Bug 1017430 (CVE-2013-4412)

Summary: CVE-2013-4412 slim: malformed or unsupported salts can crash login daemon
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: pahan, pertusus
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: slim 1.3.6
Doc Type: Bug Fix
Last Closed: 2021-10-20 10:41:40 UTC

Description Vincent Danen 2013-10-09 21:00:12 UTC
It was reported [1] that slim 1.3.6 corrected [2] a potential security issue related to a potential NULL pointer dereference when using crypt() from glibc 2.17+. If using this version of glibc with older versions of slim, the login daemon could crash when processing malformed or unsupported salts.

Although Fedora 18 ships this version of slim, it does not use a version of glibc that exposes this issue (Fedora 18 ships with glibc 2.16).

[1] http://www.openwall.com/lists/oss-security/2013/10/09/4
[2] http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071fb
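
The failure mode described above, as an added C example that is not slim's code and not part of the original report: a password check that treats a NULL return from crypt() as a failed login instead of handing it to a string comparison. `verify_password`, `stub_crypt` and the sample values are assumptions made for the example; the stub is a constructed stand-in (not a real hash) so the block runs without libcrypt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), so the real function can be passed instead. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(): NOT a real hash. It returns NULL when the
 * first two salt characters are outside [./0-9A-Za-z], modelling the NULL
 * return the report describes for malformed or unsupported salts. */
static char *stub_crypt(const char *key, const char *salt)
{
    static char out[128];
    static const char ok[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (strlen(salt) < 2 || !strchr(ok, salt[0]) || !strchr(ok, salt[1]))
        return NULL;
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* Returns 1 on match, 0 on mismatch or on any failure of the hash function. */
int verify_password(crypt_fn do_crypt, const char *typed, const char *stored)
{
    if (typed == NULL || stored == NULL || stored[0] == '\0')
        return 0;
    const char *computed = do_crypt(typed, stored);
    if (computed == NULL)        /* rejected salt: fail the login, do not crash */
        return 0;
    size_t n = strlen(stored);
    if (strlen(computed) != n)
        return 0;
    unsigned char diff = 0;      /* compare without an early exit */
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values; "!" stands for a stored field with no valid salt. */
    printf("match:        %d\n", verify_password(stub_crypt, "hunter2", "abhunter2"));
    printf("wrong pass:   %d\n", verify_password(stub_crypt, "hunter3", "abhunter2"));
    printf("bad salt:     %d\n", verify_password(stub_crypt, "hunter2", "!"));
    return 0;
}
```

To use it against the system implementation, pass `crypt` from `<crypt.h>` as the first argument and link with `-lcrypt`.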