Bug 1034591 - (CVE-2017-7252) VUL-0: CVE-2017-7252: Botan: Botans implementation of bcrypt password hashing scheme truncated longpasswords at 56 characters, ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/183662/
Reported: 2017-04-18 09:05 UTC by Marcus Meissner
Modified: 2017-05-08 11:55 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2017-04-18 09:05:46 UTC
CVE-2017-7252

Botan’s implementation of the bcrypt password hashing scheme truncated long
passwords at 56 characters, instead of at bcrypt’s standard 72-character
limit. Passwords with lengths between these two bounds could be cracked more
easily than should be the case, because the final password bytes were ignored.

References
https://botan.randombit.net/security.html#id1
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7252.html
Comment 1 Marcus Meissner 2017-04-18 09:06:52 UTC
2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation

Botan’s implementation of the bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt’s standard 72-character limit. Passwords with lengths between these two bounds could be cracked more easily than should be the case, because the final password bytes were ignored. Found and reported by Solar Designer.

Bug introduced in 1.11.0, fixed in 2.1.0.
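The defect described above is a boundary property that a packager or integrator can test for directly: hash one long password, then check whether variants that differ in a single byte below offset 72 still verify. The probe below is an added example and not Botan's code; the `make_model_scheme` stand-in is a constructed hash-and-compare model (not real bcrypt) whose only purpose is to reproduce the 56-byte versus 72-byte cut-off, and a real check would plug the library's own generate and verify calls into `effective_limit` in its place.

```python
import hashlib
import os
from typing import Callable, Tuple

BCRYPT_LIMIT = 72  # bcrypt's standard input limit in bytes


# Constructed stand-in for a bcrypt library (NOT real bcrypt): it keeps only
# the property under test, namely the byte offset at which the password is
# cut off.  limit=56 models the behaviour described in CVE-2017-7252,
# limit=72 models the standard behaviour.
def make_model_scheme(limit: int) -> Tuple[Callable[[bytes], bytes],
                                           Callable[[bytes, bytes], bool]]:
    def generate(password: bytes) -> bytes:
        salt = os.urandom(16)
        return salt + hashlib.sha256(salt + password[:limit]).digest()

    def check(password: bytes, stored: bytes) -> bool:
        salt, digest = stored[:16], stored[16:]
        return hashlib.sha256(salt + password[:limit]).digest() == digest

    return generate, check


def effective_limit(generate: Callable[[bytes], bytes],
                    check: Callable[[bytes, bytes], bool]) -> int:
    """Return the lowest byte offset whose value the scheme ignores.

    Hash a long all-'A' password, then verify variants that differ from it
    in exactly one byte.  A variant that still verifies proves that byte was
    dropped before hashing.  Returns BCRYPT_LIMIT when every byte below the
    standard limit affects the result.
    """
    base = b"A" * (BCRYPT_LIMIT + 8)
    stored = generate(base)
    for pos in range(BCRYPT_LIMIT):
        variant = base[:pos] + b"B" + base[pos + 1:]
        if check(variant, stored):
            return pos
    return BCRYPT_LIMIT


def truncation_ok(generate, check) -> bool:
    """True when passwords are used in full up to bcrypt's 72-byte limit."""
    return effective_limit(generate, check) == BCRYPT_LIMIT


if __name__ == "__main__":
    for limit in (56, 72):
        gen, chk = make_model_scheme(limit)
        print(f"model limit {limit}: effective limit "
              f"{effective_limit(gen, chk)}, ok={truncation_ok(gen, chk)}")
```

Because the probe works through the scheme's own generate and verify calls, it does not depend on salt handling or output encoding, only on raw password bytes being passed through unchanged.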
Comment 2 Marcus Meissner 2017-04-18 09:15:04 UTC
SLE12 has 1.10.x, so SLE is not affected.
Comment 3 Daniel Molkentin 2017-04-25 09:57:17 UTC
Factory has 1.10.16, and 2.1.0 is pending for submission to Factory (separate package). Both are unaffected.
Comment 4 Daniel Molkentin 2017-04-25 09:58:46 UTC
Back to security team for further processing.
Comment 5 Marcus Meissner 2017-05-08 11:55:21 UTC
If it's in Factory -> good.