Date: Tue, 23 Aug 2016 22:04:44 +0200
From: Salvatore Bonaccorso <>
Cc: Howard Guo <>, Marcus Meissner <>,
	CVE Assignments MITRE <>
Subject: Re: cracklib: Stack-based buffer overflow when parsing large GECOS field


On Tue, Aug 16, 2016 at 03:34:54PM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
> A security flaw was reported to us by CSG Labs, details as follows:
> A stack-based overflow was found in the way cracklib, a library used to
> stop users from choosing easy-to-guess passwords, handled a large GECOS
> field in the /etc/passwd file. When an application compiled against the
> cracklib library, such as "passwd", is used to parse the GECOS field, it
> could cause the application to crash or execute arbitrary code with the
> permissions of the user running such an application.
> To trigger the flaw, you need a specially-crafted "long" GECOS field,
> which can be done by a local user on the system. The attacker then needs
> to run some utility which uses cracklib to process this long GECOS field
> on the system (such as the "passwd" application, which runs suid root).
> All versions of the cracklib library shipped with Red Hat Enterprise
> Linux are compiled with FORTIFY_SOURCE, which detects the
> buffer-overflow and aborts the application safely.
> Therefore the maximum impact of this flaw is application crash.
> However, there may be other applications, distributions which don't
> compile cracklib with FORTIFY_SOURCE, and this can lead to easy code
> exec or even privesc.
> A proposed patch is available at:
> This flaw was assigned CVE-2016-6318 and it was previously disclosed via
> linux-distros mailing list.

In the SuSE Bugzilla, it was noted that there is still another buffer
overflow present, cf.

and the patch

> - Add patch 0004-overflow-processing-long-words.patch
>  to fix a new buffer overflow identified together with bsc#992966.
> The input word is guaranteed to be at most STRINGSIZE-1 in length.
> One of the mangle operations involves duplicating the input word,
> resulting in a string twice the length to be accommodated by both
> area variables.

was applied.

Should that possibly get a further CVE id for reference?
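The two defects discussed in this thread share one root cause: a field or word whose length is bounded by the caller's assumptions is written into a fixed-size working buffer (STRINGSIZE bytes) without a check that it actually fits. The GECOS field comes from /etc/passwd and can be longer than the buffer; the "duplicate" mangle rule takes a word of at most STRINGSIZE-1 bytes and produces one of up to 2*(STRINGSIZE-1) bytes, which also cannot fit. The following C program is an added illustration of the bounds checks a hardened implementation needs, not cracklib's own code or either of the patches mentioned above. STRINGSIZE is a real cracklib name, but its value here (1024) and the function names are assumptions for this stand-alone example; the passwd line it parses is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* cracklib's packer.h defines STRINGSIZE; 1024 is an assumed value here. */
#define STRINGSIZE 1024

/* Extract field number `idx` (0-based; GECOS is field 4) of a colon-separated
 * passwd line into dst, which must have room for STRINGSIZE bytes.
 * Returns the real length of the field; a return value >= STRINGSIZE means
 * the copy was truncated to STRINGSIZE-1 bytes instead of overflowing dst.
 * Returns -1 if the line has no such field. */
int passwd_field_bounded(const char *line, int idx, char dst[STRINGSIZE])
{
    const char *p = line;
    for (int i = 0; i < idx; i++) {
        const char *colon = strchr(p, ':');
        if (colon == NULL)
            return -1;
        p = colon + 1;
    }
    size_t len = strcspn(p, ":\n");                 /* length of this field */
    size_t n = len < STRINGSIZE - 1 ? len : STRINGSIZE - 1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (int)len;
}

/* The "duplicate" mangle: area = word followed by word again. The input is
 * guaranteed to be at most STRINGSIZE-1 bytes, so the result can reach
 * 2*(STRINGSIZE-1) bytes and must be rejected when it would not fit.
 * Returns 0 on success, -1 when the doubled word exceeds the buffer. */
int mangle_duplicate_bounded(const char *word, char area[STRINGSIZE])
{
    size_t len = strlen(word);
    if (len > (STRINGSIZE - 1) / 2)   /* i.e. 2*len + 1 > STRINGSIZE */
        return -1;
    memcpy(area, word, len);
    memcpy(area + len, word, len);
    area[2 * len] = '\0';
    return 0;
}

/* Demo helper: build a constructed passwd line whose GECOS field is
 * gecos_len 'A' characters and return what the bounded extractor reports. */
int demo_gecos_field(size_t gecos_len)
{
    static char line[4096];
    static char buf[STRINGSIZE];
    if (gecos_len > 4000)
        return -2;
    int n = snprintf(line, sizeof line, "user:x:1000:1000:");
    memset(line + n, 'A', gecos_len);
    snprintf(line + n + gecos_len, sizeof line - n - gecos_len,
             ":/home/user:/bin/sh");
    return passwd_field_bounded(line, 4, buf);
}

/* Demo helper: same constructed line, but return how many bytes were
 * actually stored in the STRINGSIZE buffer (never more than STRINGSIZE-1). */
size_t demo_gecos_stored(size_t gecos_len)
{
    static char line[4096];
    static char buf[STRINGSIZE];
    if (gecos_len > 4000)
        return 0;
    int n = snprintf(line, sizeof line, "user:x:1000:1000:");
    memset(line + n, 'A', gecos_len);
    snprintf(line + n + gecos_len, sizeof line - n - gecos_len,
             ":/home/user:/bin/sh");
    passwd_field_bounded(line, 4, buf);
    return strlen(buf);
}

/* Demo helper: try the duplicate mangle on a word of word_len 'a' bytes. */
int demo_duplicate(size_t word_len)
{
    static char word[STRINGSIZE];
    static char area[STRINGSIZE];
    if (word_len > STRINGSIZE - 1)
        return -2;
    memset(word, 'a', word_len);
    word[word_len] = '\0';
    return mangle_duplicate_bounded(word, area);
}

int main(void)
{
    printf("GECOS of 2000 bytes: reported %d, stored %zu\n",
           demo_gecos_field(2000), demo_gecos_stored(2000));
    printf("duplicate of 100-byte word: %d, of 600-byte word: %d\n",
           demo_duplicate(100), demo_duplicate(600));
    return 0;
}
```

The point of the two helpers is that the caller learns about truncation or rejection through the return value rather than through memory corruption; a FORTIFY_SOURCE build turns the missing check into an abort, as the report above notes, but only an explicit length check keeps the application both safe and running.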

