[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt
Ronald Klop
ronald-lists at klop.ws
Fri Oct 24 13:12:07 UTC 2014
See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192277
Regards,
Ronald.
On Fri, 24 Oct 2014 13:14:20 +0200, Jim Pirzyk <pirzyk at freebsd.org> wrote:
> Hi,
>
> I was wondering if there is more information about this change? FreeBSD
> changed the default away from DES to MD5 back in the 1.1.5 -> 2.0
> transition. It seems to me a downgrade and rewarding bad programming to
> be changing back to DES now. Also the proper course of action is to
> correct programs that make the wrong assumption about what crypt()
> changes.
>
> Thanks
>
> - JimP
>
> On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices
> <errata-notices at freebsd.org> wrote:
>
>> =============================================================================
>> FreeBSD-EN-14:11.crypt Errata Notice
>> The FreeBSD Project
>>
>> Topic: crypt(3) default hashing algorithm
>>
>> Category: core
>> Module: libcrypt
>> Announced: 2014-10-22
>> Affects: FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 and before 2014-10-16.
>> Corrected: 2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE)
>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3)
>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2)
>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2)
>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2)
>> 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE)
>> 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4)
>>
>> For general information regarding FreeBSD Errata Notices and Security
>> Advisories, including descriptions of the fields above, security
>> branches, and the following sections, please visit
>> <URL:http://security.freebsd.org/>.
>>
>> I. Background
>>
>> The crypt(3) function performs password hashing. Different algorithms
>> of varying strength are available, with older, weaker algorithms being
>> retained for compatibility.
>>
>> The crypt(3) function was originally based on the DES encryption
>> algorithm and generated a 13-character hash from an eight-character
>> password (longer passwords were truncated) and a two-character salt.
>>
>> II. Problem Description
>>
>> In recent FreeBSD releases, the default algorithm for crypt(3) was
>> changed to SHA-512, which generates a much longer hash than the
>> traditional DES-based algorithm.
>>
>> III. Impact
>>
>> Many applications assume that crypt(3) always returns a traditional DES
>> hash, and blindly copy it into a short buffer without bounds checks. This
>> may lead to a variety of undesirable results including, at worst, crashing
>> the application.
>>
>> IV. Workaround
>>
>> No workaround is available.
>>
>> V. Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your system to a supported FreeBSD stable or release / security
>> branch (releng) dated after the correction date.
>>
>> 2) To update your present system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch
>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc
>> # gpg --verify crypt.patch.asc
>>
>> b) Apply the patch. Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile the operating system using buildworld and installworld as
>> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>>
>> Restart all daemons using the library, or reboot the system.
>>
>> 3) To update your system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>>
>> VI. Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> Branch/path                                                      Revision
>> -------------------------------------------------------------------------
>> stable/9/                                                         r273425
>> releng/9.3/                                                       r273438
>> stable/10/                                                        r273043
>> releng/10.1/                                                      r273187
>> -------------------------------------------------------------------------
>>
>> To see which files were modified by a particular revision, run the
>> following command, replacing NNNNNN with the revision number, on a
>> machine with Subversion installed:
>>
>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>
>> Or visit the following URL, replacing NNNNNN with the revision number:
>>
>> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>>
>> VII. References
>>
>> The latest revision of this Errata Notice is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc
>>
>
> --- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $
> __o jim at pirzyk.org
> --------------------------------------------------
> _'\<,_
> (*)/ (*) I'd rather be out biking.
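The buffer assumption described in section III of the quoted notice, as an added example in C. This is not code from the errata notice, from FreeBSD's libcrypt, or from either correspondent: the two hash strings are constructed samples of the 13-character DES layout and the `$6$` SHA-512 layout (not real crypt(3) output), and `struct legacy_record`, `store_hash_unchecked`, `store_hash_checked` and `classify_hash` are names chosen here. It puts the unchecked copy that the notice warns about beside a version that checks the hash length before storing it.

```c
/*
 * Added example (not from the errata notice, FreeBSD's libcrypt, or either
 * correspondent). It shows the defect described in section III: storing a
 * crypt(3) result in a buffer sized for the 13-character DES format, and a
 * bounds-checked alternative. No real crypt(3) call is made; both hash
 * strings are constructed samples of the two layouts, not genuine hashes.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Traditional DES crypt(3) output: 2 salt characters + 11 hash characters. */
#define DES_HASH_LEN 13

/* Constructed sample in the DES layout (13 printable characters). */
static const char SAMPLE_DES_HASH[] = "abJnggxhB/yWI";

/* Constructed sample in the Modular Crypt Format used by SHA-512 crypt:
 * "$6$" + 8-char salt + "$" + 86 base64 characters = 98 characters. */
static const char SAMPLE_SHA512_HASH[] =
    "$6$saltsalt$"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAA";

enum hash_kind { HASH_DES, HASH_MD5, HASH_SHA256, HASH_SHA512, HASH_BCRYPT, HASH_OTHER };

/* Classify a stored hash by its Modular Crypt Format prefix. A string with
 * no '$' and exactly 13 characters is the traditional DES form. Useful when
 * auditing a password database for which schemes are actually in use. */
enum hash_kind classify_hash(const char *h)
{
    if (h[0] != '$')
        return strlen(h) == DES_HASH_LEN ? HASH_DES : HASH_OTHER;
    if (strncmp(h, "$1$", 3) == 0) return HASH_MD5;
    if (strncmp(h, "$5$", 3) == 0) return HASH_SHA256;
    if (strncmp(h, "$6$", 3) == 0) return HASH_SHA512;
    if (strncmp(h, "$2", 2) == 0)  return HASH_BCRYPT;
    return HASH_OTHER;
}

/* The pattern the notice describes: a record laid out for DES output and
 * an unchecked copy. A SHA-512 result overruns r->hash into whatever
 * follows it in memory. Kept here for contrast only and never called. */
struct legacy_record {
    char name[16];
    char hash[DES_HASH_LEN + 1];
};

void store_hash_unchecked(struct legacy_record *r, const char *h)
{
    strcpy(r->hash, h);   /* no bounds check: overflows for any non-DES hash */
}

/* Bounds-checked replacement. It refuses rather than truncates: a truncated
 * hash can never verify, or worse, may be accepted by a later comparison
 * that also assumes a fixed length. Returns 0 on success, -1 if the hash
 * (plus terminator) does not fit. */
int store_hash_checked(char *dst, size_t dstsize, const char *h)
{
    size_t n = strlen(h);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, h, n + 1);
    return 0;
}

int main(void)
{
    char small[DES_HASH_LEN + 1];   /* what legacy code typically allocates */
    char large[256];                /* room for any scheme libcrypt offers */

    printf("DES-style sample fits small buffer: %s\n",
           store_hash_checked(small, sizeof small, SAMPLE_DES_HASH) == 0 ? "yes" : "no");
    printf("SHA-512-style sample fits small buffer: %s\n",
           store_hash_checked(small, sizeof small, SAMPLE_SHA512_HASH) == 0 ? "yes" : "no");
    printf("SHA-512-style sample fits large buffer: %s\n",
           store_hash_checked(large, sizeof large, SAMPLE_SHA512_HASH) == 0 ? "yes" : "no");
    printf("Scheme of long sample: %s\n",
           classify_hash(SAMPLE_SHA512_HASH) == HASH_SHA512 ? "SHA-512" : "other");
    return 0;
}
```

The design point is that the destination size, not the expected algorithm, decides whether the copy is safe; code that sizes its buffer generously (FreeBSD's `<pwd.h>` provides `_PASSWORD_LEN` for exactly this) and still checks the length keeps working whichever default the library ships with, which is the fix Jim's reply argues for rather than reverting the default.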