yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1175905] Re: passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Doug Hellmann <doug@xxxxxxxxxxxxxxxx>
Date: Thu, 03 Sep 2015 18:14:59 -0000
Reply-to: Bug 1175905 <1175905@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => liberty-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1175905

Title:
  passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE

Status in Keystone:
  Fix Released

Bug description:
  Grant Murphy originally reported:

  * Usage of passlib

    The keystone server does not appear to sanitize the environment when 
    starting. This means that an unintended value can be set for 
    PASSLIB_MAX_PASSWORD_SIZE. Which will overwrite the default value of 
    4096 and potentially cause an unhandled passlib.exc.PasswordSizeError.  
    We should ensure sensible defaults are applied here prior to loading passlib.

  If this is exploitable it will need a CVE, if not we should still
  harden it so it can't be monkeyed with in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175905/+subscriptions