Date:      Sat, 27 Jun 1998 09:20:01 -0700 (PDT)
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        freebsd-bugs@FreeBSD.ORG
Subject:   Re: bin/7090: crypt(3) partially returns raw password when salt isn't null-terminated 
Message-ID:  <199806271620.JAA29831@freefall.freebsd.org>

The following reply was made to PR bin/7090; it has been noted by GNATS.

From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: japh@gol.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/7090: crypt(3) partially returns raw password when salt isn't null-terminated 
Date: Sat, 27 Jun 1998 18:10:57 +0200

 >	MD5 based crypt(3) in libcrypt.{a,so.maj.min} as distributed
 >	by FreeBSD returns a portion of the password in the clear,
 >	when the salt isn't terminated by a null character.
 >
 >	Example:
 >
 >	crypt("abcdefgh","YX") returns <$1$YXabcdef$.tHXoLufzR8OYyH4BBghm1
 >                                             ^^^^^^
 >	This problem surfaces when an application that assumes a salt
 >	is an array of two characters with no trailing null character
 >	calls crypt(3).  Such an example is xlock(1), with USE_XLOCKRC
 >	defined in the compilation.
 
 Then xlock doesn't use the crypt API correctly and should be fixed.
 
 --
 Poul-Henning Kamp             FreeBSD coreteam member
 phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
 "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
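
Added example, not part of the original message or of libcrypt: a caller that keeps its salt as a two-character field copies it into a NUL-terminated string before handing it to crypt(3). The salt_span() model (stop at NUL, '$' or 8 characters), the helper names and the sample record layout are assumptions chosen to match the output quoted in the PR.

```c
#include <stdio.h>
#include <string.h>

#define MD5_SALT_MAX 8  /* assumption: the MD5 scheme reads at most 8 salt chars */

/* Model of a salt scan: count characters until NUL, '$' or the 8-char limit.
 * Hypothetical helper written for this example, not the libcrypt source. */
size_t salt_span(const char *salt)
{
    size_t n = 0;
    while (n < MD5_SALT_MAX && salt[n] != '\0' && salt[n] != '$')
        n++;
    return n;
}

/* Copy a fixed two-byte salt field into a NUL-terminated C string. */
const char *salt_cstr(const char field[2], char out[3])
{
    memcpy(out, field, 2);
    out[2] = '\0';
    return out;
}

/* Constructed sample: a 2-byte salt field stored directly in front of the
 * password, with no terminator between them. */
static const char record[] = "YXabcdefgh";

/* Passing the raw field: the scan runs on into the password bytes. */
size_t span_unterminated(void) { return salt_span(record); }

/* Passing a terminated copy: the scan stops after the two salt bytes. */
size_t span_terminated(void)
{
    char salt[3];
    return salt_span(salt_cstr(record, salt));
}

int main(void)
{
    char salt[3];
    printf("salt seen via raw field:       %.*s\n",
           (int)span_unterminated(), record);
    printf("salt seen via terminated copy: %s\n", salt_cstr(record, salt));
    return 0;
}
```

The terminated copy is what should be passed as the second argument to crypt(3).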
