HEADS UP: fix for password truncation when using crypt(3) with DES
aoiko at cc.ece.ntua.gr
Wed May 30 07:07:28 PDT 2012
The patch just committed to master (258ad0e) fixes CVE-2012-2143. This
bug manifests for UTF-8 encoded passwords that contain a 0x80 byte (for
instance, the "Ã?" character). This fix restores proper behavior, which
means that authentication will break for such passwords. To our
knowledge, nothing in base uses DES for authentication purposes.
Passwords impacted by this change are likely to be weak because of the
truncation and should be reset.
Please see the CVE text for more information.
More information about the Users