Bugzilla – Bug 700876
VUL-0: CVE-2011-2483: glibc: crypt_blowfish: 8-bit character mishandling
Last modified: 2024-01-29 15:49:14 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

crypt_blowfish suffers from a signedness issue. Some characters of passwords with the 8th bit set (i.e. umlauts) get ignored and therefore make such passwords easier to crack.

References:
Announcement by Solar Designer:
http://www.openwall.com/lists/oss-security/2011/06/20/2
Original discovery on the John the Ripper list:
http://www.openwall.com/lists/john-dev/2011/06/19/2
http://www.openwall.com/lists/john-dev/2011/06/19/3
http://www.openwall.com/lists/john-dev/2011/06/20/3
http://www.openwall.com/lists/john-dev/2011/06/20/5
Created attachment 435343: check if glibc is affected
Hmm, if we were to fix this problem it would mean that passwords in /etc/shadow created before the change (i.e. most of them on SUSE systems) would become invalid, as the hashing changes. Or, well, passwords with 8-bit chars at least. So, we either break potentially _many_ setups or we live with the bug :-/
Upstream solution is to keep the buggy implementation as $2x:
http://openwall.com/lists/oss-security/2011/06/20/6
http://openwall.com/lists/oss-security/2011/06/21/2
Patch:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.diff?r1=1.9;r2=1.10
CVE-2011-2483
addnote CVE-2011-2483 "This issue affects SUSE Linux. It however only affects passwords that use special characters with bit 8 set, like e.g. German umlauts. The usual English ASCII character set does not contain characters with bit 8 set and is safe.

A fix for this issue is not trivial, a reliable working method is currently developed and will be delivered soon."
Mitigating factor: the yast2 users module does not allow setting non-ASCII passwords. The command line tool and the GNOME frontend don't have such restrictions though.
The SWAMPID for this issue is 42358. This issue was rated as moderate. Please submit fixed packages by 2011-08-09. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in https://build.opensuse.org/request/show/77145 Factory / libxcrypt
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in
https://build.opensuse.org/request/show/77166 11.3 / glibc
https://build.opensuse.org/request/show/77167 11.4 / glibc
https://build.opensuse.org/request/show/77168 11.4 / libxcrypt
https://build.opensuse.org/request/show/77169 11.3 / libxcrypt
https://build.opensuse.org/request/show/77170 11.4 / libxcrypt
https://build.opensuse.org/request/show/77171 11.3 / pam-modules
https://build.opensuse.org/request/show/77172 11.4 / pam-modules
https://build.opensuse.org/request/show/77173 11.4 / pwdutils
https://build.opensuse.org/request/show/77174 11.3 / pwdutils
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in https://build.opensuse.org/request/show/79219 Factory / yast2-core
Update released for: glibc, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-debuginfo, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-debuginfo, glibc-obsolete, glibc-obsolete-debuginfo, glibc-profile, libxcrypt, libxcrypt-debuginfo, libxcrypt-debuginfo-32bit, libxcrypt-debuginfo-x86, libxcrypt-debugsource, libxcrypt-devel, nscd, nscd-debuginfo, pam-modules, pam-modules-debuginfo, pam-modules-debugsource, pwdutils, pwdutils-debuginfo, pwdutils-debugsource, pwdutils-plugin-audit, pwdutils-plugin-audit-debuginfo, pwdutils-rpasswd, pwdutils-rpasswd-debuginfo Products: openSUSE 11.3 (debug, i586, i686, x86_64) openSUSE 11.4 (debug, i586, i686, x86_64)
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in https://build.opensuse.org/request/show/79229 11.4 / yast2-core
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in https://build.opensuse.org/request/show/79240 11.3 / yast2-core
Update released for: glibc, glibc-32bit, glibc-64bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-64bit, glibc-dceext-devel, glibc-dceext-x86, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-64bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-64bit, glibc-profile-x86, glibc-x86, libxcrypt, libxcrypt-32bit, libxcrypt-64bit, libxcrypt-debuginfo, libxcrypt-devel, libxcrypt-x86, nscd, pam-modules, pam-modules-32bit, pam-modules-64bit, pam-modules-debuginfo, pam-modules-x86, pwdutils, pwdutils-debuginfo, pwdutils-plugin-audit Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
I got a complaint from my customer about this fix. The changes made are big and have an impact, but this is not documented. From the patch description you can see:

SUSE's crypt() implementation supports the blowfish password hashing function (id $2a) and system logins by default also use this method.
...
New password hashes are created with the id "$2y" to unambiguously identify them as generated with the correct implementation.
...

In the manpage crypt(3) you will find the following:
...
The following values of id are supported:

ID | Method
---------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some
   | Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)

So $5$salt$encrypted is an SHA-256 encoded password and
...

There is no entry for "2y" and this should be mentioned. Please also release an update for the man pages.
Update released for: glibc, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-profile, libxcrypt, libxcrypt-devel, nscd, pam-modules, pwdutils, timezone Products: Novell-Linux-POS 9 (i386) Open-Enterprise-Server 9 (i386) SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Update released for: yast2-core, yast2-core-debuginfo, yast2-core-debugsource, yast2-core-devel Products: openSUSE 11.3 (debug, i586, x86_64) openSUSE 11.4 (debug, i586, x86_64)
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in https://build.opensuse.org/request/show/80346 Factory / pam-modules
Update released for: yast2-core, yast2-core-debuginfo, yast2-core-debugsource, yast2-core-devel Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Submitted 2 days ago for SLE10 SP3 and SP4:
RPM: yast2-core-2.13.48
SVN: http://svn.opensuse.org/viewvc/yast?view=revision&revision=65489
IBS (SP3): https://build.suse.de/request/show/14543
IBS (SP4): https://build.suse.de/request/show/14544
This is an autogenerated message for OBS integration: This bug (700876) was mentioned in
https://build.opensuse.org/request/show/80724 Evergreen:11.2 / yast2-core
https://build.opensuse.org/request/show/80725 Evergreen:11.2 / glibc
https://build.opensuse.org/request/show/80726 Evergreen:11.2 / libxcrypt
https://build.opensuse.org/request/show/80727 Evergreen:11.2 / pwdutils
https://build.opensuse.org/request/show/80728 Evergreen:11.2 / pam-modules
All released meanwhile.
Update released for: yast2-core, yast2-core-debuginfo, yast2-core-devel Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: yast2-core, yast2-core-debuginfo, yast2-core-devel Products: SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SAP-APL 10-SP3 (x86_64) SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: postgresql, postgresql-contrib, postgresql-debuginfo, postgresql-devel, postgresql-docs, postgresql-libs, postgresql-libs-32bit, postgresql-pl, postgresql-server Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: postgresql, postgresql-contrib, postgresql-debuginfo, postgresql-devel, postgresql-docs, postgresql-libs, postgresql-libs-32bit, postgresql-libs-64bit, postgresql-libs-x86, postgresql-pl, postgresql-server Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)