ID:               45430
Updated by:       [EMAIL PROTECTED]
Reported By:      alex at all-dynamics dot de
-Status:          Critical
+Status:          Closed
Bug Type:         *Encryption and hash functions
Operating System: Win32
PHP Version:      5.2.6
Assigned To:      pajoye
New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Fixed in 5.3 and HEAD (6.x)

Previous Comments:
------------------------------------------------------------------------

[2008-07-26 18:19:00] [EMAIL PROTECTED]

Final patch:
http://pierre.libgd.org/patches/add_crypt_r_blowfish_extdes.txt

It not only fixes Windows but it adds blowfish, extended DES, std DES and MD5 to all platforms as soon as one of them is not available or when crypt_r is not present either. Doing so, PHP can't be affected anymore by this problem.

------------------------------------------------------------------------

[2008-07-19 22:22:16] [EMAIL PROTECTED]

Patch updated to the latest DES implementation ported to Windows. Blowfish support added (with salt generation).

http://news.php.net/php.internals.win/94

------------------------------------------------------------------------

[2008-07-17 22:44:11] [EMAIL PROTECTED]

Here is the patch (Windows only):
http://pierre.libgd.org/patches/crypt_r_win32.patch.txt

Will be committed ASAP.

------------------------------------------------------------------------

[2008-07-15 09:19:20] [EMAIL PROTECTED]

Taking the hand on it for the Windows part. As part of the win32 improvement effort, I already wrote a patch to drop our win32's md5_crypt implementation and add support for other algorithms (just like crypt_r + DES).

------------------------------------------------------------------------

[2008-07-15 02:28:46] [EMAIL PROTECTED]

See also:
http://blog.php-security.org/archives/82-Suhosin-0.9.20-and-crypt-Thread-Safety-Vulnerability.html

------------------------------------------------------------------------

The remainder of the comments for this report are too long.
To view the rest of the comments, please view the bug report online at http://bugs.php.net/45430