/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-2483.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2011-2483.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (hide annotations) (download)
Thu Nov 3 22:54:19 2011 UTC (13 years ago) by slords
Branch: MAIN
CVS Tags: php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, php-5_3_3-14_el5_sme, php-5_3_3-1_el5_sme_6, php-5_3_3-13_el5_sme_1, php-5_3_3-1_el5_sme_3, php-5_3_3-13_el5_sme_2, php-5_3_3-17_el5_sme, php-5_3_3-13_el5_sme, HEAD
Changes since 1.1: +584 -0 lines
* Thu Nov 2 2011 Shad L. Lords <slords@mail.com> - 5.3.3-1.3.sme
- Obsolete php-domxml and php-dom [SME: 6733]
- Update Obsoletes and Conflicts [SME: 6436]

1 slords 1.2
2     https://bugzilla.redhat.com/show_bug.cgi?id=715025
3    
4     http://svn.php.net/viewvc?view=revision&revision=313406
5     http://svn.php.net/viewvc?view=revision&revision=313999
6    
7     --- php-5.3.3/ext/standard/crypt_blowfish.c.cve2483
8     +++ php-5.3.3/ext/standard/crypt_blowfish.c
9     @@ -1,28 +1,39 @@
10     +/* $Id$ */
11     /*
12     - $Id: crypt_blowfish.c 295339 2010-02-21 23:47:14Z pajoye $
13     -*/
14     -/*
15     + * The crypt_blowfish homepage is:
16     + *
17     + * http://www.openwall.com/crypt/
18     + *
19     * This code comes from John the Ripper password cracker, with reentrant
20     * and crypt(3) interfaces added, but optimizations specific to password
21     * cracking removed.
22     *
23     - * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
24     - * placed in the public domain.
25     + * Written by Solar Designer <solar at openwall.com> in 1998-2011.
26     + * No copyright is claimed, and the software is hereby placed in the public
27     + * domain. In case this attempt to disclaim copyright and place the software
28     + * in the public domain is deemed null and void, then the software is
29     + * Copyright (c) 1998-2011 Solar Designer and it is hereby released to the
30     + * general public under the following terms:
31     *
32     - * There's absolutely no warranty.
33     + * Redistribution and use in source and binary forms, with or without
34     + * modification, are permitted.
35     + *
36     + * There's ABSOLUTELY NO WARRANTY, express or implied.
37     *
38     * It is my intent that you should be able to use this on your system,
39     - * as a part of a software package, or anywhere else to improve security,
40     + * as part of a software package, or anywhere else to improve security,
41     * ensure compatibility, or for any other purpose. I would appreciate
42     * it if you give credit where it is due and keep your modifications in
43     * the public domain as well, but I don't require that in order to let
44     * you place this code and any modifications you make under a license
45     * of your choice.
46     *
47     - * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
48     - * by Niels Provos <provos at citi.umich.edu>, and uses some of his
49     + * This implementation is mostly compatible with OpenBSD's bcrypt.c (prefix
50     + * "$2a$") by Niels Provos <provos at citi.umich.edu>, and uses some of his
51     * ideas. The password hashing algorithm was designed by David Mazieres
52     - * <dm at lcs.mit.edu>.
53     + * <dm at lcs.mit.edu>. For more information on the level of compatibility,
54     + * please refer to the comments in BF_set_key() below and to the crypt(3)
55     + * man page included in the crypt_blowfish tarball.
56     *
57     * There's a paper on the algorithm that explains its design decisions:
58     *
59     @@ -40,16 +51,8 @@
60     #define __set_errno(val) errno = (val)
61     #endif
62    
63     -
64     -#ifndef __const
65     -#ifdef __GNUC__
66     -#define __CONST __const
67     -#else
68     -#define __CONST
69     -#endif
70     -#else
71     -#define __CONST __const
72     -#endif
73     +/* Just to make sure the prototypes match the actual definitions */
74     +#include "crypt_blowfish.h"
75    
76     #ifdef __i386__
77     #define BF_ASM 0
78     @@ -63,6 +66,7 @@
79     #endif
80    
81     typedef unsigned int BF_word;
82     +typedef signed int BF_word_signed;
83    
84     /* Number of Blowfish rounds, this is also hardcoded into a few places */
85     #define BF_N 16
86     @@ -370,35 +374,21 @@ static unsigned char BF_atoi64[0x60] = {
87     43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
88     };
89    
90     -/*
91     - * This may be optimized out if built with function inlining and no BF_ASM.
