thr3ads.net - openssh bugs - [Bug 1910] New: checkpw returns true when it shouldn't [May 2011]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at bugzilla.mindrot.org

2011-May-30 18:34 UTC

[Bug 1910] New: checkpw returns true when it shouldn't

https://bugzilla.mindrot.org/show_bug.cgi?id=1910

           Summary: checkpw returns true when it shouldn't
           Product: jBCrypt
           Version: unspecified
          Platform: amd64
        OS/Version: Other
            Status: NEW
          Severity: security
          Priority: P2
         Component: Default
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: jfrobishow at gmail.com


On Windows 7 64 bits JRE 6

Simple POC in Test.java.

I hashed a given password, when using checkpw against the hash it
returns true (if the seed is slightly modified, in my case I added aaa
at the end).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2011-May-30 18:34 UTC

head link

[Bug 1910] checkpw returns true when it shouldn't

https://bugzilla.mindrot.org/show_bug.cgi?id=1910

--- Comment #1 from jfrobishow at gmail.com 2011-05-31 04:34:58 EST ---
Created attachment 2052
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2052
POC code

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2011-May-30 19:47 UTC

head link

[Bug 1910] checkpw returns true when it shouldn't

https://bugzilla.mindrot.org/show_bug.cgi?id=1910

jfrobishow at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #2 from jfrobishow at gmail.com 2011-05-31 05:47:51 EST ---
Closing bug - the implementation is correct - bCrypt only XOR using the
first 72 bytes.  Perhaps a note in the doc would have been nice.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2011-Sep-06 05:33 UTC

head link

[Bug 1910] checkpw returns true when it shouldn't

https://bugzilla.mindrot.org/show_bug.cgi?id=1910

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-09-06 15:33:02
EST ---
close resolved bugs now that openssh-5.9 has been released

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

Reasonably Related Threads

Search for more apparently analagous threads

openssh bugs - May 2011 - [Bug 1910] New: checkpw returns true when it shouldn't

[Bug 1910] New: checkpw returns true when it shouldn't

[Bug 1910] checkpw returns true when it shouldn't

[Bug 1910] checkpw returns true when it shouldn't

[Bug 1910] checkpw returns true when it shouldn't

Reasonably Related Threads