
openstack team mailing list archive

Re: [OSSA 2012-002] Extremely long passwords can crash Keystone (CVE-2012-1572)


On Tue, Mar 27, 2012 at 02:56:42PM -0400, Russell Bryant wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> OpenStack Security Advisory: 2012-002
> CVE: CVE-2012-1572
> Date: March 27, 2012
> Title: Extremely long passwords can crash Keystone
> Impact: High
> Reporter: Dan Prince <dprince@xxxxxxxxxx>
> Products: Keystone
> Affects: All versions
> 
> Description:
> Dan Prince reported a vulnerability in Keystone. He discovered that
> you can remotely trigger a crash in Keystone by sending an extremely
> long password. When Keystone is validating the password, glibc
> allocates space on the stack for the entire password. If the password
> is long enough, stack space can be exhausted, resulting in a crash.
> This vulnerability is mitigated by a patch to impose a reasonable
> limit on password length (4 kB).

What about raising an exception back to the callers, rather than silently
accepting it with truncation?

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


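As an added illustration of the two options under discussion (the advisory's 4 kB length cap and the alternative of raising an error instead of truncating), the following is example code written for this page, not Keystone's own code or either author's; the MAX_PASSWORD_BYTES constant, the PasswordTooLong exception and the use of PBKDF2 as a stand-in for Keystone's real password hash are assumptions:

```python
import hashlib
import hmac

# Assumed limit, matching the 4 kB figure quoted in the advisory.
MAX_PASSWORD_BYTES = 4096


class PasswordTooLong(ValueError):
    """Raised for over-long passwords instead of truncating them (assumed name)."""


def check_password_length(password: str) -> bytes:
    """Reject an over-long password before any hashing or C-level code sees it.

    Length is measured in encoded bytes, because that is what the hash
    (and any C library behind it) actually receives on its stack.
    """
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(
            f"password is {len(data)} bytes; limit is {MAX_PASSWORD_BYTES}")
    return data


def hash_password_truncating(password: str, salt: bytes) -> bytes:
    """'Silently truncate' strategy: bytes past the limit are dropped."""
    data = password.encode("utf-8")[:MAX_PASSWORD_BYTES]
    return hashlib.pbkdf2_hmac("sha256", data, salt, 10_000)


def hash_password_rejecting(password: str, salt: bytes) -> bytes:
    """'Raise back to the caller' strategy: the caller learns why it failed."""
    data = check_password_length(password)
    return hashlib.pbkdf2_hmac("sha256", data, salt, 10_000)


def truncation_collides(salt: bytes) -> bool:
    """Why silent truncation is a correctness problem, not just a UX one:
    two distinct passwords sharing their first 4096 bytes hash identically,
    so the second would verify as if it were the first."""
    base = "a" * MAX_PASSWORD_BYTES
    h1 = hash_password_truncating(base + "first-suffix", salt)
    h2 = hash_password_truncating(base + "second-suffix", salt)
    return hmac.compare_digest(h1, h2)


def rejects_overlong(password: str, salt: bytes) -> bool:
    """True if the rejecting strategy refuses the password outright."""
    try:
        hash_password_rejecting(password, salt)
    except PasswordTooLong:
        return True
    return False
```

Both strategies keep the oversized input away from the stack-allocating code path; the difference is that the rejecting variant reports the failure instead of quietly storing or verifying a different password than the one supplied.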