92     - */
93     -static void clean(void *data, int size)
94     -{
95     -#if BF_ASM
96     - extern void _BF_clean(void *data);
97     -#endif
98     - memset(data, 0, size);
99     -#if BF_ASM
100     - _BF_clean(data);
101     -#endif
102     -}
103     -
104     #define BF_safe_atoi64(dst, src) \
105     { \
106     tmp = (unsigned char)(src); \
107     - if (tmp == '$') break; \
108     + if (tmp == '$') break; /* PHP hack */ \
109     if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
110     tmp = BF_atoi64[tmp]; \
111     if (tmp > 63) return -1; \
112     (dst) = tmp; \
113     }
114    
115     -static int BF_decode(BF_word *dst, __CONST char *src, int size)
116     +static int BF_decode(BF_word *dst, const char *src, int size)
117     {
118     unsigned char *dptr = (unsigned char *)dst;
119     unsigned char *end = dptr + size;
120     - unsigned char *sptr = (unsigned char *)src;
121     + const unsigned char *sptr = (const unsigned char *)src;
122     unsigned int tmp, c1, c2, c3, c4;
123    
124     do {
125     @@ -415,16 +405,16 @@ static int BF_decode(BF_word *dst, __CON
126     *dptr++ = ((c3 & 0x03) << 6) | c4;
127     } while (dptr < end);
128    
129     - while (dptr < end)
130     + while (dptr < end) /* PHP hack */
131     *dptr++ = 0;
132    
133     return 0;
134     }
135    
136     -static void BF_encode(char *dst, __CONST BF_word *src, int size)
137     +static void BF_encode(char *dst, const BF_word *src, int size)
138     {
139     - unsigned char *sptr = (unsigned char *)src;
140     - unsigned char *end = sptr + size;
141     + const unsigned char *sptr = (const unsigned char *)src;
142     + const unsigned char *end = sptr + size;
143     unsigned char *dptr = (unsigned char *)dst;
144     unsigned int c1, c2;
145    
146     @@ -555,32 +545,117 @@ static void BF_swap(BF_word *x, int coun
147     } while (ptr < &data.ctx.S[3][0xFF]);
148     #endif
149    
150     -static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
151     +static void BF_set_key(const char *key, BF_key expanded, BF_key initial,
152     + unsigned char flags)
153     {
154     - __CONST char *ptr = key;
155     - int i, j;
156     - BF_word tmp;
157     + const char *ptr = key;
158     + unsigned int bug, i, j;
159     + BF_word safety, sign, diff, tmp[2];
160     +
161     +/*
162     + * There was a sign extension bug in older revisions of this function. While
163     + * we would have liked to simply fix the bug and move on, we have to provide
164     + * a backwards compatibility feature (essentially the bug) for some systems and
165     + * a safety measure for some others. The latter is needed because for certain
166     + * multiple inputs to the buggy algorithm there exist easily found inputs to
167     + * the correct algorithm that produce the same hash. Thus, we optionally
168     + * deviate from the correct algorithm just enough to avoid such collisions.
169     + * While the bug itself affected the majority of passwords containing
170     + * characters with the 8th bit set (although only a percentage of those in a
171     + * collision-producing way), the anti-collision safety measure affects
172     + * only a subset of passwords containing the '\xff' character (not even all of
173     + * those passwords, just some of them). This character is not found in valid
174     + * UTF-8 sequences and is rarely used in popular 8-bit character encodings.
175     + * Thus, the safety measure is unlikely to cause much annoyance, and is a
176     + * reasonable tradeoff to use when authenticating against existing hashes that
177     + * are not reliably known to have been computed with the correct algorithm.
178     + *
179     + * We use an approach that tries to minimize side-channel leaks of password
180     + * information - that is, we mostly use fixed-cost bitwise operations instead
181     + * of branches or table lookups. (One conditional branch based on password
182     + * length remains. It is not part of the bug aftermath, though, and is
183     + * difficult and possibly unreasonable to avoid given the use of C strings by
184     + * the caller, which results in similar timing leaks anyway.)
