alpine 3.8
crypto weakness #600

Weakness Breakdown

Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

cups/src/cups-2.2.10/scheduler/auth.c

Context:

The crypt() call in the code below is the trigger point of this particular Alpine 3.8 crypto weakness.

      */

      cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
      return;
    }

    if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
#  else
    if (!pw->pw_passwd[0])
#  endif /* HAVE_SHADOW_H */
    {
     /*
      * Don't allow blank passwords!
      */

      cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
      return;
    }

   /*
    * OK, the password isn't blank, so compare with what came from the
    * client...
    */

    pass = crypt(password, pw->pw_passwd);   /* crypt() call flagged by the warning above */

    if (!pass || strcmp(pw->pw_passwd, pass))
    {
#  ifdef HAVE_SHADOW_H
      if (spw)
      {
        pass = crypt(password, spw->sp_pwdp);   /* second crypt() call, same hashing function */

        if (pass == NULL || strcmp(spw->sp_pwdp, pass))
        {
          cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
          return;
        }
      }
      else
#  endif /* HAVE_SHADOW_H */
      {
        cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
        return;
      }
    }
#endif /* HAVE_LIBPAM */
  }

  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);