Release date:
Updated on:
Affected Systems:
Sourceforge libcrypt
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53729
Cve id: CVE-2012-2143
Libcrypt is an ANSI C encryption library.
Libcrypt's password encryption implementation contains a vulnerability. The DES implementation used by the crypt() function has a programming error when processing characters that cannot be represented in 7-bit ASCII. Attackers can exploit this vulnerability to bypass the authentication of applications that use the affected crypt() function to encrypt user passwords. When the input contains a character with only the most significant bit set (0x80), that character and everything after it are ignored. Systems that do not use crypt(), or that use crypt() only to process 7-bit ASCII, are not affected.
<* Source: Rubin Xu
Link: http://git.postgresql.org/gitweb?p=postgresql.git&a=commitdiff&h=932ded2ed51e8333852e370c7a6dad75d9f236f9
http://www.securityfocus.com/archive/1/522919
https://bugzilla.redhat.com/show_bug.cgi?CVE-2012-2143
*>
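
The truncation described above can be reproduced with a small C model of the 8-byte key packing used by traditional DES crypt. This is an added example, not code from libcrypt or from the advisory: the function names are hypothetical, the sample password is constructed, and the flawed end-of-string test is an assumed form of the programming error.

```c
#include <stdio.h>
#include <string.h>

/* Model of packing a password into the 8-byte DES key: each byte is shifted
 * left by one because DES ignores the low (parity) bit of every key byte.
 * fixed == 0: assumed flawed end-of-string test; fixed != 0: corrected test. */
static void pack_key(const char *password, unsigned char out[8], int fixed)
{
    const unsigned char *key = (const unsigned char *)password;
    int i;

    for (i = 0; i < 8; i++) {
        out[i] = (unsigned char)(*key << 1);
        /* Flawed form tests the shifted byte: 0x80 << 1 is 0x00 in 8 bits,
         * so 0x80 looks like the terminator and the pointer stops advancing. */
        if (fixed ? (*key != '\0') : (out[i] != 0))
            key++;
    }
}

/* Returns 1 if both passwords yield identical key material. */
static int same_key(const char *a, const char *b, int fixed)
{
    unsigned char ka[8], kb[8];
    pack_key(a, ka, fixed);
    pack_key(b, kb, fixed);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* Audit helper: returns 1 if a 0x80 byte occurs in the first 8 bytes, i.e.
 * a hash made by an affected crypt() covers only a prefix of the password. */
static int truncated_by_flaw(const char *password)
{
    int i;
    for (i = 0; i < 8 && password[i] != '\0'; i++)
        if ((unsigned char)password[i] == 0x80)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: "pass", U+00C0 in UTF-8 (0xC3 0x80), "word". */
    const char *full = "pass\xC3\x80word", *prefix = "pass\xC3";

    printf("flawed: same key = %d\n", same_key(full, prefix, 0));
    printf("fixed:  same key = %d\n", same_key(full, prefix, 1));
    printf("0x80 in first 8 bytes = %d\n", truncated_by_flaw(full));
    return 0;
}
```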
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Sourceforge
-----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://jocr.sourceforge.net/index.html