ID:               45430
Updated by:       [EMAIL PROTECTED]
Reported By:      alex at all-dynamics dot de
Status:           Critical
Bug Type:         *Encryption and hash functions
Operating System: Win32
PHP Version:      5.2.6
Assigned To:      pajoye
New Comment:
Final patch:
http://pierre.libgd.org/patches/add_crypt_r_blowfish_extdes.txt

It not only fixes Windows but it adds blowfish, extended DES, std DES and MD5 to all platforms as soon as one of them is not available or when crypt_r is not present either.

Doing so, PHP can't be affected anymore by this problem.


Previous Comments:
------------------------------------------------------------------------

[2008-07-19 22:22:16] [EMAIL PROTECTED]

Patch updated to the latest DES implementation ported to Windows.
Blowfish support added (with salt generation).

http://news.php.net/php.internals.win/94

------------------------------------------------------------------------

[2008-07-17 22:44:11] [EMAIL PROTECTED]

Here is the patch (Windows only):

http://pierre.libgd.org/patches/crypt_r_win32.patch.txt

Will be committed asap.

------------------------------------------------------------------------

[2008-07-15 09:19:20] [EMAIL PROTECTED]

Taking the hand on it for the Windows part. As part of the win32 improvement effort, I already wrote a patch to drop our win32's md5_crypt implementation and add support for other algorithms (just like crypt_r + DES).

------------------------------------------------------------------------

[2008-07-15 02:28:46] [EMAIL PROTECTED]

See also:
http://blog.php-security.org/archives/82-Suhosin-0.9.20-and-crypt-Thread-Safety-Vulnerability.html

------------------------------------------------------------------------

[2008-07-04 08:50:38] alex at all-dynamics dot de

Description:
------------
crypt () seems not to be thread-safe when using a threaded webserver (Windows, ISAPI).

Maybe this has something to do with win32/md5crypt.c / md5_crypt:
static char passwd[120] (static buffer which is returned to the calling function).

Reproduce code:
---------------
Run this code with two or more simultaneous requests on a threaded server:

set_time_limit (0);

$passwd1 = "testtesttest";
$passwd2 = "passwordpassword";

for ($i = 0; $i < 3000; $i++)
{
    $crypted = crypt ($passwd1);
    if ($crypted != crypt ($passwd1, $crypted)) die ("no match");

    $crypted = crypt ($passwd2);
    if ($crypted != crypt ($passwd2, $crypted)) die ("no match");
}

echo "ok";

Expected result:
----------------
"ok" on all requests

Actual result:
--------------
one request may end with "no match", the other request will display "ok"

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=45430&edit=1
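
The shared-buffer hazard the report attributes to `static char passwd[120]`, shown as an added example that is not part of the bug report or of PHP's source: a single-threaded replay of the order in which two overlapping requests can execute, next to the caller-supplied-buffer (crypt_r style) shape. The function names, salts, output format and the toy FNV-1a encoder standing in for the real hash are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reentrant shape (crypt_r style): the caller owns the output buffer.
 * The "hash" is a toy FNV-1a stand-in, NOT a real password hash. */
static char *toy_crypt_r(const char *pw, const char *salt, char *buf, size_t len)
{
    unsigned long h = 2166136261UL;
    for (const char *p = salt; *p; p++) h = ((h ^ (unsigned char)*p) * 16777619UL) & 0xffffffffUL;
    for (const char *p = pw; *p; p++)   h = ((h ^ (unsigned char)*p) * 16777619UL) & 0xffffffffUL;
    snprintf(buf, len, "$toy$%s$%08lx", salt, h);
    return buf;
}

/* Non-reentrant shape named in the report: one static buffer for all callers. */
static char *toy_crypt_static(const char *pw, const char *salt)
{
    static char passwd[120];
    return toy_crypt_r(pw, salt, passwd, sizeof passwd);
}

/* Replays the interleaving of two requests; returns 1 if request A still verifies. */
int request_a_verifies_static(void)
{
    char stored[120], *a;
    toy_crypt_r("testtesttest", "ab", stored, sizeof stored);   /* stored hash */
    a = toy_crypt_static("testtesttest", "ab");                 /* A hashes */
    toy_crypt_static("passwordpassword", "cd");                 /* B runs before A compares */
    return strcmp(a, stored) == 0;                              /* A now reads B's output */
}

/* Same interleaving, but each request hashes into its own buffer. */
int request_a_verifies_reentrant(void)
{
    char stored[120], a_buf[120], b_buf[120];
    toy_crypt_r("testtesttest", "ab", stored, sizeof stored);
    toy_crypt_r("testtesttest", "ab", a_buf, sizeof a_buf);
    toy_crypt_r("passwordpassword", "cd", b_buf, sizeof b_buf);
    return strcmp(a_buf, stored) == 0;
}

int main(void)
{
    printf("static buffer verifies: %d, caller buffer verifies: %d\n",
           request_a_verifies_static(), request_a_verifies_reentrant());
    return 0;
}
```

With real threads the overwrite depends on scheduling, which matches the report's observation that only some requests end with "no match".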