mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
ad9ea8bf78
extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Core: Password_verify() always return true with some hash. Core: 1-byte array overrun in common path resolve code. SAPI: DOS vulnerability when parsing multipart request body. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0567 https://www.cve.org/CVERecord?id=CVE-2023-0568 https://www.cve.org/CVERecord?id=CVE-2023-0662 (* Security fix *) extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Core: Password_verify() always return true with some hash. Core: 1-byte array overrun in common path resolve code. SAPI: DOS vulnerability when parsing multipart request body. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0567 https://www.cve.org/CVERecord?id=CVE-2023-0568 https://www.cve.org/CVERecord?id=CVE-2023-0662 (* Security fix *) patches/packages/hwdata-0.367-noarch-1_slack15.0.txz: Upgraded. Upgraded to get information for newer hardware. Requested by kingbeowulf on LQ. patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/ https://www.cve.org/CVERecord?id=CVE-2023-25728 https://www.cve.org/CVERecord?id=CVE-2023-25730 https://www.cve.org/CVERecord?id=CVE-2023-25743 https://www.cve.org/CVERecord?id=CVE-2023-0767 https://www.cve.org/CVERecord?id=CVE-2023-25735 https://www.cve.org/CVERecord?id=CVE-2023-25737 https://www.cve.org/CVERecord?id=CVE-2023-25738 https://www.cve.org/CVERecord?id=CVE-2023-25739 https://www.cve.org/CVERecord?id=CVE-2023-25729 https://www.cve.org/CVERecord?id=CVE-2023-25732 https://www.cve.org/CVERecord?id=CVE-2023-25734 https://www.cve.org/CVERecord?id=CVE-2023-25742 https://www.cve.org/CVERecord?id=CVE-2023-25746 (* Security fix *) patches/packages/php-7.4.33-x86_64-3_slack15.0.txz: Rebuilt. This update fixes security issues: Core: Password_verify() always return true with some hash. Core: 1-byte array overrun in common path resolve code. SAPI: DOS vulnerability when parsing multipart request body. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0567 https://www.cve.org/CVERecord?id=CVE-2023-0568 https://www.cve.org/CVERecord?id=CVE-2023-0662 (* Security fix *)
142 lines
4 KiB
Diff
142 lines
4 KiB
Diff
From 7882d12ff2d8d8c5a4af821464e0a5ac2cde2002 Mon Sep 17 00:00:00 2001
|
||
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
|
||
Date: Mon, 23 Jan 2023 21:15:24 +0100
|
||
Subject: [PATCH] crypt: Fix validation of malformed BCrypt hashes
|
||
MIME-Version: 1.0
|
||
Content-Type: text/plain; charset=UTF-8
|
||
Content-Transfer-Encoding: 8bit
|
||
|
||
PHP’s implementation of crypt_blowfish differs from the upstream Openwall
|
||
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
|
||
by including a `$` character within the characters that represent the salt.
|
||
|
||
Hashes that are affected by the “PHP Hack” may erroneously validate any
|
||
password as valid when used with `password_verify` and when comparing the
|
||
return value of `crypt()` against the input.
|
||
|
||
The PHP Hack exists since the first version of PHP’s own crypt_blowfish
|
||
implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
|
||
|
||
No clear reason is given for the PHP Hack’s existence. This commit removes it,
|
||
because BCrypt hashes containing a `$` character in their salt are not valid
|
||
BCrypt hashes.
|
||
---
|
||
ext/standard/crypt_blowfish.c | 8 --
|
||
.../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++
|
||
2 files changed, 82 insertions(+), 8 deletions(-)
|
||
create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
|
||
|
||
diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
|
||
index 3806a290aee4..351d40308089 100644
|
||
--- a/ext/standard/crypt_blowfish.c
|
||
+++ b/ext/standard/crypt_blowfish.c
|
||
@@ -371,7 +371,6 @@ static const unsigned char BF_atoi64[0x60] = {
|
||
#define BF_safe_atoi64(dst, src) \
|
||
{ \
|
||
tmp = (unsigned char)(src); \
|
||
- if (tmp == '$') break; /* PHP hack */ \
|
||
if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
|
||
tmp = BF_atoi64[tmp]; \
|
||
if (tmp > 63) return -1; \
|
||
@@ -399,13 +398,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
|
||
*dptr++ = ((c3 & 0x03) << 6) | c4;
|
||
} while (dptr < end);
|
||
|
||
- if (end - dptr == size) {
|
||
- return -1;
|
||
- }
|
||
-
|
||
- while (dptr < end) /* PHP hack */
|
||
- *dptr++ = 0;
|
||
-
|
||
return 0;
|
||
}
|
||
|
||
diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
|
||
new file mode 100644
|
||
index 000000000000..32e335f4b087
|
||
--- /dev/null
|
||
+++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
|
||
@@ -0,0 +1,82 @@
|
||
+--TEST--
|
||
+bcrypt correctly rejects salts containing $
|
||
+--FILE--
|
||
+<?php
|
||
+for ($i = 0; $i < 23; $i++) {
|
||
+ $salt = '$2y$04$' . str_repeat('0', $i) . '$';
|
||
+ $result = crypt("foo", $salt);
|
||
+ var_dump($salt);
|
||
+ var_dump($result);
|
||
+ var_dump($result === $salt);
|
||
+}
|
||
+?>
|
||
+--EXPECT--
|
||
+string(8) "$2y$04$$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(9) "$2y$04$0$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(10) "$2y$04$00$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(11) "$2y$04$000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(12) "$2y$04$0000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(13) "$2y$04$00000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(14) "$2y$04$000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(15) "$2y$04$0000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(16) "$2y$04$00000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(17) "$2y$04$000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(18) "$2y$04$0000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(19) "$2y$04$00000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(20) "$2y$04$000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(21) "$2y$04$0000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(22) "$2y$04$00000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(23) "$2y$04$000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(24) "$2y$04$0000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(25) "$2y$04$00000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(26) "$2y$04$000000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(27) "$2y$04$0000000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(28) "$2y$04$00000000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(29) "$2y$04$000000000000000000000$"
|
||
+string(2) "*0"
|
||
+bool(false)
|
||
+string(30) "$2y$04$0000000000000000000000$"
|
||
+string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
|
||
+bool(false)
|