FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-2143

This CVE name corresponds to:

Entered     Topic
2012-06-27  FreeBSD -- Incorrect crypt() hashing
2012-05-30  databases/postgresql*-server -- crypt vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2012-2143
Phase Assigned(20120404)

Description

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.

References

Source    Reference
CONFIRM   http://git.php.net/?p=php-src.git;a=commit;h=aab49e934de1fff046e659cbec46e3d053b41c34
CONFIRM   http://git.postgresql.org/gitweb/?p=postgresql.git&a=commit&h=932ded2ed51e8333852e370c7a6dad75d9f236f9
CONFIRM   http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
CONFIRM   http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
CONFIRM   http://www.postgresql.org/docs/9.0/static/release-9-0-8.html
CONFIRM   http://www.postgresql.org/docs/9.1/static/release-9-1-4.html
CONFIRM   http://www.postgresql.org/support/security/
CONFIRM   https://bugzilla.redhat.com/show_bug.cgi?id=816956
CONFIRM   http://support.apple.com/kb/HT5501
APPLE     APPLE-SA-2012-09-19-2
DEBIAN    DSA-2491
FEDORA    FEDORA-2012-8893
FEDORA    FEDORA-2012-8915
FEDORA    FEDORA-2012-8924
FREEBSD   FreeBSD-SA-12:02
MANDRIVA  MDVSA-2012:092
REDHAT    RHSA-2012:1037
SUSE      SUSE-SU-2012:0840
SUSE      openSUSE-SU-2012:1299
SUSE      openSUSE-SU-2012:1251
SUSE      openSUSE-SU-2012:1288
SECTRACK  1026995
SECUNIA   49304
SECUNIA   50718