> The Firebird developers basically say that there is no possibility of
> exploitation on their own hash comparisons

If you wanted to pin them down, I would ask that they certify that
their MatchesMatcher::matches method doesn't short-circuit, because if
my C++ memory serves (iffy) it does. (Please note that this is not a
bug report and not a cause for alarm, simply a recommendation for
further looking.)

Also keep in mind that "their own hash comparisons" suggests areas of
their code that specially treat hash data. But when dealing with a
database, a VAR/CHAR field can be used for hash storage, and in turn
hash comparison, without the db having any idea of the purpose.
-- S.
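
An added illustration of the short-circuit concern in the message above; it is not part of the original message and is not Firebird's code. The function names and the sample digest are constructed for the example, and the `inspected` counter stands in for elapsed time so the difference is visible without a timer.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Early-exit comparison: returns at the first differing byte, so the amount
// of work done depends on how long the matching prefix is.
bool short_circuit_equal(const std::string& a, const std::string& b,
                         std::size_t& inspected) {
    inspected = 0;
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i) {
        ++inspected;
        if (a[i] != b[i]) return false;
    }
    return true;
}

// Constant-time comparison for fixed-length digests: every byte is examined
// and differences are OR-ed together, so no branch depends on secret data.
bool constant_time_equal(const std::string& a, const std::string& b,
                         std::size_t& inspected) {
    inspected = 0;
    if (a.size() != b.size()) return false;  // digest length is not secret
    volatile unsigned char diff = 0;         // volatile discourages early-exit optimisation
    for (std::size_t i = 0; i < a.size(); ++i) {
        ++inspected;
        diff = static_cast<unsigned char>(diff | (a[i] ^ b[i]));
    }
    return diff == 0;
}

int main() {
    // Constructed sample values, not real hashes.
    const std::string stored = "00112233445566778899aabbccddeeff";
    const std::string candidates[] = {
        "X0112233445566778899aabbccddeeff",  // differs at byte 0
        "00112233445566778899Xabbccddeeff",  // differs at byte 20
        stored,                              // exact match
    };
    for (const std::string& c : candidates) {
        std::size_t sc = 0, ct = 0;
        bool r1 = short_circuit_equal(stored, c, sc);
        bool r2 = constant_time_equal(stored, c, ct);
        std::printf("match=%d/%d short-circuit bytes=%zu constant-time bytes=%zu\n",
                    r1, r2, sc, ct);
    }
    return 0;
}
```

When the hash sits in an ordinary VAR/CHAR column, the database's own string comparison gives no such guarantee, so a comparison like the second one has to be done by the application on the fetched value.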