
Re: (ITS#7490) Security weakness in sha2 password module

--On Friday, January 11, 2013 6:19 AM +0000 mhardin@symas.com wrote:

> Full_Name: Matthew Hardin
> Version: 2.4.33+
> OS: All
> URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt
> Submission from: (NULL) (
> contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers
> and zeros them out in several places using the following macro:
> MEMSET_BZERO(context, sizeof(context))
> The variable 'context' is a pointer to a context buffer, so sizeof will
> evaluate to the size of a pointer for the particular platform. As a
> result, the context buffer is only partially zeroed.
> The correct invocation is:
> MEMSET_BZERO(context, sizeof(*context))
> which will zero out the complete context buffer.
> The referenced diff details the changes to sha2.c that are necessary to
> correct this issue.
> Note this also cleans up warnings reported by MacOS's clang compiler.
> I, Matthew Hardin, hereby place the following modifications to OpenLDAP
> Software (and only these modifications) into the public domain. Hence,
> these modifications may be freely used and/or redistributed for any
> purpose with or without attribution and/or other notice.

Can you resubmit the patch using git-format-patch?  Or at least using 
unified diff format? ;)



Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
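As an added illustration (not code from the ITS, the patch, or the sha2 module itself), the following C program reproduces the `sizeof(context)` versus `sizeof(*context)` mistake on a constructed context struct and counts how many bytes each form actually clears; the struct layout and the assumption that MEMSET_BZERO expands to memset are mine, not taken from sha2.c:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed expansion of the macro the report refers to. */
#define MEMSET_BZERO(p, l) memset((p), 0, (l))

/* Constructed context, shaped like a SHA-256 context: state words,
   a bit counter and a one-block message buffer (104 bytes, no padding). */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
} ctx_t;

/* Fill the whole context with a marker byte so leftovers are visible. */
void fill_ctx(ctx_t *context, uint8_t marker) {
    memset(context, marker, sizeof(*context));
}

/* Count the bytes that are still non-zero after a clearing attempt. */
size_t nonzero_bytes(const ctx_t *context) {
    const uint8_t *p = (const uint8_t *)context;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*context); i++)
        if (p[i] != 0) n++;
    return n;
}

/* Buggy form: sizeof(context) is the size of the pointer (4 or 8 bytes),
   so only the first few bytes of the struct are cleared and the rest of
   the sensitive state stays in memory. gcc and clang flag this pattern
   with -Wsizeof-pointer-memaccess, which is the warning the report mentions. */
size_t clear_buggy(ctx_t *context) {
    MEMSET_BZERO(context, sizeof(context));
    return nonzero_bytes(context);
}

/* Fixed form: sizeof(*context) is the size of the pointed-to struct. */
size_t clear_fixed(ctx_t *context) {
    MEMSET_BZERO(context, sizeof(*context));
    return nonzero_bytes(context);
}

int main(void) {
    ctx_t c;
    fill_ctx(&c, 0xAA);
    printf("buggy leaves %zu of %zu bytes uncleared\n", clear_buggy(&c), sizeof c);
    fill_ctx(&c, 0xAA);
    printf("fixed leaves %zu of %zu bytes uncleared\n", clear_fixed(&c), sizeof c);
    return 0;
}
```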