Forked from postgres/postgres
Commit 932ded2
Fix incorrect password transformation in contrib/pgcrypto's DES crypt().
Overly tight coding caused the password transformation loop to stop examining input once it had processed a byte equal to 0x80. Thus, if the given password string contained such a byte (which is possible though not highly likely in UTF8, and perhaps also in other non-ASCII encodings), all subsequent characters would not contribute to the hash, making the password much weaker than it appears on the surface.

This would only affect cases where applications used DES crypt() to encode passwords before storing them in the database. If a weak password has been created in this fashion, the hash will stop matching after this update has been applied, so it will be easy to tell if any passwords were unexpectedly weak. Changing to a different password would be a good idea in such a case. (Since DES has been considered inadequately secure for some time, changing to a different encryption algorithm can also be recommended.)

This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD. Since the other projects have already published their fixes, there is no point in trying to keep this commit private.

This bug has been assigned CVE-2012-2143, and credit for its discovery goes to Rubin Xu and Joseph Bonneau.

1 parent d1996ed, commit 932ded2
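The loop behaviour the commit message describes, as an added example that is not the page's diff and not pgcrypto's own code: a simplified DES key-setup loop in the classic BSD shape, written here from the message's description in both a buggy and a fixed form, showing that with the buggy termination test a password containing a 0x80 byte collapses to its prefix, while the fixed test keeps consuming the bytes after it. The function names, the sample passwords and the exact loop shape are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative reconstruction (assumption, not pgcrypto's code): the classic
 * BSD crypt() key setup packs up to 8 password bytes into the 8-byte DES key
 * buffer, each shifted left by one bit so the character's low 7 bits land in
 * the 7 significant bits of a key byte.
 */

/*
 * BUGGY shape, matching the behaviour the commit message describes: the
 * shifted copy is stored into a byte and *that* byte is tested against 0.
 * For the input byte 0x80 the shift yields 0x100, which truncates to 0x00,
 * so the test mistakes 0x80 for the terminating NUL, stops advancing through
 * the password, and fills the rest of the key with zeros.
 */
static void key_setup_buggy(const char *key, uint8_t keybuf[8])
{
    const unsigned char *k = (const unsigned char *)key; /* avoid signed shift */
    uint8_t *q = keybuf;

    while (q - keybuf < 8) {
        if ((*q++ = (uint8_t)(*k << 1)) != 0)
            k++;
    }
}

/*
 * FIXED shape: test the raw password byte for NUL, not its shifted copy, so
 * every byte up to the real terminator (or the 8th byte) is consumed.  A 0x80
 * byte still contributes 0x00 to the key (its low 7 bits are zero), but the
 * bytes after it are no longer ignored.
 */
static void key_setup_fixed(const char *key, uint8_t keybuf[8])
{
    const unsigned char *k = (const unsigned char *)key;
    uint8_t *q = keybuf;

    while (q - keybuf < 8) {
        *q++ = (uint8_t)(*k << 1);
        if (*k != '\0')
            k++;
    }
}

/*
 * Returns 1 if the two passwords yield the same DES key buffer under the
 * given setup routine, i.e. crypt() built on it could not tell them apart.
 */
static int keys_collide(void (*setup)(const char *, uint8_t *),
                        const char *a, const char *b)
{
    uint8_t ka[8], kb[8];

    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/*
 * Constructed sample passwords (assumptions for the demo).  The literals are
 * split so the \x80 escape does not swallow the hex-looking letters after it.
 */
static const char PW_WITH_0X80[]   = "a\x80" "bcdefg";
static const char PW_PREFIX_ONLY[] = "a";
static const char PW_VARIANT[]     = "a\x80" "bcdefh";

static void print_key(const char *label, void (*setup)(const char *, uint8_t *),
                      const char *pw)
{
    uint8_t kb[8];
    int i;

    setup(pw, kb);
    printf("%-6s key for %-10s:", label, pw[1] == '\x80' ? "a<80>..." : pw);
    for (i = 0; i < 8; i++)
        printf(" %02x", kb[i]);
    printf("\n");
}

int main(void)
{
    print_key("buggy", key_setup_buggy, PW_WITH_0X80);
    print_key("buggy", key_setup_buggy, PW_PREFIX_ONLY);
    print_key("fixed", key_setup_fixed, PW_WITH_0X80);
    print_key("fixed", key_setup_fixed, PW_PREFIX_ONLY);

    printf("buggy: \"a<80>bcdefg\" collides with \"a\": %d\n",
           keys_collide(key_setup_buggy, PW_WITH_0X80, PW_PREFIX_ONLY));
    printf("fixed: \"a<80>bcdefg\" collides with \"a\": %d\n",
           keys_collide(key_setup_fixed, PW_WITH_0X80, PW_PREFIX_ONLY));
    return 0;
}
```

With the buggy loop the 8-character password and the 1-character password produce the identical key, so an attacker guessing "a" would match the stored hash; with the fixed loop the keys differ from the third byte on. This is also why the commit message says existing hashes of such passwords stop matching after the update: the fixed routine derives a different key from the same password.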
1 file changed: 2 additions & 1 deletion
Diff (body not preserved in this rendering; only the line-number gutter survived): unchanged context at lines 670-672, one line removed at original line 673, two lines added at new lines 673-674, then unchanged context at original lines 674-676 (new 675-677).
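Review bot: the fix ships without a regression test: the stats show 1 file changed with 2 additions and 1 deletion, all in the crypt() source, even though the commit message names a concrete, easily encoded input class (a password containing a 0x80 byte followed by further characters) whose hash changes after this patch. Suggest adding a pgcrypto regression case that runs crypt() with a DES salt on such a password and checks the expected hash, so the loop cannot silently regress to stopping at 0x80. Since the message also states that existing hashes of affected passwords will stop matching, the release notes should tell operators to expect those login failures and to treat them as a signal to reset the password.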
0 commit comments