
openstack team mailing list archive

[OSSA 2012-002] Extremely long passwords can crash Keystone (CVE-2012-1572)


OpenStack Security Advisory: 2012-002
CVE: CVE-2012-1572
Date: March 27, 2012
Title: Extremely long passwords can crash Keystone
Impact: High
Reporter: Dan Prince <dprince@xxxxxxxxxx>
Products: Keystone
Affects: All versions

Description:
Dan Prince reported a vulnerability in Keystone. He discovered that
you can remotely trigger a crash in Keystone by sending an extremely
long password. When Keystone is validating the password, glibc
allocates space on the stack for the entire password. If the password
is long enough, stack space can be exhausted, resulting in a crash.
This vulnerability is mitigated by a patch to impose a reasonable
limit on password length (4 kB).
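The mitigation described above, as an added example that is not Keystone's own code: a length gate that runs before any hashing routine sees the password. The 4 kB limit is the value stated in the advisory; measuring it in bytes of the UTF-8 encoding (rather than characters) is an assumption here, chosen because the underlying hashing code operates on bytes, and PBKDF2 stands in for glibc crypt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Limit from the advisory's fix (4 kB). Enforced on the encoded byte length,
# since that is the size the hashing routine actually has to handle.
MAX_PASSWORD_BYTES = 4096


class PasswordTooLong(ValueError):
    """Raised when a supplied password exceeds MAX_PASSWORD_BYTES."""


def validate_password_length(password: str) -> bytes:
    """Encode the password and enforce the size limit. Returning the encoded
    bytes means callers cannot skip the check: the only way to obtain bytes
    for hashing is through this gate."""
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(
            f"password is {len(encoded)} bytes, limit is {MAX_PASSWORD_BYTES}")
    return encoded


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hypothetical stand-in for Keystone's hashing (PBKDF2 instead of glibc
    crypt). The length gate runs first, so an oversized password never
    reaches the hashing routine and its stack allocation."""
    encoded = validate_password_length(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encoded, salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    """Verify a login attempt. An oversized password is simply a failed
    login: it is rejected before any expensive or risky work is done."""
    try:
        encoded = validate_password_length(password)
    except PasswordTooLong:
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", encoded, bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Note that a 4096-character password made of two-byte characters is 8192 bytes and is rejected, which is why the gate measures bytes.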

Fixes:
Essex:
https://github.com/openstack/keystone/commit/239e4f64c2134338b32ffd6d42c0b6ff70cd040c
2011.3:
https://github.com/dprince/keystone/commit/7b07f870702de5675d4423042e8b018e3fc4b931

Note that the stable/diablo commit is still pending the resolution of
some issues on Jenkins. The patch will be identical to the one linked
above from dprince's GitHub repository.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1572
https://bugs.launchpad.net/keystone/+bug/957359

Notes:
This fix will be included in the Essex rc2 development milestone and in
a future Diablo release.

-- 
Russell Bryant
OpenStack Vulnerability Management Team