
Bug#714219: libc6: crypt(3) returns NULL with EINVAL instead of falling back to DES, breaking GNU software



Dear all:

You might be interested in a project of mine which humbly began
as helping the Slackware Linux team patch their Shadow tools
suite to properly handle possible NULL returns from glibc 2.17+
crypt().

It since has evolved into a larger project where I have been
working with developers to introduce needed checks to prevent
possible NULL pointer dereference situations in their programs.

My progress is being documented in Slackware's de facto bug &
discussion forum (linuxquestions.org). You can view the thread here:
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/

Additionally, I have placed all patch files along with a signed
digest file in a sourceforge project:
https://sourceforge.net/projects/miscellaneouspa/files/glibc217/

The Debian security team might be interested in this given the
security implications of some of these fixes. Please CC: me in
any such correspondence.

--mancha

PGP Key ID: 0xB5ABF4FFF7048E92
Key fingerprint = 7F1F E9BF 77CF 15AC 8F6B  C934 B5AB F4FF F704 8E92
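
The kind of check the message describes, as an added example that is not part of the original message or of the patches it links to: a caller that treats a NULL return from crypt() as a failed login instead of passing it to strcmp(). The names crypt_fn, model_crypt and check_password are hypothetical, and model_crypt is a constructed stand-in for glibc 2.17+ crypt() (it does no real hashing) so the example runs without libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for glibc 2.17+ crypt(): NULL with EINVAL when the
 * two-character salt has bytes outside [a-zA-Z0-9./]; otherwise a dummy
 * string that starts with the salt. It performs no real hashing. */
static char *model_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    static char out[14];
    (void)key;
    if (salt[0] == '\0' || salt[1] == '\0'
        || !strchr(ok, salt[0]) || !strchr(ok, salt[1])) {
        errno = EINVAL;
        return NULL;
    }
    out[0] = salt[0]; out[1] = salt[1];
    memcpy(out + 2, "DUMMYHASH00", 12);   /* 11 characters plus the NUL */
    return out;
}

/* Pattern that breaks: strcmp(crypt(typed, stored), stored) dereferences
 * NULL whenever the stored field is not a valid salt, e.g. a "!" or "*"
 * placeholder in a password field (constructed sample input). */

/* Returns 1 on match, 0 on mismatch, -1 if hashing failed (deny the login). */
int check_password(crypt_fn hash, const char *typed, const char *stored)
{
    if (typed == NULL || stored == NULL)
        return -1;
    errno = 0;
    char *computed = hash(typed, stored);
    if (computed == NULL)            /* errno holds the reason, e.g. EINVAL */
        return -1;
    return strcmp(computed, stored) == 0 ? 1 : 0;
}

int main(void)
{
    printf("placeholder entry: %d\n", check_password(model_crypt, "secret", "!"));
    printf("valid entry: %d\n", check_password(model_crypt, "secret", "abDUMMYHASH00"));
    return 0;
}
```

In a real program the first argument would be crypt itself, linked with -lcrypt.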

