[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt
Ronald Klop
ronald-lists at klop.ws
Fri Oct 24 13:49:08 UTC 2014
Hi,
I have nothing to do with the actual coding, but please reread comment 7
from the bug report:
'This doesn't have anything common with system default password
encryption, this is realized using /etc/login.conf and applications like
passwd, etc.'
Regards,
Ronald.
On Fri, 24 Oct 2014 15:21:48 +0200, Jim Pirzyk <pirzyk at freebsd.org> wrote:
> I think this should be reopened and reverted. This is the wrong answer
> and has not taken into account the history of crypt() on FreeBSD. I
> point you to the svn log:
>
> http://svnweb.freebsd.org/base?view=revision&revision=4246
>
> and
>
> http://www.freebsd.org/releases/2.0/notes.html
>
> If password security for FreeBSD is all you need, and you have no
> requirement for copying encrypted passwords from different hosts (Suns,
> DEC machines, etc) into FreeBSD password entries, then FreeBSD's MD5
> based security may be all you require! We feel that our default security
> model is more than a match for DES, and without any messy export issues
> to deal with. If you're outside (or even inside) the U.S., give it a
> try!
>
> We are reversing 20+ years of FreeBSD progress.
>
> - JimP
>
> On Oct 24, 2014, at 8:11 AM, Ronald Klop <ronald-lists at klop.ws> wrote:
>
>> See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192277
>>
>> Regards,
>> Ronald.
>>
>> On Fri, 24 Oct 2014 13:14:20 +0200, Jim Pirzyk <pirzyk at freebsd.org>
>> wrote:
>>
>>> Hi,
>>>
>>> I was wondering if there is more information about this change?
>>> FreeBSD changed the default away from DES to MD5 back in the 1.1.5 ->
>>> 2.0 transition. It seems to me a downgrade and rewarding bad
>>> programming to be changing back to DES now. Also the proper course of
>>> action is to correct programs that make the wrong assumption about
>>> what crypt() changes.
>>>
>>> Thanks
>>>
>>> - JimP
>>>
>>> On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices
>>> <errata-notices at freebsd.org> wrote:
>>>
>>>> =============================================================================
>>>> FreeBSD-EN-14:11.crypt                                        Errata Notice
>>>>                                                           The FreeBSD Project
>>>>
>>>> Topic: crypt(3) default hashing algorithm
>>>>
>>>> Category: core
>>>> Module: libcrypt
>>>> Announced: 2014-10-22
>>>> Affects: FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 and
>>>> before 2014-10-16.
>>>> Corrected: 2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE)
>>>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3)
>>>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2)
>>>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2)
>>>> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2)
>>>> 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE)
>>>> 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4)
>>>>
>>>> For general information regarding FreeBSD Errata Notices and Security
>>>> Advisories, including descriptions of the fields above, security
>>>> branches, and the following sections, please visit
>>>> <URL:http://security.freebsd.org/>.
>>>>
>>>> I. Background
>>>>
>>>> The crypt(3) function performs password hashing. Different algorithms
>>>> of varying strength are available, with older, weaker algorithms being
>>>> retained for compatibility.
>>>>
>>>> The crypt(3) function was originally based on the DES encryption
>>>> algorithm and generated a 13-character hash from an eight-character
>>>> password (longer passwords were truncated) and a two-character salt.
>>>>
>>>> II. Problem Description
>>>>
>>>> In recent FreeBSD releases, the default algorithm for crypt(3) was
>>>> changed to SHA-512, which generates a much longer hash than the
>>>> traditional DES-based algorithm.
>>>>
>>>> III. Impact
>>>>
>>>> Many applications assume that crypt(3) always returns a traditional DES
>>>> hash, and blindly copy it into a short buffer without bounds checks. This
>>>> may lead to a variety of undesirable results including, at worst, crashing
>>>> the application.
>>>>
>>>> IV. Workaround
>>>>
>>>> No workaround is available.
>>>>
>>>> V. Solution
>>>>
>>>> Perform one of the following:
>>>>
>>>> 1) Upgrade your system to a supported FreeBSD stable or release / security
>>>> branch (releng) dated after the correction date.
>>>>
>>>> 2) To update your present system via a source code patch:
>>>>
>>>> The following patches have been verified to apply to the applicable
>>>> FreeBSD release branches.
>>>>
>>>> a) Download the relevant patch from the location below, and verify the
>>>> detached PGP signature using your PGP utility.
>>>>
>>>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch
>>>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc
>>>> # gpg --verify crypt.patch.asc
>>>>
>>>> b) Apply the patch. Execute the following commands as root:
>>>>
>>>> # cd /usr/src
>>>> # patch < /path/to/patch
>>>>
>>>> c) Recompile the operating system using buildworld and installworld as
>>>> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>>>>
>>>> Restart all daemons using the library, or reboot the system.
>>>>
>>>> 3) To update your system via a binary patch:
>>>>
>>>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>>>> platforms can be updated via the freebsd-update(8) utility:
>>>>
>>>> # freebsd-update fetch
>>>> # freebsd-update install
>>>>
>>>> VI. Correction details
>>>>
>>>> The following list contains the revision numbers of each file that was
>>>> corrected in FreeBSD.
>>>>
>>>> Branch/path                                                      Revision
>>>> -------------------------------------------------------------------------
>>>> stable/9/                                                         r273425
>>>> releng/9.3/                                                       r273438
>>>> stable/10/                                                        r273043
>>>> releng/10.1/                                                      r273187
>>>> -------------------------------------------------------------------------
>>>>
>>>> To see which files were modified by a particular revision, run the
>>>> following command, replacing NNNNNN with the revision number, on a
>>>> machine with Subversion installed:
>>>>
>>>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>>>
>>>> Or visit the following URL, replacing NNNNNN with the revision number:
>>>>
>>>> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>>>>
>>>> VII. References
>>>>
>>>> The latest revision of this Errata Notice is available at
>>>> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc
>>>>
>>>
>>> --- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $
>>> __o jim at pirzyk.org
>>> --------------------------------------------------
>>> _'\<,_
>>> (*)/ (*) I'd rather be out biking.
>
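The Impact section of the quoted notice describes programs that size a buffer for the 13-character DES hash and then copy whatever crypt(3) returns into it. The C below is an added example written for this page, not code from the thread, from FreeBSD's libcrypt, or from any of the applications the notice refers to. It shows the bounded copy a caller should do instead, plus a prefix check that reports which scheme produced a hash. The sample hash strings are constructed to have the right shape and are not real credentials; the function names `hash_algorithm` and `store_hash` are my own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample outputs (not real credentials) with the shapes that
 * crypt(3) produces: traditional DES is 2 salt chars + 11 hash chars = 13;
 * SHA-512 crypt is "$6$" + salt + "$" + 86 hash chars, here 98 in total.
 * Both strings are assumptions for this example, not taken from the notice.
 */
static const char SAMPLE_DES_HASH[] = "abJnggxhB/yWI";
static const char SAMPLE_SHA512_HASH[] =
    "$6$saltsalt$"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
    "ABCDEFGHIJKLMNOPQRSTUV";

/* Traditional DES hash length, the size many old programs hard-coded. */
#define DES_HASH_LEN 13

/*
 * Name the scheme from the hash prefix.  Only the schemes the notice mentions
 * are recognised; anything else is reported as "unknown" rather than guessed.
 */
const char *hash_algorithm(const char *hash)
{
    if (hash == NULL)
        return "unknown";
    if (strncmp(hash, "$6$", 3) == 0)
        return "sha512";
    if (strncmp(hash, "$1$", 3) == 0)
        return "md5";
    if (hash[0] != '$' && strlen(hash) == DES_HASH_LEN)
        return "des";
    return "unknown";
}

/*
 * Bounded copy of a crypt(3) result.  The pattern the notice warns about is
 *     char buf[DES_HASH_LEN + 1];
 *     strcpy(buf, crypt(pw, salt));   // overflows once the hash is longer
 * This version measures the hash first, refuses anything that does not fit
 * (including the terminating NUL), and treats a NULL result as an error,
 * since crypt(3) returns NULL when it fails.
 * Returns 0 on success, -1 on NULL input or insufficient space.
 */
int store_hash(char *dst, size_t dstsize, const char *hash)
{
    size_t len;

    if (hash == NULL || dst == NULL || dstsize == 0)
        return -1;
    len = strlen(hash);
    if (len + 1 > dstsize) {
        /* Leave dst empty so a caller that ignores -1 cannot use stale data. */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, hash, len + 1);
    return 0;
}

int main(void)
{
    char legacy_buf[DES_HASH_LEN + 1];  /* what a pre-SHA-512 program sized */
    char roomy_buf[128];                /* sized for the longer schemes */

    printf("DES sample: %s, fits legacy buffer: %s\n",
           hash_algorithm(SAMPLE_DES_HASH),
           store_hash(legacy_buf, sizeof legacy_buf, SAMPLE_DES_HASH) == 0
               ? "yes" : "no");
    printf("SHA-512 sample (%zu chars): %s, fits legacy buffer: %s, "
           "fits 128-byte buffer: %s\n",
           strlen(SAMPLE_SHA512_HASH),
           hash_algorithm(SAMPLE_SHA512_HASH),
           store_hash(legacy_buf, sizeof legacy_buf, SAMPLE_SHA512_HASH) == 0
               ? "yes" : "no",
           store_hash(roomy_buf, sizeof roomy_buf, SAMPLE_SHA512_HASH) == 0
               ? "yes" : "no");
    return 0;
}
```

The point of `store_hash` is that the caller never assumes a length: it measures the string crypt(3) handed back and either copies it whole, NUL included, or returns an error that the caller can act on. Code that must keep a fixed-size field (a legacy record format, for instance) can use the returned -1 as the signal to reject the hash rather than truncating or overflowing it.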