busybox: passwd uses null salt (weak encryption) [CVE-2006-1058]

Related Vulnerabilities: CVE-2006-1058  

Debian Bug report logs - #360578

Reported by: Martin Pitt <martin.pitt@ubuntu.com>

Date: Mon, 3 Apr 2006 12:33:02 UTC

Severity: normal

Tags: patch, security

Found in versions busybox/1.01-4, busybox/1:0.60.2-3.1, busybox/1:0.60.5-2.2, busybox/1:1.01-4

Fixed in version 1:1.1.3-1

Done: Frans Pop <elendil@planet.nl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#360578; Package busybox.


Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: busybox: passwd uses null salt (weak encryption) [CVE-2006-1058]
Date: Mon, 3 Apr 2006 14:03:36 +0200
Package: busybox
Version: 1.01-4
Severity: normal
Tags: security yatch

busybox' passwd always uses an empty salt for md5 passwords, so that
passwords can be broken much faster (with fast table-based
approaches). Please see [1] for the upstream bug report and [2] for
the Ubuntu patch.

Thank you,

Martin

[1] http://bugs.busybox.net/view.php?id=604
[2] http://patches.ubuntu.com/patches/busybox.CVE-2006-1058.diff

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
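
Added example, not part of the original report or of busybox: an audit of shadow-format lines for the condition described above, MD5-crypt (`$1$`) entries whose salt field is empty, plus accounts that end up with an identical stored hash. The sample lines and digest strings are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in /etc/shadow format; digests are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$$AAAAAAAAAAAAAAAAAAAAAA:13240:0:99999:7:::
alice:$1$Xy7kQ2pL$BBBBBBBBBBBBBBBBBBBBBB:13240:0:99999:7:::
bob:$1$$AAAAAAAAAAAAAAAAAAAAAA:13241:0:99999:7:::
daemon:*:13240:0:99999:7:::
carol:!$1$$CCCCCCCCCCCCCCCCCCCCCC:13242:0:99999:7:::
"""


def parse_md5_crypt(field):
    """Return (salt, digest) for a $1$ MD5-crypt field, or None for anything else."""
    field = field.lstrip("!")  # leading '!' marks a locked account; the hash is still stored
    if not field.startswith("$1$"):
        return None
    salt, sep, digest = field[3:].partition("$")
    if not sep:
        return None  # malformed: no '$' separating salt from digest
    return salt, digest


def audit_shadow(text):
    """Return (users with an empty salt, groups of users sharing salt and digest)."""
    empty_salt = []
    by_hash = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        parsed = parse_md5_crypt(parts[1])
        if parsed is None:
            continue  # '*', '!', empty, or a different hash scheme
        salt, digest = parsed
        if salt == "":
            empty_salt.append(parts[0])
        by_hash[(salt, digest)].append(parts[0])
    # With no salt, equal passwords always produce equal stored hashes.
    shared = [users for users in by_hash.values() if len(users) > 1]
    return empty_salt, shared


if __name__ == "__main__":
    empty, shared = audit_shadow(SAMPLE_SHADOW)
    print("empty salt:", empty)
    print("identical salt+digest:", shared)
```

Entries flagged here keep their unsalted hash after busybox is upgraded; the stored value only changes when the password is set again.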

Tags added: patch Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#360578; Package busybox.


Acknowledgement sent to Julien Goodwin <jgoodwin@studio442.com.au>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.


Message #12 received at 360578@bugs.debian.org:

From: Julien Goodwin <jgoodwin@studio442.com.au>
To: 360578@bugs.debian.org
Subject: Update
Date: Fri, 23 Jun 2006 04:14:25 +1000
The Ubuntu patch link from Martin's report is now a 404, and the busybox
bug report is listed as being fixed on the 20th of April.

Relevant SVN commit: (trunk)
http://www.busybox.net/cgi-bin/viewcvs.cgi/trunk/busybox/loginutils/passwd.c?rev=14930&view=diff&r1=14930&r2=14929&p1=trunk/busybox/loginutils/passwd.c&p2=/trunk/busybox/loginutils/passwd.c
And from the 1.1.3 tag:
http://www.busybox.net/cgi-bin/viewcvs.cgi/tags/busybox_1_1_3/loginutils/passwd.c?rev=15117&view=log

As busybox 1.1.3 is now in unstable this bug should be marked fixed in 1.1.3

Thanks,
Julien


Reply sent to Frans Pop <elendil@planet.nl>:
You have taken responsibility.


Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer.


Message #17 received at 360578-done@bugs.debian.org:

From: Frans Pop <elendil@planet.nl>
To: Julien Goodwin <jgoodwin@studio442.com.au>, 360578-done@bugs.debian.org
Subject: Re: Bug#360578: Update
Date: Thu, 22 Jun 2006 20:39:22 +0200
Version: 1:1.1.3-1

On Thursday 22 June 2006 20:14, Julien Goodwin wrote:
> As busybox 1.1.3 is now in unstable this bug should be marked fixed in
> 1.1.3

Done. Thanks.



Bug marked as found in version 1:0.60.2-3.1. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug marked as found in version 1:0.60.5-2.2. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug marked as found in version 1:1.01-4. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 16:27:05 GMT)


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:47:50 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:48:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:51:06 2019; Machine Name: beach
