Security, Bug, Open Source, IT, Linux

13-Year-Old Password Security Bug Fixed

arglebargle_xiv writes "In a sign that many eyes don't really make (security) bugs shallow, a thirteen-year-old password-hashing bug that affects (at least) PHP, some Linux distros (Owl, ALT Linux, SUSE), and a variety of other apps has just been patched. This problem had been present in widely-used code since 1998 without anyone noticing it." Better late than never; reader Trailrunner7 points to this article outlining the dangers of old exploits, given old code for them to toy with.

  • Re:No shit (Score:2, Insightful)

    by mangu ( 126918 ) on Monday June 20, 2011 @08:15PM (#36507686)

    It only holds water if people are actively looking at the code and noticing the bugs, which in many cases they are not.

    But you must admit that in some cases people are looking at the code, while in commercial code no one but those who developed it can take a look.

    If you have ever developed code you must have noticed how often you spend hours looking at your code trying to find a bug and then someone comes looking over your shoulder and points out the obvious error.

  • by LordLucless ( 582312 ) on Monday June 20, 2011 @08:18PM (#36507714)

    Uh-huh. Because "In a sign that many eyes don't really make (security) bugs shallow" is such an unbiased opening for the story.

  • Come on, it's PHP (Score:2, Insightful)

    by A beautiful mind ( 821714 ) on Monday June 20, 2011 @08:21PM (#36507740)
    What the fuck did you expect, excellent design practices and high quality code?
  • by Anonymous Coward on Monday June 20, 2011 @08:31PM (#36507812)

    And why is that not a reasonable opening for the summary?

    Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

    The correct answer for what makes a product secure: Proper coding practices combined with proper configuration.

    IMO, Apache is certainly a better choice for a web server, but my opinion is not based on the fact that it is open source and instead based on the fact that it is actually more secure than IIS. Apache appears to be less often compromised, therefore I trust it more. However, if IIS one day holds the mantle of least compromised, then I will certainly consider it (I'm holding my breath though).

  • by Firehed ( 942385 ) on Monday June 20, 2011 @08:53PM (#36508010) Homepage

    Have a setting in the tools that call it to use the legacy/broken implementation, and enable it by default in the next patch. See: MySQL old passwords [mysql.com]. Or some sort of option that you can set on the function, similar idea.

    The better but less compatible way is to put a huge warning on the patch, telling people that if the password doesn't match, check again with the USE_BROKEN_BLOWFISH_IMPLEMENTATION flag passed into the function and if that matches, update your data with the good hash and continue on as normal. That will inevitably piss off a lot of people on shared hosting and/or unmaintained applications but from a security standpoint it's the better option.
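An added example (editor's illustration, not code from crypt_blowfish, PHP or any poster in this thread) that ties the two halves of the comment above together. The 1998 bug in crypt_blowfish, fixed in version 1.1 and tracked as CVE-2011-2483, was a sign-extension error in Blowfish key setup: password bytes were OR'd into 32-bit key words through a signed char, so any byte with the high bit set also wrote 0xFF over the bytes already in that word, collapsing distinct passwords onto the same key. pack_key below reproduces that one step in both its buggy and fixed form and is simplified from the real routine. toy_hash, struct record and its legacy flag are hypothetical stand-ins for the real hash and for the application's password table; they exist only so the "check with the fixed implementation, fall back to the broken one, rehash on a match" migration described above has something to run against. The sample passwords are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not code from crypt_blowfish, PHP or any project on
 * the page. pack_key() models the step of Blowfish key setup where the
 * 1998-2011 bug lived: the password (including its NUL terminator, after
 * which it restarts) is packed four bytes at a time into 32-bit words.
 * The LEGACY variant reads the bytes as signed char, so a byte >= 0x80 is
 * sign-extended to 0xFFFFFFxx before the OR and overwrites every byte
 * already in the word with 0xFF. The FIXED variant reads unsigned char.
 * toy_hash() is a placeholder for the expensive hash that follows key
 * setup; it is NOT a password hash and exists only so the verify/upgrade
 * logic has something to compare.
 */

#define KEY_WORDS 18            /* Blowfish has 18 P-array words */

enum impl { FIXED = 0, LEGACY = 1 };

static void pack_key(const char *key, uint32_t words[KEY_WORDS], enum impl which)
{
    const char *ptr = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (which == LEGACY)
                tmp |= (uint32_t)(int)(signed char)*ptr;  /* the bug: sign extension */
            else
                tmp |= (unsigned char)*ptr;               /* the fix */
            if (*ptr == '\0') ptr = key; else ptr++;      /* cycle the password */
        }
        words[i] = tmp;
    }
}

/* 1 if both passwords expand to identical key words under the given implementation. */
int same_key(const char *a, const char *b, enum impl which)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];
    pack_key(a, wa, which);
    pack_key(b, wb, which);
    return memcmp(wa, wb, sizeof wa) == 0;
}

/* Toy stand-in for the real hash (FNV-1a over the key words). Not for real use. */
uint32_t toy_hash(const char *password, enum impl which)
{
    uint32_t words[KEY_WORDS], h = 2166136261u;
    pack_key(password, words, which);
    for (int i = 0; i < KEY_WORDS; i++) {
        h ^= words[i];
        h *= 16777619u;
    }
    return h;
}

struct record {
    uint32_t hash;
    int legacy;   /* 1: stored before the fix, so it may be the buggy form */
};

enum verify_result { NO_MATCH = 0, MATCH = 1, MATCH_UPGRADED = 2 };

/* The migration described in the comment: check with the fixed implementation;
 * if that fails and the record predates the fix, check with the legacy one; on a
 * legacy match, store the fixed hash and clear the flag. Records created after
 * the fix never take the legacy path. */
enum verify_result verify_and_upgrade(struct record *rec, const char *password)
{
    uint32_t good = toy_hash(password, FIXED);
    if (good == rec->hash) {
        rec->legacy = 0;   /* 7-bit passwords hash identically under both variants */
        return MATCH;
    }
    if (rec->legacy && toy_hash(password, LEGACY) == rec->hash) {
        rec->hash = good;
        rec->legacy = 0;
        return MATCH_UPGRADED;
    }
    return NO_MATCH;
}

/* Runs the pre-fix-record scenario end to end; 1 when every step behaved as expected. */
int upgrade_scenario_ok(void)
{
    struct record rec = { toy_hash("caf\xe9", LEGACY), 1 };    /* constructed sample */
    if (verify_and_upgrade(&rec, "caf\xe9") != MATCH_UPGRADED) return 0;
    if (rec.legacy != 0 || rec.hash != toy_hash("caf\xe9", FIXED)) return 0;
    if (verify_and_upgrade(&rec, "caf\xe9") != MATCH) return 0;
    if (verify_and_upgrade(&rec, "cafe") != NO_MATCH) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: two different passwords, one containing a byte >= 0x80. */
    printf("\"ab\\xff\" vs \"\\xff\": same key under legacy = %d, under fixed = %d\n",
           same_key("ab\xff", "\xff", LEGACY), same_key("ab\xff", "\xff", FIXED));
    printf("legacy record migration behaved as expected: %d\n", upgrade_scenario_ok());
    return 0;
}
```

Passwords made only of 7-bit characters pack identically under both variants, which is why verify_and_upgrade tries the fixed implementation first and only falls back to the legacy computation for records flagged as predating the fix; once such a record is rehashed the flag is cleared, so the weaker legacy form is never accepted for that account again. Without a per-record flag, which is the situation the comment describes, the fallback has to be attempted on every failed check instead, and it should be removed once the rehash pass is complete.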

  • by binarstu ( 720435 ) on Monday June 20, 2011 @08:55PM (#36508024)
    Concluding, from this bug, "that many eyes don't really make (security) bugs shallow" is absolutely not justified. This is a single anecdote (sample size = 1), and there is no good or easy way to compare this to what would have happened had the code been closed. One could just as easily claim that if the code were not open, it would have been 10 more years before the bug was uncovered.
  • by Firehed ( 942385 ) on Monday June 20, 2011 @09:13PM (#36508150) Homepage

    To be fair, it's hardly PHP's fault that the shared library's implementation was broken. The primary benefits of using a library (not reinventing the wheel, wisdom of many, etc.) are generally outweighed by occasionally inheriting one of their bugs. Especially since you also inherit their bugfixes. While the core PHP team is actually quite well accomplished at security (even if PHP enables any idiot to make insecure sites by virtue of being easy to learn), I'd still rather them use widely adopted libraries than come up with their own implementation.

  • by Anonymous Coward on Monday June 20, 2011 @09:22PM (#36508198)

    A flaw in an obscure blowfish implementation that isn't used by any of the major distributions is not the dire situation implied here (considering SUSE basically irrelevant anymore). This incident actually reaffirms the many eyes philosophy. Few eyes had the motive to look at this particular code, so the flaw was simply not seen.

  • by simcop2387 ( 703011 ) on Monday June 20, 2011 @09:51PM (#36508366) Homepage Journal
    They mean the British pound sign, not the octothorpe # . Ain't language fun?
  • by MobileTatsu-NJG ( 946591 ) on Monday June 20, 2011 @09:57PM (#36508402)

    How many bugs are there in commercial software that we don't know?

    Heh.

    Monday:

    "Really old bug finally patched in some popular Microsoft software!"

    This shows how terrible proprietary software is!

    Tuesday:

    "Really old bug finally patched in some popular OSS!"

    This shows how terrible proprietary software is!
