On Tue, Mar 27, 2012 at 02:56:42PM -0400, Russell Bryant wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> OpenStack Security Advisory: 2012-002
> CVE: CVE-2012-1572
> Date: March 27, 2012
> Title: Extremely long passwords can crash Keystone
> Impact: High
> Reporter: Dan Prince <dpri...@redhat.com>
> Products: Keystone
> Affects: All versions
> 
> Description:
> Dan Prince reported a vulnerability in Keystone. He discovered that
> you can remotely trigger a crash in Keystone by sending an extremely
> long password. When Keystone is validating the password, glibc
> allocates space on the stack for the entire password. If the password
> is long enough, stack space can be exhausted, resulting in a crash.
> This vulnerability is mitigated by a patch to impose a reasonable
> limit on password length (4 kB).

What about raising an exception back to the callers, rather than silently
accepting it with truncation?

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
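Daniel's point, rejecting an over-long password instead of silently truncating it, as an added example that is not Keystone's own code: the check measures UTF-8 bytes, since that is what the C-level routine sees, and raises before anything reaches the hashing layer. The 4096-byte constant is taken from the advisory's 4 kB figure; all names here are assumptions.

```python
import hashlib
import os

# Assumed limit, from the advisory's 4 kB figure (not a Keystone identifier).
MAX_PASSWORD_BYTES = 4096


class PasswordTooLongError(ValueError):
    """Raised when a password exceeds the configured byte limit."""


def check_password_length(password, max_bytes=MAX_PASSWORD_BYTES):
    """Return the encoded size, or raise instead of truncating.

    Measured in UTF-8 bytes: a limit counted in characters would still
    admit up to four times that many bytes once encoded.
    """
    if not isinstance(password, str):
        raise TypeError("password must be str")
    size = len(password.encode("utf-8"))
    if size > max_bytes:
        raise PasswordTooLongError(
            "password is %d bytes; limit is %d" % (size, max_bytes))
    return size


def password_is_acceptable(password, max_bytes=MAX_PASSWORD_BYTES):
    """Boolean form of the check, for callers that prefer not to catch."""
    try:
        check_password_length(password, max_bytes)
    except PasswordTooLongError:
        return False
    return True


def hash_password(password, salt=None, max_bytes=MAX_PASSWORD_BYTES):
    """Hash only after the length check passed; the caller sees the error."""
    check_password_length(password, max_bytes)
    if salt is None:
        salt = os.urandom(16)
    # Hypothetical stand-in for the real hashing back end.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)
    return salt.hex() + "$" + digest.hex()
```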
