Bug 1364944 (CVE-2016-6318) - CVE-2016-6318 cracklib: Stack-based buffer overflow when parsing large GECOS field
Summary: CVE-2016-6318 cracklib: Stack-based buffer overflow when parsing large GECOS ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-6318
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160816,reported=2...
Depends On: 1367380
Blocks: 1364939
TreeView+ depends on / blocked
 
Reported: 2016-08-08 09:26 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-06-08 21:23 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:22 UTC


Attachments (Terms of Use)
Proposed patch (2.37 KB, patch)
2016-08-08 10:13 UTC, Tomas Mraz
no flags Details | Diff

Description Huzaifa S. Sidhpurwala 2016-08-08 09:26:02 UTC
A stack-based overflow was found in the way cracklib, a library used to stop users from choosing easy to guess passwords, handled large GECOS field in the /etc/passwd file. When an application compiled against the cracklib libary, such as "passwd" is used to parse the GECOS field, it could cause the application to crash or execute arbitary code with the permissions of the user running such an application.

Comment 2 Tomas Mraz 2016-08-08 10:13:54 UTC
Created attachment 1188599 [details]
Proposed patch

Comment 3 Tomas Mraz 2016-08-08 10:17:29 UTC
The buffer overflow problem is present in RHEL-5 and RHEL-6 too however there the overflow will be in static data not on stack I believe so it might not crash there as easily.

Comment 4 Tomas Mraz 2016-08-08 10:22:32 UTC
The move of some buffers from static data to stack is not upstream so upstream situation is the same as RHEL-5,6.

Comment 5 Huzaifa S. Sidhpurwala 2016-08-09 06:25:00 UTC
Security Impact:

To trigger the flaw, you need a specially-crafted "long" GECOS field, which can be done by a local user on the system. (A user can change his GECOS only). The attacker then needs to run some utility which uses cracklib to process this long GECOS field on the system. (such as "passwd" application which runs suid root)

All versions of the cracklib library shipped with Red Hat Enterprise Linux are compiled with FORTIFY_SOURCE, which detects the buffer-overflow and aborts the application safely.


Therefore the maximum impact of this flaw is application crash.

Comment 6 Huzaifa S. Sidhpurwala 2016-08-09 07:38:39 UTC
(In reply to Tomas Mraz from comment #3)
> The buffer overflow problem is present in RHEL-5 and RHEL-6 too however
> there the overflow will be in static data not on stack I believe so it might
> not crash there as easily.

My testing says otherwise. Both on rhel-5 and rhel-6, the library is compiled with FORTIFY_SOURCE, which crashes the binary (passwd in my case) when there is a buffer overflow.

Comment 7 Tomas Mraz 2016-08-09 08:25:19 UTC
Hmm, you're right. This kind of overflow should be always detectable by FORTIFY_SOURCE. So the impact is low (if there is possible service that could be DoSed by it) or almost none if cracklib is compiled with it. I do not currently know of service that would be DoSed by crash in pam_chauthtok though.

Comment 9 Huzaifa S. Sidhpurwala 2016-08-11 04:45:42 UTC
Acknowledgements:

Name: CSG Labs

Comment 10 Huzaifa S. Sidhpurwala 2016-08-16 10:10:11 UTC
Created cracklib tracking bugs for this issue:

Affects: fedora-all [bug 1367380]

Comment 11 Huzaifa S. Sidhpurwala 2016-08-16 10:17:18 UTC
Public via:

http://seclists.org/oss-sec/2016/q3/290

Comment 12 Doran Moppert 2016-08-25 00:55:39 UTC
There is a further patch augmenting this one at OpenSUSE:

https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch

External tracker discussion:

https://bugzilla.novell.com/show_bug.cgi?id=992966#c14

oss-sec mention:

http://seclists.org/oss-sec/2016/q3/370

This doesn't change the above analysis, but noting it here to accompany the attached patch.

Comment 13 Tomas Mraz 2016-12-08 17:27:07 UTC
I think it is much better to modify Mangle() so it does not ever overflow the original buffer size.


Note You need to log in before you can comment on or make changes to this bug.