Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Update to jBCrypt 0.4 to correct an integer overflow #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
reedloden wants to merge 1 commit into from
Closed

Update to jBCrypt 0.4 to correct an integer overflow #112

reedloden wants to merge 1 commit into from

Conversation

@reedloden
Copy link

@reedloden reedloden commented Feb 12, 2015

reedloden
reedloden reviewed Feb 12, 2015
View reviewed changes
ext/jruby/bcrypt_jruby/BCrypt.java
Copy link
Author

@reedloden reedloden Feb 12, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Oscil8, does the below change end up fixing #82? Haven't had a chance to test yet, but if so, awesome...

Copy link

@Oscil8 Oscil8 Feb 13, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem with character encoding has already failed by this point -- JRuby => Java conversion of the string has already turned out of range characters into 0xfffd (Replacement character); and the use of getBytes("UTF-8") at https://github.com/reedloden/bcrypt-ruby/blob/jBCrypt-0.4/ext/jruby/bcrypt_jruby/BCrypt.java#L676 further distorts the byte values. We've implemented a workaround here https://github.com/lookout/bcrypt-ruby/tree/lookout

@reedloden
Copy link
Author

reedloden commented Jul 25, 2015

The upstream issue is CVE-2015-0886 (also see http://osvdb.org/show/osvdb/119055).

@tjschuck
Copy link
Collaborator

tjschuck commented Jan 4, 2019

As of #182, we no longer use the original jBCrypt — we now use the spring-security fork, which has since drifted away from jBCrypt 0.3 or 0.4.

@tjschuck tjschuck closed this Jan 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@reedloden @tjschuck @Oscil8
Morty Proxy This is a proxified and sanitized view of the page, visit original site.