php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78510 Partially uninitialized buffer returned by sodium_crypto_generichash_init()
Submitted: 2019-09-07 17:29 UTC Modified: 2019-09-09 13:36 UTC
From: security at paragonie dot com Assigned: cmb (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.3.9 OS: Any
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: security at paragonie dot com
New email:
PHP Version: OS:

 

 [2019-09-07 17:29 UTC] security at paragonie dot com
Description:
------------
Fixed upstream:

https://github.com/jedisct1/libsodium-php/compare/751c625a0f5d2c097cc345eba39d25b450f7a194..68d7915b9ec21404da6e81472d893325fdc65a5c

(Discovered while trying to add the "salt" and "personal" parameters to the sodium_compat polyfill in order to add missing functions.)

Test script:
---------------
<?php
$key = hex2bin('36be2998c85757e98c1abf3687c8db3a849a393701c05454023d9aba1096fd47');
$y = sodium_crypto_generichash_init($key, 64);
var_dump(bin2hex($y));


Expected result:
----------------
If you run the test script repeatedly, you expect a deterministic result.

Actual result:
--------------
I ran this script 4 times.

scott@paragonie-test:~$ php test.php 
string(768) "48e9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b000000000000000000000000000000000000000000000000000000000000000036be2998c85757e98c1abf3687c8db3a849a393701c05454023d9aba1096fd47000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000052ba5cce550000a0da411e7f7f000080654b1e01ffff7f"
scott@paragonie-test:~$ php test.php 
string(768) "48e9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b000000000000000000000000000000000000000000000000000000000000000036be2998c85757e98c1abf3687c8db3a849a393701c05454023d9aba1096fd4700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000ae8bc4a7f00006005afaee55500008072c3ace5550000"
scott@paragonie-test:~$ php test.php 
string(768) "48e9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b000000000000000000000000000000000000000000000000000000000000000036be2998c85757e98c1abf3687c8db3a849a393701c05454023d9aba1096fd4700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000002220d4fd550000a0da01cdac7f000080650bcd01ffff7f"
scott@paragonie-test:~$ php test.php 
string(768) "48e9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b000000000000000000000000000000000000000000000000000000000000000036be2998c85757e98c1abf3687c8db3a849a393701c05454023d9aba1096fd4700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000a2841427f000060c5fc5ee555000080620d5de5550000"

The last few bytes were uninitialized memory.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-09 13:36 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 08 16:01:29 2024 UTC