Re: [Openstack] [OSSA 2012-002] Extremely long passwords can crash Keystone (CVE-2012-1572)
On Tue, Mar 27, 2012 at 02:56:42PM -0400, Russell Bryant wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> OpenStack Security Advisory: 2012-002
> CVE: CVE-2012-1572
> Date: March 27, 2012
> Title: Extremely long passwords can crash Keystone
> Impact: High
> Reporter: Dan Prince dpri...@redhat.com
> Products: Keystone
> Affects: All versions
>
> Description:
> Dan Prince reported a vulnerability in Keystone. He discovered that you
> can remotely trigger a crash in Keystone by sending an extremely long
> password. When Keystone is validating the password, glibc allocates
> space on the stack for the entire password. If the password is long
> enough, stack space can be exhausted, resulting in a crash. This
> vulnerability is mitigated by a patch to impose a reasonable limit on
> password length (4 kB).

What about raising an exception back to the callers, rather than silently accepting it with truncation?

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
[Openstack] [OSSA 2012-002] Extremely long passwords can crash Keystone (CVE-2012-1572)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenStack Security Advisory: 2012-002
CVE: CVE-2012-1572
Date: March 27, 2012
Title: Extremely long passwords can crash Keystone
Impact: High
Reporter: Dan Prince dpri...@redhat.com
Products: Keystone
Affects: All versions

Description:
Dan Prince reported a vulnerability in Keystone. He discovered that you
can remotely trigger a crash in Keystone by sending an extremely long
password. When Keystone is validating the password, glibc allocates
space on the stack for the entire password. If the password is long
enough, stack space can be exhausted, resulting in a crash. This
vulnerability is mitigated by a patch to impose a reasonable limit on
password length (4 kB).

Fixes:
Essex: https://github.com/openstack/keystone/commit/239e4f64c2134338b32ffd6d42c0b6ff70cd040c
2011.3: https://github.com/dprince/keystone/commit/7b07f870702de5675d4423042e8b018e3fc4b931

Note that the stable/diablo commit is still pending the resolution of
some issues on jenkins. The patch will be identical to the one linked
to from dprince's github repository.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1572
https://bugs.launchpad.net/keystone/+bug/957359

Notes:
This fix will be included in the Essex rc2 development milestone and in
a future Diablo release.

- --
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9yDWoACgkQFg9ft4s9SAas5gCglqproiXDUgrbvqUjEr2JlCaa
1DAAni1Bf4rWeD9Emli/4K3cljxMq1z/
=z2UX
-----END PGP SIGNATURE-----
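
The 4 kB limit from the advisory and the truncate-or-raise question from the reply, as an added example that is not code from Keystone or from the linked patches: it shows that under silent truncation two different passwords sharing their first 4096 bytes verify as the same, while rejection surfaces the error to the caller. Assumptions: PBKDF2 stands in for Keystone's password hash, and `PasswordTooLong`, `bound_truncate`, `bound_reject` and the other helper names are hypothetical.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LENGTH = 4096  # the 4 kB limit stated in the advisory

class PasswordTooLong(ValueError):
    """Hypothetical exception type for the reject-on-overflow policy."""

def _to_bytes(password):
    return password.encode("utf-8") if isinstance(password, str) else password

def bound_truncate(password):
    """Policy A: silently keep only the first MAX_PASSWORD_LENGTH bytes."""
    return _to_bytes(password)[:MAX_PASSWORD_LENGTH]

def bound_reject(password):
    """Policy B: refuse oversized input so the caller sees the error."""
    raw = _to_bytes(password)
    if len(raw) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong("password is %d bytes, limit is %d"
                              % (len(raw), MAX_PASSWORD_LENGTH))
    return raw

def hash_password(password, bound, salt=None):
    # The bound runs before the hash ever sees the input, so the hashing
    # routine only receives at most MAX_PASSWORD_LENGTH bytes.
    salt = salt or os.urandom(16)
    # Stand-in hash; low iteration count only to keep the example fast.
    digest = hashlib.pbkdf2_hmac("sha256", bound(password), salt, 1000)
    return salt, digest

def check_password(password, stored, bound):
    salt, expected = stored
    return hmac.compare_digest(hash_password(password, bound, salt)[1], expected)

def demo():
    # Constructed inputs: two different passwords sharing their first 4096 bytes.
    enrolled = "A" * MAX_PASSWORD_LENGTH + "-suffix-one"
    other = "A" * MAX_PASSWORD_LENGTH + "-suffix-two"
    stored = hash_password(enrolled, bound_truncate)
    collides = check_password(other, stored, bound_truncate)
    try:
        hash_password(enrolled, bound_reject)
        rejected = False
    except PasswordTooLong:
        rejected = True
    return collides, rejected
```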