php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #45430 crypt () not thread-safe when crypt_r is not available!
Submitted: 2008-07-04 08:50 UTC Modified: 2008-07-28 12:00 UTC
From: alex at all-dynamics dot de Assigned: pajoye (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.2.6 OS: Win32
Private report: No CVE-ID: None
View Developer Edit
 [2008-07-04 08:50 UTC] alex at all-dynamics dot de 
Description:
------------
crypt () seems not to be thread-safe when using a threaded webserver (Windows, ISAPI). Maybe this has something to do with win32/md5crypt.c /  md5_crypt: static char passwd[120] (static buffer which is returned to the calling function).

Reproduce code:
---------------
Run this code with two or more simultaneous requests on a threaded server:


set_time_limit (0);

$passwd1 = "testtesttest";
$passwd2 = "passwordpassword";

for ($i = 0; $i < 3000; $i++) {

  $crypted = crypt ($passwd1);
  if ($crypted != crypt ($passwd1, $crypted)) die ("no match");

  $crypted = crypt ($passwd2);
  if ($crypted != crypt ($passwd2, $crypted)) die ("no match");

}

echo "ok";


Expected result:
----------------
"ok" on all requests

Actual result:
--------------
one request may end with "no match", the other request will display "ok"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-15 02:28 UTC] jani@php.net 
See also:
http://blog.php-security.org/archives/82-Suhosin-0.9.20-and-crypt-Thread-Safety-Vulnerability.html
 [2008-07-15 09:19 UTC] pajoye@php.net 
Taking the hand on it for the windows part. As part of the win32 improvement effort, I already wrote a patch to drop our win32's md5_crypt implementation and add support for other algorithms (just like crypt_r + DES).
 [2008-07-17 22:44 UTC] pajoye@php.net 
Here is the patch (windows only):

http://pierre.libgd.org/patches/crypt_r_win32.patch.txt

Will be committed asap.
 [2008-07-19 22:22 UTC] pajoye@php.net 
Patch updated to the latest DES implementation ported to Windows.
Blowfish support added (with salt generation).

http://news.php.net/php.internals.win/94
 [2008-07-26 18:19 UTC] pajoye@php.net 
Final patch:

http://pierre.libgd.org/patches/add_crypt_r_blowfish_extdes.txt

It not only fixes windows but it adds blowfish, extended DES, std DES and MD5 to all platforms as soon as one of them is not available or when crypt_r is not present either. Doing so PHP can't be affected anymore by this problem.
 [2008-07-28 12:00 UTC] pajoye@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.3 and HEAD (6.x)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Oct 25 16:00:02 2025 UTC