Site Navigation

Date:      Fri, 24 Oct 2014 06:14:20 -0500
From:      Jim Pirzyk <pirzyk@freeBSD.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt
Message-ID:  <F0DAE32B-34CF-4191-9070-A517ACDC6E2A@freeBSD.org>
In-Reply-To: <201410222107.s9ML7nLC010739@freefall.freebsd.org>
References:  <201410222107.s9ML7nLC010739@freefall.freebsd.org>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

--Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi,

I was wondering if there is more information about this change?  FreeBSD =
changed the default away from DES to MD5 back in the 1.1.5 -> 2.0 =
transition.  It seems to me a downgrade and rewarding bad programming to =
be changing back to DES now.  Also the proper course of action is to =
correct programs that make the wrong assumption about what crypt() =
changes.

Thanks

- JimP

On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices =
<errata-notices@freebsd.org> wrote:

> Signed PGP part
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
> FreeBSD-EN-14:11.crypt                                          Errata =
Notice
>                                                           The FreeBSD =
Project
>=20
> Topic:          crypt(3) default hashing algorithm
>=20
> Category:       core
> Module:         libcrypt
> Announced:      2014-10-22
> Affects:        FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 =
and
>                 before 2014-10-16.
> Corrected:      2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2)
>                 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE)
>                 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4)
>=20
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit
> <URL:http://security.freebsd.org/>.
>=20
> I.   Background
>=20
> The crypt(3) function performs password hashing.  Different algorithms
> of varying strength are available, with older, weaker algorithms being
> retained for compatibility.
>=20
> The crypt(3) function was originally based on the DES encryption
> algorithm and generated a 13-character hash from an eight-character
> password (longer passwords were truncated) and a two-character salt.
>=20
> II.  Problem Description
>=20
> In recent FreeBSD releases, the default algorithm for crypt(3) was
> changed to SHA-512, which generates a much longer hash than the
> traditional DES-based algorithm.
>=20
> III. Impact
>=20
> Many applications assume that crypt(3) always returns a traditional =
DES
> hash, and blindly copy it into a short buffer without bounds checks. =
This
> may lead to a variety of undesirable results including, at worst, =
crashing
> the application.
>=20
> IV.  Workaround
>=20
> No workaround is available.
>=20
> V.   Solution
>=20
> Perform one of the following:
>=20
> 1) Upgrade your system to a supported FreeBSD stable or release / =
security
> branch (releng) dated after the correction date.
>=20
> 2) To update your present system via a source code patch:
>=20
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>=20
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>=20
> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch
> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc
> # gpg --verify crypt.patch.asc
>=20
> b) Apply the patch.  Execute the following commands as root:
>=20
> # cd /usr/src
> # patch < /path/to/patch
>=20
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>=20
> Restart all deamons using the library, or reboot the system.
>=20
> 3) To update your system via a binary patch:
>=20
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>=20
> # freebsd-update fetch
> # freebsd-update install
>=20
> VI.  Correction details
>=20
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>=20
> Branch/path                                                      =
Revision
> =
-------------------------------------------------------------------------
> stable/9/                                                         =
r273425
> releng/9.3/                                                       =
r273438
> stable/10/                                                        =
r273043
> releng/10.1/                                                      =
r273187
> =
-------------------------------------------------------------------------
>=20
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>=20
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>=20
> Or visit the following URL, replacing NNNNNN with the revision number:
>=20
> <URL:http://svnweb.freebsd.org/base?view=3Drevision&revision=3DNNNNNN>;
>=20
> VII. References
>=20
> The latest revision of this Errata Notice is available at
> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc
>=20
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to =
"freebsd-announce-unsubscribe@freebsd.org"

--- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $
    __o  jim@pirzyk.org =
--------------------------------------------------
 _'\<,_
(*)/ (*) I'd rather be out biking.


--Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iFcDBQFUSjSS+2AFq07nokoRCHQtAP4nBn/msYhnsMGA/MZnyI+fjDIco8jwXGZl
qim0cNo0gQD/ZcEqf87MEnyfzvHbXMdd94rpsOs6mA5xt45kVbzvnmo=
=kfPf
-----END PGP SIGNATURE-----

--Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6--

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F0DAE32B-34CF-4191-9070-A517ACDC6E2A>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact