archive/2011.php#id2011-08-18-1

Comment 12 Tomas Hoger 2011-08-24 06:12:35 UTC
(In reply to comment #11)
> This is corrected in upstream 5.3.7:
> http://www.php.net/archive/2011.php#id2011-08-18-1

This may be a better permalink:
  http://www.php.net/releases/5_3_7.php

A regression was introduced to crypt() in 5.3.7, which caused MD5 hashes not to be computed correctly, resulting in only salt part of the hash to be returned. This regression is corrected in 5.3.8:
  https://bugs.php.net/bug.php?id=55439
  http://www.php.net/releases/5_3_8.php

Comment 13 Tomas Hoger 2011-08-24 06:50:30 UTC
(In reply to comment #12)
> A regression was introduced to crypt() in 5.3.7, which caused MD5 hashes not to
> be computed correctly, resulting in only salt part of the hash to be returned.
> This regression is corrected in 5.3.8:
>   https://bugs.php.net/bug.php?id=55439
>   http://www.php.net/releases/5_3_8.php

That regression got CVE-2011-3189, see bug #732795.

Comment 31 errata-xmlrpc 2011-10-17 21:47:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2011:1377 https://rhn.redhat.com/errata/RHSA-2011-1377.html

Comment 32 errata-xmlrpc 2011-10-17 21:58:21 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1378 https://rhn.redhat.com/errata/RHSA-2011-1378.html

Comment 33 Vincent Danen 2011-11-02 21:59:38 UTC
External References:

http://www.php.net/security/crypt_blowfish.php

Comment 34 errata-xmlrpc 2011-11-02 22:24:31 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html


Note You need to log in before you can comment on or make changes to this bug.