Make WordPress Core

Opened 5 months ago

Last modified 3 weeks ago

#61258 new defect (bug)

class-phpass.php uses old '2a' prefix for crypt_blowfish hashes

Reported by: timrutter
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.8
Component: External Libraries
Keywords: has-patch
Focuses:
Cc:

Description

class-phpass.php currently uses the old '2a' prefix for crypt_blowfish hashes.

Since PHP 5.3.7 (crypt_blowfish 1.2) the prefix of '2y' has been recommended.

The prefix '$2y$' is used to identify correctly computed hashes from the older, potentially weak '$2a$' hashes from CVE-2011-2483.
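As an added example (not code from WordPress, PHPass or the attached patch), the PHP below shows the prefix choice this ticket is about and the migration path a site operator would want: a simplified gensalt_blowfish()-style salt builder that selects '$2y$' once PHP_VERSION_ID is 50307 (PHP 5.3.7) or newer, a classifier for the identifier found in a stored hash, and a login check that verifies with crypt() the way PHPass does and re-hashes any '$2a$' entry to '$2y$' at the same cost. The helpers bcrypt_prefix_for(), bcrypt_identifier() and check_and_upgrade() are hypothetical names, the sample password and the forced version id are constructed, and the code assumes PHP 7.1 or newer for random_bytes(), hash_equals() and nullable return types.

```php
<?php
// Added example; not WordPress or PHPass code. Demonstrates the '$2a$' -> '$2y$'
// prefix selection and a login-time upgrade of legacy hashes. Assumes PHP >= 7.1.
declare(strict_types=1);

// crypt_blowfish's salt alphabet (not the RFC 4648 base64 alphabet).
const BCRYPT_ITOA64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/** Encode raw bytes as crypt_blowfish salt characters (16 bytes -> 22 chars). */
function bcrypt_encode64(string $bytes): string
{
    $itoa64 = BCRYPT_ITOA64;
    $out = '';
    $n = strlen($bytes);
    $i = 0;
    while ($i < $n) {
        $c1 = ord($bytes[$i++]);
        $out .= $itoa64[$c1 >> 2];
        $c1 = ($c1 & 0x03) << 4;
        if ($i >= $n) { $out .= $itoa64[$c1]; break; }
        $c2 = ord($bytes[$i++]);
        $c1 |= $c2 >> 4;
        $out .= $itoa64[$c1];
        $c1 = ($c2 & 0x0f) << 2;
        if ($i >= $n) { $out .= $itoa64[$c1]; break; }
        $c2 = ord($bytes[$i++]);
        $c1 |= $c2 >> 6;
        $out .= $itoa64[$c1];
        $out .= $itoa64[$c2 & 0x3f];
    }
    return $out;
}

/**
 * Hypothetical helper: choose the bcrypt identifier for a PHP_VERSION_ID.
 * '$2y$' from 5.3.7 (50307) onwards, the legacy '$2a$' before that.
 */
function bcrypt_prefix_for(int $php_version_id): string
{
    return $php_version_id >= 50307 ? '$2y$' : '$2a$';
}

/** Simplified gensalt_blowfish(): builds a crypt() setting like '$2y$10$<22 chars>'. */
function gensalt_blowfish(int $cost_log2, int $php_version_id = PHP_VERSION_ID): string
{
    if ($cost_log2 < 4 || $cost_log2 > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    return bcrypt_prefix_for($php_version_id) . sprintf('%02d', $cost_log2) . '$'
        . bcrypt_encode64(random_bytes(16));
}

/** Hypothetical helper: '2a', '2b', '2x' or '2y' for a bcrypt hash, null otherwise. */
function bcrypt_identifier(string $hash): ?string
{
    // Layout: $<id>$<cost>$<22 salt chars><31 hash chars>, 60 chars in total.
    return preg_match('/^\$(2[abxy])\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash, $m) === 1 ? $m[1] : null;
}

/**
 * Hypothetical helper: verify with crypt() in constant time and, on success,
 * return a fresh '$2y$' hash at the same cost when the stored hash still uses
 * '$2a$'. Returns [bool ok, string hash_to_store]; the caller persists the hash.
 */
function check_and_upgrade(string $password, string $stored): array
{
    $ok = hash_equals($stored, crypt($password, $stored));
    if ($ok && bcrypt_identifier($stored) === '2a') {
        $cost = (int) substr($stored, 4, 2);
        $stored = crypt($password, gensalt_blowfish($cost));
    }
    return [$ok, $stored];
}

// Constructed demo: mint a legacy-style hash by forcing a pre-5.3.7 version id,
// then perform one login and observe the prefix change.
$legacy = crypt('correct horse battery', gensalt_blowfish(10, 50306));
[$ok, $upgraded] = check_and_upgrade('correct horse battery', $legacy);
printf("login ok: %s, before: %s, after: %s\n",
    $ok ? 'yes' : 'no', bcrypt_identifier($legacy), bcrypt_identifier($upgraded));
```

The upgrade only happens inside a successful login because the plaintext is needed to compute the new hash; existing '$2a$' hashes cannot be rewritten offline. Reading the cost back from the stored hash keeps the work factor the site already chose, and hash_equals() avoids the early-exit string comparison that a plain `==` would introduce.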

Attachments (1)

class-phpass.patch (1.7 KB) - added by timrutter 5 months ago.
class-phpass.patch


Change History (4)

@timrutter
5 months ago

class-phpass.patch

#1
5 months ago

This ticket was mentioned in PR #6593 on WordPress/wordpress-develop by t-rutter.

  • Updated gensalt_blowfish() to use the prefix '$2y' for PHP versions 5.2.7 and later
  • Added backwards compatible define for PHP_VERSION_ID
  • Removed duplicate PHPDOC comment

Trac ticket: https://core.trac.wordpress.org/ticket/61258

#2 @hellofromTonya
5 weeks ago

  • Component changed from Security to External Libraries
  • Version changed from 6.6 to 5.8

While scrubbing tickets for the 6.6.x minor cycle, I noticed this ticket is flagged with Version 6.6. There were no changes made to PHPass during the 6.6 cycle. PHPass was upgraded to 0.5 during the 5.8 cycle in #51549 via [51008].

#3 @jrf
3 weeks ago

PHPass is an external library and still externally maintained. This should not be handled here, but reported upstream: https://github.com/openwall/phpass

If this would lead to a new release of the upstream library, WordPress should update (if and when).