185     + *
186     + * For actual implementation, we set an array index in the variable "bug"
187     + * (0 means no bug, 1 means sign extension bug emulation) and a flag in the
188     + * variable "safety" (bit 16 is set when the safety measure is requested).
189     + * Valid combinations of settings are:
190     + *
191     + * Prefix "$2a$": bug = 0, safety = 0x10000
192     + * Prefix "$2x$": bug = 1, safety = 0
193     + * Prefix "$2y$": bug = 0, safety = 0
194     + */
195     + bug = (unsigned int)flags & 1;
196     + safety = ((BF_word)flags & 2) << 15;
197     +
198     + sign = diff = 0;
199    
200     for (i = 0; i < BF_N + 2; i++) {
201     - tmp = 0;
202     + tmp[0] = tmp[1] = 0;
203     for (j = 0; j < 4; j++) {
204     - tmp <<= 8;
205     - tmp |= *ptr;
206     -
207     - if (!*ptr) ptr = key; else ptr++;
208     + tmp[0] <<= 8;
209     + tmp[0] |= (unsigned char)*ptr; /* correct */
210     + tmp[1] <<= 8;
211     + tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */
212     +/*
213     + * Sign extension in the first char has no effect - nothing to overwrite yet,
214     + * and those extra 24 bits will be fully shifted out of the 32-bit word. For
215     + * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign
216     + * extension in tmp[1] occurs. Once this flag is set, it remains set.
217     + */
218     + if (j)
219     + sign |= tmp[1] & 0x80;
220     + if (!*ptr)
221     + ptr = key;
222     + else
223     + ptr++;
224     }
225     + diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */
226    
227     - expanded[i] = tmp;
228     - initial[i] = BF_init_state.P[i] ^ tmp;
229     + expanded[i] = tmp[bug];
230     + initial[i] = BF_init_state.P[i] ^ tmp[bug];
231     }
232     +
233     +/*
234     + * At this point, "diff" is zero iff the correct and buggy algorithms produced
235     + * exactly the same result. If so and if "sign" is non-zero, which indicates
236     + * that there was a non-benign sign extension, this means that we have a
237     + * collision between the correctly computed hash for this password and a set of
238     + * passwords that could be supplied to the buggy algorithm. Our safety measure
239     + * is meant to protect from such many-buggy to one-correct collisions, by
240     + * deviating from the correct algorithm in such cases. Let's check for this.
241     + */
242     + diff |= diff >> 16; /* still zero iff exact match */
243     + diff &= 0xffff; /* ditto */
244     + diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */
245     + sign <<= 9; /* move the non-benign sign extension flag to bit 16 */
246     + sign &= ~diff & safety; /* action needed? */
247     +
248     +/*
249     + * If we have determined that we need to deviate from the correct algorithm,
250     + * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but
251     + * let's stick to it now. It came out of the approach we used above, and it's
252     + * not any worse than any other choice we could make.)
253     + *
254     + * It is crucial that we don't do the same to the expanded key used in the main
255     + * Eksblowfish loop. By doing it to only one of these two, we deviate from a
256     + * state that could be directly specified by a password to the buggy algorithm
257     + * (and to the fully correct one as well, but that's a side-effect).
