Bug 1364944 (CVE-2016-6318)
| Summary: | CVE-2016-6318 cracklib: Stack-based buffer overflow when parsing large GECOS field | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | dmoppert, nalin, security-response-team, tmraz | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-06-08 02:57:22 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1367380 | ||||||
| Bug Blocks: | 1364939 | ||||||
| Attachments: |
|
||||||
|
Description
Huzaifa S. Sidhpurwala
2016-08-08 09:26:02 UTC
Created attachment 1188599 [details]
Proposed patch
The buffer overflow problem is present in RHEL-5 and RHEL-6 too however there the overflow will be in static data not on stack I believe so it might not crash there as easily. The move of some buffers from static data to stack is not upstream so upstream situation is the same as RHEL-5,6. Security Impact: To trigger the flaw, you need a specially-crafted "long" GECOS field, which can be done by a local user on the system. (A user can change his GECOS only). The attacker then needs to run some utility which uses cracklib to process this long GECOS field on the system. (such as "passwd" application which runs suid root) All versions of the cracklib library shipped with Red Hat Enterprise Linux are compiled with FORTIFY_SOURCE, which detects the buffer-overflow and aborts the application safely. Therefore the maximum impact of this flaw is application crash. (In reply to Tomas Mraz from comment #3) > The buffer overflow problem is present in RHEL-5 and RHEL-6 too however > there the overflow will be in static data not on stack I believe so it might > not crash there as easily. My testing says otherwise. Both on rhel-5 and rhel-6, the library is compiled with FORTIFY_SOURCE, which crashes the binary (passwd in my case) when there is a buffer overflow. Hmm, you're right. This kind of overflow should be always detectable by FORTIFY_SOURCE. So the impact is low (if there is possible service that could be DoSed by it) or almost none if cracklib is compiled with it. I do not currently know of service that would be DoSed by crash in pam_chauthtok though. Acknowledgements: Name: CSG Labs Created cracklib tracking bugs for this issue: Affects: fedora-all [bug 1367380] Public via: http://seclists.org/oss-sec/2016/q3/290 There is a further patch augmenting this one at OpenSUSE: https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch External tracker discussion: https://bugzilla.novell.com/show_bug.cgi?id=992966#c14 oss-sec mention: http://seclists.org/oss-sec/2016/q3/370 This doesn't change the above analysis, but noting it here to accompany the attached patch. I think it is much better to modify Mangle() so it does not ever overflow the original buffer size. |