Date: Tue, 23 Aug 2016 22:04:44 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Howard Guo <hguo@...e.com>, Marcus Meissner <meissner@...e.de>,
	CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: cracklib: Stack-based buffer overflow when parsing large GECOS field

Hi,

On Tue, Aug 16, 2016 at 03:34:54PM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
> 
> A security flaw was reported to us by CSG Labs, details as follows:
> 
> A stack-based overflow was found in the way cracklib, a library used to
> stop users from choosing easy-to-guess passwords, handled a large GECOS
> field in the /etc/passwd file. When an application compiled against the
> cracklib library, such as "passwd", is used to parse the GECOS field, it
> could cause the application to crash or execute arbitrary code with the
> permissions of the user running such an application.
> 
> To trigger the flaw, you need a specially-crafted "long" GECOS field,
> which can be done by a local user on the system. The attacker then needs
> to run some utility which uses cracklib to process this long GECOS field
> on the system. (such as "passwd" application which runs suid root)
> 
> All versions of the cracklib library shipped with Red Hat Enterprise
> Linux are compiled with FORTIFY_SOURCE, which detects the
> buffer-overflow and aborts the application safely.
> 
> Therefore the maximum impact of this flaw is application crash.
> 
> However, there may be other applications, distributions which don't
> compile cracklib with FORTIFY_SOURCE, and this can lead to easy code
> exec or even privesc.
> 
> A proposed patch is available at:
> https://bugzilla.redhat.com/attachment.cgi?id=1188599
> 
> This flaw was assigned CVE-2016-6318 and it was previously disclosed via
> linux-distros mailing list.

In the SuSE Bugzilla, it was noted that there is still another buffer
overflow present, cf.

https://bugzilla.novell.com/show_bug.cgi?id=992966#c14

and the patch

https://build.opensuse.org/request/show/419768

> - Add patch 0004-overflow-processing-long-words.patch
>  to fix a new buffer overflow identified together with bsc#992966.
[...]
> The input word is guaranteed to be at most STRINGSIZE-1 in length.
> One of the mangle operations involves duplicating the input word,
> resulting in a string twice the length to be accommodated by both
> area variables.

https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch

was applied.

Should that possibly get a further CVE id for reference?

Regards,
Salvatore
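The second overflow described above (a mangle rule that duplicates a word of up to STRINGSIZE-1 characters into a STRINGSIZE-sized area buffer), as an added illustration that is not cracklib's own code: a simplified "duplicate" rule with the bounds check it needs, next to a helper that reports when the unchecked write would overflow. STRINGSIZE is assumed here to be 1024 and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: cracklib's STRINGSIZE is treated as 1024. */
#define STRINGSIZE 1024

/* Space an unchecked "duplicate" mangle needs: the word twice plus NUL. */
static size_t duplicated_length(size_t wordlen) {
    return 2 * wordlen + 1;
}

/* Returns 1 if duplicating a word of wordlen bytes into a STRINGSIZE buffer
 * without a bounds check would overflow it (the bug pattern in the thread).
 * Any word longer than (STRINGSIZE - 1) / 2 already does not fit. */
int duplicate_would_overflow(size_t wordlen) {
    return duplicated_length(wordlen) > STRINGSIZE;
}

/* Hardened duplicate rule: writes "word" twice into out (capacity outsz) and
 * refuses with -1 when the result would not fit, instead of overflowing.
 * Returns the number of characters written (excluding NUL) on success. */
int duplicate_word_checked(const char *word, char *out, size_t outsz) {
    size_t len = strlen(word);
    if (len > (SIZE_MAX - 1) / 2 || duplicated_length(len) > outsz) {
        return -1;  /* refuse: result exceeds the area buffer */
    }
    memcpy(out, word, len);
    memcpy(out + len, word, len);
    out[2 * len] = '\0';
    return (int)(2 * len);
}

int main(void) {
    char area[STRINGSIZE];
    /* Constructed input: the longest word the STRINGSIZE-1 guarantee allows. */
    char longest[STRINGSIZE];
    memset(longest, 'a', STRINGSIZE - 1);
    longest[STRINGSIZE - 1] = '\0';
    printf("short word: %d\n", duplicate_word_checked("secret", area, sizeof area));
    printf("STRINGSIZE-1 word: %d (unchecked overflow: %d)\n",
           duplicate_word_checked(longest, area, sizeof area),
           duplicate_would_overflow(strlen(longest)));
    return 0;
}
```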
