Bug 805551 (CVE-2012-1572) - CVE-2012-1572 openstack-keystone: extremely long passwords can crash Keystone
Summary: CVE-2012-1572 openstack-keystone: extremely long passwords can crash Keystone
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-1572
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 807336 807340 807346
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-21 15:02 UTC by Vincent Danen
Modified: 2019-09-29 12:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-09 04:33:03 UTC
Embargoed:

Attachments (Terms of Use)
preliminary patch to fix the flaw (3.15 KB, patch)
2012-03-21 15:18 UTC, Vincent Danen 		no flags Details | Diff
View All

Description Vincent Danen 2012-03-21 15:02:47 UTC 
A vulnerability in how Keystone handles extremely long passwords was discovered.  When Keystone is validating a password, glibc allocated space on the stack for the entire password.  If the password is long enough, stack space can be exhausted which will lead to a crash.  A remote attacker could use this to cause a crash in Keystone by submitting a long password when attempting to log into an existing account; an attacker must know an existing account name to attempt the login with for this attack to be successful.
Comment 1 Vincent Danen 2012-03-21 15:12:41 UTC 
This flaw is embargoed until 20120327.
Comment 2 Vincent Danen 2012-03-21 15:18:31 UTC 
Created attachment 571739 [details]
preliminary patch to fix the flaw
Comment 3 Pádraig Brady 2012-03-27 15:08:03 UTC 
Hi Vincent. Distro bugs have been created and block this one.
Corresponding updates have been pushed.
I can't make this public.
Can you please?

cheers.
Note You need to log in before you can comment on or make changes to this bug.