This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 715025 - (CVE-2011-2483) CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different pa...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
David Kutálek
public=20110620,reported=20110620,sou...
: Security
Depends On: 715033 715034 715035 715036 740731 740732 740733 740734 740735 740736 740737 740738 740739 740740 740741 812239 812243 831135
Blocks: 715030
  Show dependency treegraph
 
Reported: 2011-06-21 12:15 EDT by Vincent Danen
Modified: 2015-12-16 08:40 EST (History)
10 users (show)

See Also:
Fixed In Version: php 5.3.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-05 05:43:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-06-21 12:15:53 EDT
A flaw in John the Ripper and crypt_blowfish was reported [1],[2],[3] where passwords with 8-bit characters were mishandled.  A password containing a single character with the 8th bit set have 1 to 3 characters immediately preceding the 8-bit character ignored (approximately 3 in 16 passwords).  With more than one 8-bit character in the password, there may be more ignored characters.  This can result in passwords being even easier to crack than expected.  This is due to a char signedness bug in crypt_blowfish.

Other programs, such as PHP Suhosin, PHP 5.3.x, and PostgreSQL's pgcrypt module, contain the vulnerable crypt_blowfish code.

A fix for this flaw [4], as well as 8-bit tests [5] and a self-test at runtime [6] have been committed upstream.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.diff?r1=1.9;r2=1.10
[5] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/wrapper.c.diff?r1=1.9;r2=1.10
[6] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.diff?r1=1.10;r2=1.11
Comment 1 Vincent Danen 2011-06-21 12:48:21 EDT
Created php-suhosin tracking bugs for this issue

Affects: fedora-all [bug 715035]
Affects: epel-all [bug 715036]
Comment 2 Vincent Danen 2011-06-21 12:48:24 EDT
Created php tracking bugs for this issue

Affects: fedora-all [bug 715033]
Comment 3 Vincent Danen 2011-06-21 12:48:27 EDT
Created postgresql tracking bugs for this issue

Affects: fedora-all [bug 715034]
Comment 4 Tom Lane 2011-06-21 14:46:48 EDT
I've pushed a fix for this into postgresql's git repo.  It's a bit more than just the upstream patch, as there's a routing function that has to be taught about the new $2x$ prefix.
Comment 5 Tomas Hoger 2011-06-22 05:28:21 EDT
(In reply to comment #4)
> I've pushed a fix for this into postgresql's git repo.  It's a bit more than
> just the upstream patch, as there's a routing function that has to be taught
> about the new $2x$ prefix.

http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e
Comment 6 Tomas Hoger 2011-06-27 07:10:11 EDT
Upstream PHP commit in (unreleased) 5.4 and trunk SVN:
http://svn.php.net/viewvc?view=revision&revision=312505

There are concerns regarding how to fix in released 5.3, given the backwards incompatibility of the fix:
http://marc.info/?l=php-internals&m=130912430403265&w=2
Comment 7 Vincent Danen 2011-06-27 18:51:00 EDT
Further analysis from Solar Designer:

http://seclists.org/oss-sec/2011/q2/678

To quote from what he wrote, as respecting the impact of the flaw:

"Initially, I thought that only lengths n*4-1 and very large lengths were
at risk of easy collisions.  And, for small lengths, I estimated that
roughly 3 out of 16 passwords containing one 8-bit character were at risk.

After more thorough analysis, it turns out that other odd lengths are
also at risk, and that "very large" starts at length 20.  Thus, I have
to revise my "3 of 16" estimate.  The new estimate for risky passwords
with one 8-bit character is 30% for lengths up to 20 inclusive.  Like
before, this assumes uniform distribution of lengths and positions for
the 8-bit character, which is obviously not the case in practice, yet it
works as an estimate.

Lengths that are _not_ at risk: 1, 2, 4, 6, 8, 10, 12, 14, 16, 18.
The rest are at risk (meaning that 8-bit chars in _some_ positions
result in 1 to 3 preceding chars being ignored)."
Comment 8 Vincent Danen 2011-07-19 15:19:05 EDT
Patch to update to crypt_blowfish 1.2 in PHP:

http://news.php.net/php.internals/54000
Comment 9 Tomas Hoger 2011-07-20 04:21:59 EDT
(In reply to comment #8)
> Patch to update to crypt_blowfish 1.2 in PHP:
> 
> http://news.php.net/php.internals/54000

http://svn.php.net/viewvc?view=revision&revision=313406

Upstream archive (news.php) does not seem to offer direct links to other replies in the thread.  Adding equivalent marc.info link for convenience:

http://marc.info/?l=php-internals&m=131092736909655&w=2

Additional test suite changes were proposed by Solar, which are not committed in upstream SVN yet.
Comment 10 Tomas Hoger 2011-08-03 12:17:54 EDT
(In reply to comment #9)
> http://svn.php.net/viewvc?view=revision&revision=313406

Alexander also pointed out this is required:
http://svn.php.net/viewvc?view=revision&revision=313999
Comment 11 Vincent Danen 2011-08-18 12:13:34 EDT
This is corrected in upstream 5.3.7: http://www.php.net/archive/2011.php#id2011-08-18-1
Comment 12 Tomas Hoger 2011-08-24 02:12:35 EDT
(In reply to comment #11)
> This is corrected in upstream 5.3.7:
> http://www.php.net/archive/2011.php#id2011-08-18-1

This may be a better permalink:
  http://www.php.net/releases/5_3_7.php

A regression was introduced to crypt() in 5.3.7, which caused MD5 hashes not to be computed correctly, resulting in only salt part of the hash to be returned. This regression is corrected in 5.3.8:
  https://bugs.php.net/bug.php?id=55439
  http://www.php.net/releases/5_3_8.php
Comment 13 Tomas Hoger 2011-08-24 02:50:30 EDT
(In reply to comment #12)
> A regression was introduced to crypt() in 5.3.7, which caused MD5 hashes not to
> be computed correctly, resulting in only salt part of the hash to be returned.
> This regression is corrected in 5.3.8:
>   https://bugs.php.net/bug.php?id=55439
>   http://www.php.net/releases/5_3_8.php

That regression got CVE-2011-3189, see bug #732795.
Comment 31 errata-xmlrpc 2011-10-17 17:47:55 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2011:1377 https://rhn.redhat.com/errata/RHSA-2011-1377.html
Comment 32 errata-xmlrpc 2011-10-17 17:58:21 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1378 https://rhn.redhat.com/errata/RHSA-2011-1378.html
Comment 33 Vincent Danen 2011-11-02 17:59:38 EDT
External References:

http://www.php.net/security/crypt_blowfish.php
Comment 34 errata-xmlrpc 2011-11-02 18:24:31 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html

Note You need to log in before you can comment on or make changes to this bug.