Mitigate Baron Samedit (CVE-2021-3156) vulnerability

sles 15.1
crypto weakness #10

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

perl-5.26.1/reentr.h

Context:

The highlighted line of code below (the `crypt(a, b)` macro, which redirects calls to `crypt_r()`) is the trigger point of this particular SLES 15.1 crypto weakness.

 #  if defined(PERL_REENTR_API) && (PERL_REENTR_API+0 == 1)
/* Reentrant remap of asctime(): asctime(a) becomes an asctime_r() call
 * that writes into the per-interpreter _asctime_buffer. The four variants
 * below differ only in which asctime_r() prototype ASCTIME_R_PROTO
 * selects: the *_SBI forms also pass _asctime_size, and the I_* forms
 * treat a return value of 0 as success and yield the buffer (0 otherwise)
 * so the macro keeps asctime()'s pointer-returning shape. Every variant is
 * guarded by !defined(asctime), so only the first match after the #undef
 * takes effect. (The enclosing #ifdef HAS_ASCTIME_R opens above this
 * excerpt.) */
#   undef asctime
#   if !defined(asctime) && ASCTIME_R_PROTO == REENTRANT_PROTO_B_SB
    /* Buffer-returning form, buffer pointer only. */
#       define asctime(a) asctime_r(a, PL_reentrant_buffer->_asctime_buffer)
#   endif
#   if !defined(asctime) && ASCTIME_R_PROTO == REENTRANT_PROTO_B_SBI
    /* Buffer-returning form, buffer pointer plus its size. */
#       define asctime(a) asctime_r(a, PL_reentrant_buffer->_asctime_buffer, PL_reentrant_buffer->_asctime_size)
#   endif
#   if !defined(asctime) && ASCTIME_R_PROTO == REENTRANT_PROTO_I_SB
    /* Status-returning form: 0 means success, so hand back the buffer. */
#       define asctime(a) (asctime_r(a, PL_reentrant_buffer->_asctime_buffer) == 0 ? PL_reentrant_buffer->_asctime_buffer : 0)
#   endif
#   if !defined(asctime) && ASCTIME_R_PROTO == REENTRANT_PROTO_I_SBI
    /* Status-returning form with an explicit size argument. */
#       define asctime(a) (asctime_r(a, PL_reentrant_buffer->_asctime_buffer, PL_reentrant_buffer->_asctime_size) == 0 ? PL_reentrant_buffer->_asctime_buffer : 0)
#   endif
#  endif
#endif /* HAS_ASCTIME_R */

#ifdef HAS_CRYPT_R
/* Reentrant remap of crypt(). With PERL_REENTR_API == 1 every crypt(a, b)
 * call in code that includes this header becomes a crypt_r() call carrying
 * a third, per-interpreter state argument; which spelling is used depends
 * on CRYPT_R_PROTO. Each variant is guarded by !defined(crypt), so only the
 * first match after the #undef takes effect.
 *
 * NOTE(review): this is the line the scanner flags. The macro only forwards
 * a and b and adds the state argument; presumably crypt_r() is the
 * reentrant counterpart of crypt() and implements the same hashing scheme,
 * so the weakness named in the warning (short password and salt limits of
 * the classic crypt algorithm) is a property of the libc primitive and of
 * any caller that stores passwords with it, not of this remap. Mitigation
 * belongs with those callers (a modern salted, iterated password hash);
 * editing this line does not change the algorithm. This header looks
 * generated - confirm, and change the generator rather than this file. */
#  if defined(PERL_REENTR_API) && (PERL_REENTR_API+0 == 1)
#   undef crypt
#   if !defined(crypt) && CRYPT_R_PROTO == REENTRANT_PROTO_B_CCS
    /* Variant: state passed as the _crypt_struct_buffer member itself. */
#       define crypt(a, b) crypt_r(a, b, PL_reentrant_buffer->_crypt_struct_buffer)
#   endif
#   if !defined(crypt) && CRYPT_R_PROTO == REENTRANT_PROTO_B_CCD
    /* Variant: state passed as the address of the _crypt_data member. */
#       define crypt(a, b) crypt_r(a, b, &PL_reentrant_buffer->_crypt_data)
#   endif
#  endif
#endif /* HAS_CRYPT_R */

#ifdef HAS_CTERMID_R
/* Reentrant remap of ctermid(): ctermid(a) becomes ctermid_r(a). Unlike the
 * asctime/crypt/ctime remaps shown nearby, no per-interpreter buffer is
 * added - the caller's argument is forwarded unchanged. Guarded by
 * !defined(ctermid) for symmetry with the other remaps. */
#  if defined(PERL_REENTR_API) && (PERL_REENTR_API+0 == 1)
#   undef ctermid
#   if !defined(ctermid) && CTERMID_R_PROTO == REENTRANT_PROTO_B_B
#       define ctermid(a) ctermid_r(a)
#   endif
#  endif
#endif /* HAS_CTERMID_R */

#ifdef HAS_CTIME_R
#  if defined(PERL_REENTR_API) && (PERL_REENTR_API+0 == 1)
#   undef ctime
#   if !defined(ctime) && CTIME_R_PROTO == REENTRANT_PROTO_B_SB
#       define ctime(a) ctime_r(a, PL_reentrant_buffer->_ctime_buffer)
#   endif
#   if !defined(ctime) && CTIME_R_PROTO == REENTRANT_PROTO_B_SBI
#       define ctime(a) ctime_r(a, PL_reentrant_buffer->_ctime_buffer, PL_reentrant_buffer->_ctime_size)
#   endif
#   if !defined(ctime) && CTIME_R_PROTO == REENTRANT_PROTO_I_SB
#       define ctime(a) (ctime_r(a, PL_reentrant_buffer->_ctime_buffer) == 0 ? PL_reentrant_buffer->_ctime_buffer : 0)
#   endif 
