Bug 805551 (CVE-2012-1572) - CVE-2012-1572 openstack-keystone: extremely long passwords can crash Keystone
Summary: CVE-2012-1572 openstack-keystone: extremely long passwords can crash Keystone
Alias: CVE-2012-1572
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 807336 807340 807346
TreeView+ depends on / blocked
Reported: 2012-03-21 15:02 UTC by Vincent Danen
Modified: 2019-09-29 12:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-08-09 04:33:03 UTC

Attachments (Terms of Use)
preliminary patch to fix the flaw (3.15 KB, patch)
2012-03-21 15:18 UTC, Vincent Danen
no flags Details | Diff

Description Vincent Danen 2012-03-21 15:02:47 UTC
A vulnerability in how Keystone handles extremely long passwords was discovered.  When Keystone is validating a password, glibc allocated space on the stack for the entire password.  If the password is long enough, stack space can be exhausted which will lead to a crash.  A remote attacker could use this to cause a crash in Keystone by submitting a long password when attempting to log into an existing account; an attacker must know an existing account name to attempt the login with for this attack to be successful.

Comment 1 Vincent Danen 2012-03-21 15:12:41 UTC
This flaw is embargoed until 20120327.

Comment 2 Vincent Danen 2012-03-21 15:18:31 UTC
Created attachment 571739 [details]
preliminary patch to fix the flaw

Comment 3 Pádraig Brady 2012-03-27 15:08:03 UTC
Hi Vincent. Distro bugs have been created and block this one.
Corresponding updates have been pushed.
I can't make this public.
Can you please?


Note You need to log in before you can comment on or make changes to this bug.