258     + */
259     + initial[0] ^= sign;
260     }
261    
262     -char *php_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
263     - char *output, int size)
264     +static char *BF_crypt(const char *key, const char *setting,
265     + char *output, int size,
266     + BF_word min)
267     {
268     #if BF_ASM
269     extern void _BF_body_r(BF_ctx *ctx);
270     #endif
271     + static const unsigned char flags_by_subtype[26] =
272     + {2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
273     + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0};
274     struct {
275     BF_ctx ctx;
276     BF_key expanded_key;
277     @@ -602,7 +677,8 @@ char *php_crypt_blowfish_rn(__CONST char
278    
279     if (setting[0] != '$' ||
280     setting[1] != '2' ||
281     - setting[2] != 'a' ||
282     + setting[2] < 'a' || setting[2] > 'z' ||
283     + !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] ||
284     setting[3] != '$' ||
285     setting[4] < '0' || setting[4] > '3' ||
286     setting[5] < '0' || setting[5] > '9' ||
287     @@ -613,15 +689,14 @@ char *php_crypt_blowfish_rn(__CONST char
288     }
289    
290     count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
291     - if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
292     - clean(data.binary.salt, sizeof(data.binary.salt));
293     + if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
294     __set_errno(EINVAL);
295     return NULL;
296     }
297     -
298     BF_swap(data.binary.salt, 4);
299    
300     - BF_set_key(key, data.expanded_key, data.ctx.P);
301     + BF_set_key(key, data.expanded_key, data.ctx.P,
302     + flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']);
303    
304     memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
305    
306     @@ -651,51 +726,33 @@ char *php_crypt_blowfish_rn(__CONST char
307     } while (ptr < &data.ctx.S[3][0xFF]);
308    
309     do {
310     - data.ctx.P[0] ^= data.expanded_key[0];
311     - data.ctx.P[1] ^= data.expanded_key[1];
312     - data.ctx.P[2] ^= data.expanded_key[2];
313     - data.ctx.P[3] ^= data.expanded_key[3];
314     - data.ctx.P[4] ^= data.expanded_key[4];
315     - data.ctx.P[5] ^= data.expanded_key[5];
316     - data.ctx.P[6] ^= data.expanded_key[6];
317     - data.ctx.P[7] ^= data.expanded_key[7];
318     - data.ctx.P[8] ^= data.expanded_key[8];
319     - data.ctx.P[9] ^= data.expanded_key[9];
320     - data.ctx.P[10] ^= data.expanded_key[10];
321     - data.ctx.P[11] ^= data.expanded_key[11];
322     - data.ctx.P[12] ^= data.expanded_key[12];
323     - data.ctx.P[13] ^= data.expanded_key[13];
324     - data.ctx.P[14] ^= data.expanded_key[14];
325     - data.ctx.P[15] ^= data.expanded_key[15];
326     - data.ctx.P[16] ^= data.expanded_key[16];
327     - data.ctx.P[17] ^= data.expanded_key[17];
328     -
329     - BF_body();
330     -
331     - tmp1 = data.binary.salt[0];
332     - tmp2 = data.binary.salt[1];
333     - tmp3 = data.binary.salt[2];
334     - tmp4 = data.binary.salt[3];
335     - data.ctx.P[0] ^= tmp1;
336     - data.ctx.P[1] ^= tmp2;
337     - data.ctx.P[2] ^= tmp3;
338     - data.ctx.P[3] ^= tmp4;
339     - data.ctx.P[4] ^= tmp1;
340     - data.ctx.P[5] ^= tmp2;
341     - data.ctx.P[6] ^= tmp3;
342     - data.ctx.P[7] ^= tmp4;
343     - data.ctx.P[8] ^= tmp1;
344     - data.ctx.P[9] ^= tmp2;
345     - data.ctx.P[10] ^= tmp3;
346     - data.ctx.P[11] ^= tmp4;
347     - data.ctx.P[12] ^= tmp1;
348     - data.ctx.P[13] ^= tmp2;
349     - data.ctx.P[14] ^= tmp3;
350     - data.ctx.P[15] ^= tmp4;
351     - data.ctx.P[16] ^= tmp1;
352     - data.ctx.P[17] ^= tmp2;
353     + int done;
354    
355     - BF_body();
356     + for (i = 0; i < BF_N + 2; i += 2) {
357     + data.ctx.P[i] ^= data.expanded_key[i];
358     + data.ctx.P[i + 1] ^= data.expanded_key[i + 1];
359     + }
360     +
361     + done = 0;
362     + do {
363     + BF_body();
364     + if (done)
365     + break;
366     + done = 1;
367     +
368     + tmp1 = data.binary.salt[0];
