lists.openwall.net mailing list archives
Message-ID: <20040228145434.2e60b8cd.timothy.demulder@tiscali.be>
From: timothy.demulder at tiscali.be (Timothy Demulder)
Subject: LOL, stupid calife maintainer - this can't be true

On Sat, 28 Feb 2004 14:18:20 +0100
"DownBload / Illegal Instruction Labs" <downbload@...mail.com> wrote:

> This can't be true...

...

> Vulnerable code ("glibc problem" ;-) ->
> /root/calife-2.8.4c/db.c
> ------------------------
>         ...
>         char    got_pass = 0;
>         char    * pt_pass, * pt_enc,
>                 * user_pass, * enc_pass, salt [10];
> 
>         user_pass = (char *) xalloc (l_size);
>         enc_pass = (char *) xalloc (l_size);
>         ...
>         for ( i = 0; i < 3; i ++ )
>         {
>             pt_pass = (char *) getpass ("Password:");
>             memset (user_pass, '\0', l_size);
>             strcpy (user_pass, pt_pass); // <- BAD CODE
>             pt_enc = (char *) crypt (user_pass, calife->pw_passwd);
>             memset (enc_pass, '\0', l_size);
>             strcpy (enc_pass, pt_enc);
>         }
>         ...
>         free (user_pass);    // <-  FUN CODE ;-)
>         free (enc_pass);     // <-  FUN CODE ;-)
>         ...


It's just plain sad, there should be capital punishment for people
who code like this.
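The defect in the quoted db.c excerpt is that `strcpy (user_pass, pt_pass)` writes whatever `getpass()` returned into a heap buffer of `l_size` bytes without checking that it fits; on glibc the caller cannot assume `getpass()` bounds the line it reads. Below is an added C example, not calife's code and not from either poster, that measures how far such a copy would spill and shows a bounded replacement that rejects over-length input instead of overflowing. `L_SIZE`, the candidate strings and the `accept_candidate` loop shape are constructed for illustration; the password is passed in as a string rather than read with `getpass()` so the program runs non-interactively, and the `crypt()` step is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for calife's l_size; the real value is not on the page. */
#define L_SIZE 32

/* Number of bytes strcpy() would write past the end of a dst buffer of
 * dst_size bytes, or 0 if src (plus its NUL) fits. The quoted db.c never
 * performs this check before strcpy(user_pass, pt_pass). */
size_t strcpy_overflow_bytes(size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;   /* characters plus terminating NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

/* Bounded replacement for the strcpy(): copy src into dst only if it fits
 * including the NUL. Returns 0 on success, -1 if rejected; on rejection dst
 * is zeroed so no partial password is left behind. */
int copy_password_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {
        memset(dst, 0, dst_size);
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Mirrors the shape of the quoted loop body: allocate l_size bytes, take one
 * candidate password (a constructed string here, in place of getpass()), copy
 * it in with the bounded helper, scrub and free. Returns 1 if the candidate
 * was accepted into the buffer, 0 if it was rejected as too long. */
int accept_candidate(const char *candidate, size_t l_size)
{
    char *user_pass = calloc(1, l_size);
    if (user_pass == NULL)
        return 0;
    int ok = copy_password_bounded(user_pass, l_size, candidate) == 0;
    /* crypt(user_pass, ...) would go here in the real code */
    memset(user_pass, 0, l_size);      /* scrub before free */
    free(user_pass);
    return ok;
}

int main(void)
{
    const char *short_pw = "hunter2";                 /* constructed input */
    char long_pw[2 * L_SIZE + 1];                      /* constructed input */
    memset(long_pw, 'A', sizeof long_pw - 1);
    long_pw[sizeof long_pw - 1] = '\0';

    printf("short: spill=%zu accepted=%d\n",
           strcpy_overflow_bytes(L_SIZE, short_pw),
           accept_candidate(short_pw, L_SIZE));
    printf("long:  spill=%zu accepted=%d\n",
           strcpy_overflow_bytes(L_SIZE, long_pw),
           accept_candidate(long_pw, L_SIZE));
    return 0;
}
```

With the 64-character input the unsafe copy would write 33 bytes past the end of a 32-byte heap block (the surplus characters plus the NUL), which is exactly the situation the quoted `free (user_pass)` lines are pointing at; the bounded helper instead returns -1 and the caller can treat the attempt as a failed login.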

