[php-maint] Bug#631347: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash

Luciano Bello luciano at debian.org
Thu Jun 23 03:37:46 UTC 2011


Package: php5
Severity: serious
Tags: security

Hi,
A bug in crypt_blowfish was reported [1,2,3]. The RH report [4] may be useful 
too.

The function BF_set_key in ./ext/standard/crypt_blowfish.c is vulnerable. Can 
you confirm that the bug affects the Debian packages?

If so, please consider providing patches for stable and oldstable besides 
sid.

The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025

-luciano
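As an added illustration (not part of the bug report, nor code from PHP or crypt_blowfish), the following C program reproduces the key-loading step of a BF_set_key-style routine in two variants: the flawed one, which ORs a plain `char` (signed on common platforms) into the 32-bit accumulator so that any byte >= 0x80 is sign-extended and overwrites the bytes already shifted in, and the corrected one, which casts the byte to `unsigned char` first. The `load_key`, `keys_collide` and `first_word` names and the sample passwords are constructed for this example; the `(signed char)` cast is there only so the flawed behaviour is reproduced regardless of the platform's `char` signedness. It shows two different passwords producing an identical 18-word expanded key under the flawed loader, which is exactly the condition that yields identical hashes, and distinct keys under the fixed loader.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16
typedef uint32_t BF_word;
typedef BF_word BF_key[BF_N + 2];

/* Key-loading loop modelled on crypt_blowfish's BF_set_key (hypothetical
 * reimplementation for this example): the NUL-terminated password is
 * cycled, terminating NUL included, to fill 18 big-endian 32-bit words.
 * Only the one line that differs between the flawed and the corrected
 * loader is switched by the 'fixed' flag; the XOR with the initial
 * P-array that the real routine also performs is omitted here because it
 * cannot turn equal key words into different ones. */
static void load_key(const char *key, BF_key expanded, int fixed)
{
    const char *ptr = key;
    int i, j;
    BF_word tmp;

    for (i = 0; i < BF_N + 2; i++) {
        tmp = 0;
        for (j = 0; j < 4; j++) {
            tmp <<= 8;
            if (fixed) {
                /* corrected: the byte is treated as an unsigned value */
                tmp |= (unsigned char)*ptr;
            } else {
                /* flawed: a signed char is promoted to int, so a byte
                 * >= 0x80 becomes 0xFFFFFFxx and its set high bits
                 * clobber the bytes shifted in before it */
                tmp |= (BF_word)(int)(signed char)*ptr;
            }
            if (!*ptr) ptr = key; else ptr++;
        }
        expanded[i] = tmp;
    }
}

/* Returns 1 if the two passwords load to identical expanded keys. */
int keys_collide(const char *a, const char *b, int fixed)
{
    BF_key ka, kb;
    load_key(a, ka, fixed);
    load_key(b, kb, fixed);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* Returns the first expanded key word for a password under a given loader,
 * so the byte-wiping effect can be inspected directly. */
BF_word first_word(const char *pw, int fixed)
{
    BF_key k;
    load_key(pw, k, fixed);
    return k[0];
}

int main(void)
{
    /* Constructed sample pair: a lone 8-bit byte versus the same byte
     * preceded by two 0xFF bytes. Under the flawed loader every key word
     * of both passwords becomes FF FF A3 00; under the fixed loader the
     * first password gives A3 00 A3 00 and the second FF FF A3 00. */
    const char *a = "\xA3";
    const char *b = "\xFF\xFF\xA3";

    printf("flawed loader: collide=%d  word0=%08x / %08x\n",
           keys_collide(a, b, 0), first_word(a, 0), first_word(b, 0));
    printf("fixed loader:  collide=%d  word0=%08x / %08x\n",
           keys_collide(a, b, 1), first_word(a, 1), first_word(b, 1));
    return 0;
}
```

The flawed variant reports a collision and the fixed one does not; for a package maintainer, compiling the shipped crypt_blowfish.c and checking whether its key-loading line uses a plain `char` dereference rather than an `unsigned char` cast is the quickest way to confirm whether a given version is affected.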