Date: Tue, 23 Aug 2016 22:04:44 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Cc: Howard Guo <hguo@...e.com>, Marcus Meissner <meissner@...e.de>, CVE Assignments MITRE <cve-assign@...re.org> Subject: Re: cracklib: Stack-based buffer overflow when parsing large GECOS field Hi, On Tue, Aug 16, 2016 at 03:34:54PM +0530, Huzaifa Sidhpurwala wrote: > Hi All, > > A security flaw was reported to us by CSG Labs, details as follows: > > A stack-based overflow was found in the way cracklib, a library used to > stop users from choosing easy to guess passwords, handled large GECOS > field in the /etc/passwd file. When an application compiled against the > cracklib libary, such as "passwd" is used to parse the GECOS field, it > could cause the application to crash or execute arbitary code with the > permissions of the user running such an application. > > To trigger the flaw, you need a specially-crafted "long" GECOS field, > which can be done by a local user on the system. The attacker then needs > to run some utility which uses cracklib to process this long GECOS field > on the system. (such as "passwd" application which runs suid root) > > All versions of the cracklib library shipped with Red Hat Enterprise > Linux are compiled with FORTIFY_SOURCE, which detects the > buffer-overflow and aborts the application safely. > > Therefore the maximum impact of this flaw is application crash. > > However, there may be other applications, distributions which dont > compile cracklib with FORTIFY_SOURCE, and this can lead to easy code > exec or even privsec. > > A proposed patch is available at: > https://bugzilla.redhat.com/attachment.cgi?id=1188599 > > This flaw was assigned CVE-2016-6318 and it was previously disclosed via > linux-distros mailing list. In the SuSE Bugzilla, it was noted that there is still another buffer overflow present, cf. https://bugzilla.novell.com/show_bug.cgi?id=992966#c14 and the patch https://build.opensuse.org/request/show/419768 > - Add patch 0004-overflow-processing-long-words.patch > to fix a new buffer overflow identified together with bsc#992966. [...] > The input word is guaranteed to be at most STRINGSIZE-1 in length. > One of the mangle operations involves duplicating the input word, > resulting in a string twice the length to be accommodated by both > area variables. https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch was applied. Should that possibly get a further CVE id for reference? Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