369     + tmp2 = data.binary.salt[1];
370     + tmp3 = data.binary.salt[2];
371     + tmp4 = data.binary.salt[3];
372     + for (i = 0; i < BF_N; i += 4) {
373     + data.ctx.P[i] ^= tmp1;
374     + data.ctx.P[i + 1] ^= tmp2;
375     + data.ctx.P[i + 2] ^= tmp3;
376     + data.ctx.P[i + 3] ^= tmp4;
377     + }
378     + data.ctx.P[16] ^= tmp1;
379     + data.ctx.P[17] ^= tmp2;
380     + } while (1);
381     } while (--count);
382    
383     for (i = 0; i < 6; i += 2) {
384     @@ -721,19 +778,114 @@ char *php_crypt_blowfish_rn(__CONST char
385     BF_encode(&output[7 + 22], data.binary.output, 23);
386     output[7 + 22 + 31] = '\0';
387    
388     -/* Overwrite the most obvious sensitive data we have on the stack. Note
389     - * that this does not guarantee there's no sensitive data left on the
390     - * stack and/or in registers; I'm not aware of portable code that does. */
391     - clean(&data, sizeof(data));
392     -
393     return output;
394     }
395    
396     -char *php_crypt_gensalt_blowfish_rn(unsigned long count,
397     - __CONST char *input, int size, char *output, int output_size)
398     +static int _crypt_output_magic(const char *setting, char *output, int size)
399     +{
400     + if (size < 3)
401     + return -1;
402     +
403     + output[0] = '*';
404     + output[1] = '0';
405     + output[2] = '\0';
406     +
407     + if (setting[0] == '*' && setting[1] == '0')
408     + output[1] = '1';
409     +
410     + return 0;
411     +}
412     +
413     +/*
414     + * Please preserve the runtime self-test. It serves two purposes at once:
415     + *
416     + * 1. We really can't afford the risk of producing incompatible hashes e.g.
417     + * when there's something like gcc bug 26587 again, whereas an application or
418     + * library integrating this code might not also integrate our external tests or
419     + * it might not run them after every build. Even if it does, the miscompile
420     + * might only occur on the production build, but not on a testing build (such
421     + * as because of different optimization settings). It is painful to recover
422     + * from incorrectly-computed hashes - merely fixing whatever broke is not
423     + * enough. Thus, a proactive measure like this self-test is needed.
424     + *
425     + * 2. We don't want to leave sensitive data from our actual password hash
426     + * computation on the stack or in registers. Previous revisions of the code
427     + * would do explicit cleanups, but simply running the self-test after hash
428     + * computation is more reliable.
429     + *
430     + * The performance cost of this quick self-test is around 0.6% at the "$2a$08"
431     + * setting.
432     + */
433     +char *php_crypt_blowfish_rn(const char *key, const char *setting,
434     + char *output, int size)
435     +{
436     + const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
437     + const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu";
438     + static const char * const test_hash[2] =
439     + {"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55", /* $2x$ */
440     + "i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55"}; /* $2a$, $2y$ */
441     + char *retval;
442     + const char *p;
443     + int save_errno, ok;
444     + struct {
445     + char s[7 + 22 + 1];
446     + char o[7 + 22 + 31 + 1 + 1 + 1];
447     + } buf;
448     +
449     +/* Hash the supplied password */
450     + _crypt_output_magic(setting, output, size);
451     + retval = BF_crypt(key, setting, output, size, 16);
452     + save_errno = errno;
453     +
454     +/*
455     + * Do a quick self-test. It is important that we make both calls to BF_crypt()
456     + * from the same scope such that they likely use the same stack locations,
457     + * which makes the second call overwrite the first call's sensitive data on the
458     + * stack and makes it more likely that any alignment related issues would be
459     + * detected by the self-test.
