alpine 3.9
crypto weakness #5

4

Weakness Breakdown


Definition:

This weakness covers creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are frequently found later to be unsafe once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm (traditional DES-based crypt): since they only accept passwords of 8 characters or fewer and only a two-character salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

hylafax/src/hylafax-6.0.7/hfaxd/User.c++

Context:

The crypt() call in HylaFAXServer::checkpasswdHosts() below (strcmp(crypt(pass,passwd),passwd)) is the trigger point of this particular Alpine 3.9 crypto weakness; the surrounding lines show where the passwd value it compares against is read from the host access file.

 			    ;
		    }
		    if (*cp == ':') {	// :passwd[:adminwd]
			for (base = ++cp; *cp && *cp != ':'; cp++)
			    ;
			if (*cp == ':') {
			    passwd = fxStr(base, cp-base);
			    adminwd = cp+1;
			} else
			    passwd = base;
		    } else
			passwd = "";	// no password required
		}
		return (true);
	    }
	}
    }
    passwd = "*";
    return (false);
}

bool
HylaFAXServer::checkpasswdHosts (const char* pass)
{
    if (strcmp(crypt(pass,passwd),passwd) == 0)
        return true;

    return false;
}

fxDECLARE_PtrKeyDictionary(IDCache, u_int, fxStr)
fxIMPLEMENT_PtrKeyObjValueDictionary(IDCache, u_int, fxStr)

/*
 * Read the host access file and fill the ID cache
 * with entries that map fax UID to name.  We pick
 * names by stripping any host part from matching
 * regex's and by mapping ''.*'' user matches to a
 * generic ''anyone'' name.
 *
 * XXX Maybe should convert RE entries to numeric
 *     equivalent of ID to avoid funky names???
 */
void
HylaFAXServer::fillIDCache(void)
{
    idcache = new IDCache;
    FILE* db = fopen(fixPathname(userAccessFile), "r");
    if (db != NULL) {
	char line[1024]; 
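The following is an added example, not HylaFAX code and not from the Alpine report. It parses the ":passwd[:adminwd]" tail of a host access file entry the same way the excerpt above does (everything before the first colon is treated as the match field; the page does not show how that field is matched, so it is passed through untouched), classifies each stored hash by format so that 13-character traditional DES-crypt strings (two-character salt, 8-character password limit) can be flagged, and shows a hardened replacement check: PBKDF2-HMAC-SHA256 over the full password with a 16-byte random salt and a work factor, compared in constant time. The `$pbkdf2-sha256$iterations$salt$hash` encoding and the sample file contents are assumptions made for this example; a real hfaxd would need its libc crypt() to understand whatever modular hash format is chosen.

```python
"""Audit a hylafax-style host access file for weak crypt() password hashes.

Added example: not HylaFAX code.  Parses the ":passwd[:adminwd]" tail shown
in the excerpt, classifies each stored hash, and demonstrates a hardened
(PBKDF2-HMAC-SHA256, salted, constant-time) verification routine.
"""
import base64
import hashlib
import hmac
import os
import string

# Traditional DES crypt output: 13 chars from [./0-9A-Za-z], first two = salt.
DES_CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")

# Constructed sample file (not from any real deployment).  The field before
# the first ':' stands in for the host/user match field, whose matching the
# excerpt does not show.  "abJnggxhB/yWI" is a 13-char DES-crypt-format string.
SAMPLE_HOSTS = """\
# constructed hosts file, not from any real deployment
localhost
^fax\\.example\\.org$:abJnggxhB/yWI
^admin\\.example\\.org$:$6$saltsalt$placeholderhashplaceholderhash:$6$saltsalt$placeholderadminhash
^legacy\\.example\\.org$:$1$abcdefgh$QWERTYUIOPASDFGHJKLZXCV
"""

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the hardened scheme


def parse_line(line):
    """Split one entry as the excerpt does: match field, then passwd up to
    the next ':', then adminwd.  No ':' after the match field means passwd is
    "" (no password required)."""
    line = line.rstrip("\n")
    match, sep, rest = line.partition(":")
    if not sep:
        return match, "", ""
    passwd, _, adminwd = rest.partition(":")
    return match, passwd, adminwd


def classify_hash(h):
    """Label a stored hash by format.  'des-crypt' and 'md5-crypt' are weak."""
    if h == "":
        return "none"  # excerpt: no password required
    if len(h) == 13 and set(h) <= DES_CRYPT_ALPHABET:
        return "des-crypt"  # 2-char salt, password truncated to 8 chars
    if h.startswith("$1$"):
        return "md5-crypt"  # fast, no configurable work factor
    if h.startswith(("$5$", "$6$", "$2a$", "$2b$", "$2y$", "$7$")):
        return "modular-strong"  # SHA-crypt / bcrypt / scrypt families
    return "unknown"


def audit(text):
    """Return (lineno, match, role, kind) for every password field found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match, passwd, adminwd = parse_line(line)
        findings.append((lineno, match, "passwd", classify_hash(passwd)))
        if adminwd:
            findings.append((lineno, match, "adminwd", classify_hash(adminwd)))
    return findings


def weak_entries(text):
    """Only the findings a reviewer must act on."""
    return [f for f in audit(text) if f[3] in ("des-crypt", "md5-crypt")]


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened replacement: full-length password, 16-byte salt, work factor.
    The '$pbkdf2-sha256$...' layout is this example's own convention."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, stored):
    """Constant-time check; unlike strcmp() it does not stop at the first
    differing byte.  Anything not in our format (e.g. a DES hash) fails."""
    try:
        _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for lineno, match, role, kind in weak_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {match!r} {role} uses weak format {kind}")
```

Running the module prints one line per weak entry in the constructed file (the DES entry on line 3 and the md5-crypt entry on line 5). The DES check ignores everything after the eighth character of a password; the PBKDF2 replacement hashes all of it, so two passwords that differ only in their ninth character produce different hashes.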

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.