Date: Fri, 05 Sep 2014 23:18:00 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 193355] New: OPIE may not generate passwds from the dictionary correctly Message-ID: <bug-193355-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193355 Bug ID: 193355 Summary: OPIE may not generate passwds from the dictionary correctly Product: Base System Version: 10.0-RELEASE Hardware: Any OS: Any Status: Needs Triage Severity: Affects Many People Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: dan.turner@york.ac.uk contrib/opie/libopie/btoe.c contains a dictionary, Wp. Wp is _not_ sorted lexicographically. for instance, "YOU" is immediately before "ABED", line . The function wsrch (impl. starts at line 2203) implements a binary search over Wp, using strncmp as the comparison method. The call strncmp uses lexicographic ordering, in which "ABED" is considered to be less than "YOU". Unfortunately, this dictionary is from RFC 2289 & RFC 1760, and is specified in this order. As such, I don't know how modifying this dictionary order (or the search order) would behave in relation to these standards. I cannot spot any location where Wp is being sorted prior to being used, but I also have not produced proof-of-concept that fails or returns the wrong value, this code looks suspicious to me though, as I think the pre-conditions of the binary search are being violated. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-193355-8>