460     + */
461     + memcpy(buf.s, test_setting, sizeof(buf.s));
462     + if (retval)
463     + buf.s[2] = setting[2];
464     + memset(buf.o, 0x55, sizeof(buf.o));
465     + buf.o[sizeof(buf.o) - 1] = 0;
466     + p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1);
467     +
468     + ok = (p == buf.o &&
469     + !memcmp(p, buf.s, 7 + 22) &&
470     + !memcmp(p + (7 + 22),
471     + test_hash[(unsigned int)(unsigned char)buf.s[2] & 1],
472     + 31 + 1 + 1 + 1));
473     +
474     + {
475     + const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345";
476     + BF_key ae, ai, ye, yi;
477     + BF_set_key(k, ae, ai, 2); /* $2a$ */
478     + BF_set_key(k, ye, yi, 4); /* $2y$ */
479     + ai[0] ^= 0x10000; /* undo the safety (for comparison) */
480     + ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 &&
481     + !memcmp(ae, ye, sizeof(ae)) &&
482     + !memcmp(ai, yi, sizeof(ai));
483     + }
484     +
485     + __set_errno(save_errno);
486     + if (ok)
487     + return retval;
488     +
489     +/* Should not happen */
490     + _crypt_output_magic(setting, output, size);
491     + __set_errno(EINVAL); /* pretend we don't support this hash type */
492     + return NULL;
493     +}
494     +
495     +#if 0
496     +char *_crypt_gensalt_blowfish_rn(const char *prefix, unsigned long count,
497     + const char *input, int size, char *output, int output_size)
498     {
499     if (size < 16 || output_size < 7 + 22 + 1 ||
500     - (count && (count < 4 || count > 31))) {
501     + (count && (count < 4 || count > 31)) ||
502     + prefix[0] != '$' || prefix[1] != '2' ||
503     + (prefix[2] != 'a' && prefix[2] != 'y')) {
504     if (output_size > 0) output[0] = '\0';
505     __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
506     return NULL;
507     @@ -743,14 +895,15 @@ char *php_crypt_gensalt_blowfish_rn(unsi
508    
509     output[0] = '$';
510     output[1] = '2';
511     - output[2] = 'a';
512     + output[2] = prefix[2];
513     output[3] = '$';
514     output[4] = '0' + count / 10;
515     output[5] = '0' + count % 10;
516     output[6] = '$';
517    
518     - BF_encode(&output[7], (BF_word *)input, 16);
519     + BF_encode(&output[7], (const BF_word *)input, 16);
520     output[7 + 22] = '\0';
521    
522     return output;
523     }
524     +#endif
525     --- php-5.3.3/ext/standard/crypt_blowfish.h.cve2483
526     +++ php-5.3.3/ext/standard/crypt_blowfish.h
527     @@ -0,0 +1,32 @@
528     +/* $Id$ */
529     +/*
530     + * Written by Solar Designer <solar at openwall.com> in 2000-2011.
531     + * No copyright is claimed, and the software is hereby placed in the public
532     + * domain. In case this attempt to disclaim copyright and place the software
533     + * in the public domain is deemed null and void, then the software is
534     + * Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
535     + * general public under the following terms:
536     + *
537     + * Redistribution and use in source and binary forms, with or without
538     + * modification, are permitted.
539     + *
540     + * There's ABSOLUTELY NO WARRANTY, express or implied.
541     + *
542     + * See crypt_blowfish.c for more information.
543     + */
544     +
545     +#ifndef _CRYPT_BLOWFISH_H
546     +#define _CRYPT_BLOWFISH_H
547     +
548     +#if 0
549     +extern int _crypt_output_magic(const char *setting, char *output, int size);
550     +#endif
551     +extern char *php_crypt_blowfish_rn(const char *key, const char *setting,
552     + char *output, int size);
553     +#if 0
554     +extern char *_crypt_gensalt_blowfish_rn(const char *prefix,
555     + unsigned long count,
556     + const char *input, int size, char *output, int output_size);
557     +#endif
558     +
559     +#endif
560     --- php-5.3.3/ext/standard/crypt.c.cve2483
561     +++ php-5.3.3/ext/standard/crypt.c
562     @@ -240,7 +240,7 @@ PHP_FUNCTION(crypt)
563     } else if (
564     salt[0] == '$' &&
565     salt[1] == '2' &&
566     - salt[2] == 'a' &&
567     + salt[2] >= 'a' && salt[2] <= 'z' &&
568     salt[3] == '$' &&
569     salt[4] >= '0' && salt[4] <= '3' &&
570     salt[5] >= '0' && salt[5] <= '9' &&
571     --- php-5.3.3/ext/standard/php_crypt_r.h.cve2483
572     +++ php-5.3.3/ext/standard/php_crypt_r.h
573     @@ -46,9 +46,9 @@ PHPAPI char *php_crypt_r (const char *__
574    
575     #define MD5_HASH_MAX_LEN 120
576    
577     +#include "crypt_blowfish.h"
578     +
579     extern char * php_md5_crypt_r(const char *pw, const char *salt, char *out);
580     -extern char * php_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
581     - char *output, int size);
582     extern char * php_sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen);
583     extern char * php_sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen);
584    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed