A stack-based overflow was found in the way cracklib, a library used to stop users from choosing easy-to-guess passwords, handled a large GECOS field in the /etc/passwd file. When an application compiled against the cracklib library, such as "passwd", is used to parse the GECOS field, it could cause the application to crash or execute arbitrary code with the permissions of the user running such an application.
Created attachment 1188599
The buffer overflow problem is present in RHEL-5 and RHEL-6 too; however, there the overflow will be in static data, not on the stack, I believe, so it might not crash there as easily.
The move of some buffers from static data to the stack is not upstream, so the upstream situation is the same as RHEL-5 and RHEL-6.
To trigger the flaw, you need a specially crafted "long" GECOS field, which can be done by a local user on the system (a user can change only his own GECOS). The attacker then needs to run some utility which uses cracklib to process this long GECOS field on the system (such as the "passwd" application, which runs suid root).
All versions of the cracklib library shipped with Red Hat Enterprise Linux are compiled with FORTIFY_SOURCE, which detects the buffer overflow and aborts the application safely.
Therefore the maximum impact of this flaw is an application crash.
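The bounded handling that avoids the crash described above, as an added example in C that is not cracklib's own code: the raw GECOS value is copied into a fixed stack buffer with snprintf (truncating instead of overflowing) and split into fixed-size word slots that skip tokens which would not fit. The buffer sizes, function names and the sample GECOS values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Sizes assumed for this illustration, not cracklib's real constants. */
#define GECOS_MAX 1024
#define WORD_MAX    64
#define WORDS_MAX   16
/* Split a GECOS field into words on spaces and commas. A token that would
 * not fit its WORD_MAX slot is skipped, never written past the slot's end. */
size_t gecos_split_words(const char *gecos, char words[][WORD_MAX],
                         size_t max_words)
{
    size_t count = 0;
    const char *p = gecos;
    while (count < max_words) {
        while (*p == ' ' || *p == ',') p++;        /* skip separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != ',') p++;
        size_t len = (size_t)(p - start);
        if (len < WORD_MAX) {                      /* bounded copy */
            memcpy(words[count], start, len);
            words[count][len] = '\0';
            count++;
        }
    }
    return count;
}
/* Copy a raw GECOS value into a fixed stack buffer with snprintf (truncates,
 * never overflows), then split it. Returns the word count; *truncated, if
 * non-NULL, reports whether the field had to be cut. */
size_t gecos_process(const char *raw, int *truncated)
{
    char buf[GECOS_MAX];
    char words[WORDS_MAX][WORD_MAX];
    int n = snprintf(buf, sizeof buf, "%s", raw);
    if (truncated)
        *truncated = n < 0 || (size_t)n >= sizeof buf;
    return gecos_split_words(buf, words, WORDS_MAX);
}
/* Constructed 3000-byte GECOS standing in for a hostile /etc/passwd entry;
 * returns 1 when it was truncated rather than overflowing buf. */
int demo_long_gecos(void)
{
    char big[3001];
    int t;
    memset(big, 'A', 3000);
    big[3000] = '\0';
    gecos_process(big, &t);
    return t;
}
```

FORTIFY_SOURCE only turns an overflow that does happen into an abort; bounded copies mean the oversized field never reaches that point, so the suid utility keeps running.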
(In reply to Tomas Mraz from comment #3)
> The buffer overflow problem is present in RHEL-5 and RHEL-6 too however
> there the overflow will be in static data not on stack I believe so it might
> not crash there as easily.
My testing says otherwise. Both on rhel-5 and rhel-6, the library is compiled with FORTIFY_SOURCE, which crashes the binary (passwd in my case) when there is a buffer overflow.
Hmm, you're right. This kind of overflow should always be detectable by FORTIFY_SOURCE. So the impact is low (if there is a service that could be DoSed by it) or almost none if cracklib is compiled with it. I do not currently know of a service that would be DoSed by a crash in pam_chauthtok, though.
Name: CSG Labs
Created cracklib tracking bugs for this issue:
Affects: fedora-all [bug 1367380]
There is a further patch augmenting this one at OpenSUSE:
External tracker discussion:
This doesn't change the above analysis, but noting it here to accompany the attached patch.
I think it is much better to modify Mangle() so it does not ever overflow the original buffer size.