HEADS UP: fix for password truncation when using crypt(3) with DES
Aggelos Economopoulos
aoiko at cc.ece.ntua.gr
Wed May 30 07:07:28 PDT 2012
The patch just committed to master (258ad0e) fixes CVE-2012-2143. This
bug manifests for UTF-8 encoded passwords that contain a 0x80 byte (for
instance, the "À" character). This fix restores proper behavior, which
means that authentication will break for such passwords. To our
knowledge, nothing in base uses DES for authentication purposes.
Passwords impacted by this change are likely to be weak because of the
truncation and should be reset.
Please see the CVE text for more information.
Aggelos
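The truncation described above, as a constructed illustration added here (this is not the committed DragonFly patch or its crypt-des source): a classic DES crypt(3) key-copy loop that stops reading the password at a 0x80 byte, such as the second byte of UTF-8 "À" (C3 80), beside a corrected loop, plus a check an administrator could use to decide which stored passwords need a reset. The loop shape and function names are assumptions made for the example.

```c
/* Constructed illustration of CVE-2012-2143, not the committed fix: a DES
 * crypt(3) key copy that treats a 0x80 byte as the end of the password. */
#include <stddef.h>
#include <string.h>
#define DES_KEY_LEN 8   /* DES takes 8 key bytes; crypt uses 7 bits of each */

/* Buggy variant: each byte is shifted up one bit (parity bit lands in the
 * LSB) and the input pointer advances only while the SHIFTED byte is non-zero.
 * 0x80 << 1 is 0x00 in a byte, so 0x80 looks like the NUL terminator: the rest
 * of the password is never read and the key is zero-padded from there. */
static size_t expand_key_buggy(const char *key, unsigned char out[DES_KEY_LEN])
{
    const char *p = key;
    for (int i = 0; i < DES_KEY_LEN; i++) {
        if ((out[i] = (unsigned char)((unsigned char)*p << 1)) != 0)
            p++;
    }
    return (size_t)(p - key);   /* password bytes actually consumed */
}

/* Fixed variant: advance on the raw input byte, not on the shifted result,
 * so a 0x80 byte contributes a zero key byte but later bytes are still used. */
static size_t expand_key_fixed(const char *key, unsigned char out[DES_KEY_LEN])
{
    const char *p = key;
    for (int i = 0; i < DES_KEY_LEN; i++) {
        out[i] = (unsigned char)((unsigned char)*p << 1);
        if (*p != '\0')
            p++;
    }
    return (size_t)(p - key);
}

/* Two different passwords collide under the buggy loop if their keys match. */
static int same_buggy_key(const char *pw1, const char *pw2)
{
    unsigned char k1[DES_KEY_LEN], k2[DES_KEY_LEN];
    expand_key_buggy(pw1, k1);
    expand_key_buggy(pw2, k2);
    return memcmp(k1, k2, DES_KEY_LEN) == 0;
}

/* Reset check: does a byte with all low 7 bits clear (0x80) fall inside the
 * 8 bytes DES reads? Such a password was silently truncated before the fix. */
static int password_affected(const char *pw)
{
    for (size_t i = 0; i < DES_KEY_LEN && pw[i] != '\0'; i++)
        if (((unsigned char)pw[i] & 0x7f) == 0)
            return 1;
    return 0;
}
```

With the buggy loop, "À" followed by "secret" yields the same DES key as the single byte 0xC3, which is why such passwords are both weak and about to stop working.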