List:       oss-security
Subject:    Re: [oss-security] cracklib: Stack-based buffer overflow when parsing large GECOS field
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2016-08-23 20:04:44
Message-ID: 20160823200444.rcze3xsa6vjxyiws () eldamar ! local

Hi,

On Tue, Aug 16, 2016 at 03:34:54PM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
> 
> A security flaw was reported to us by CSG Labs, details as follows:
> 
> A stack-based overflow was found in the way cracklib, a library used to
> stop users from choosing easy-to-guess passwords, handled a large GECOS
> field in the /etc/passwd file. When an application compiled against the
> cracklib library, such as "passwd", is used to parse the GECOS field, it
> could cause the application to crash or execute arbitrary code with the
> permissions of the user running such an application.
> 
> To trigger the flaw, you need a specially-crafted "long" GECOS field,
> which can be done by a local user on the system. The attacker then needs
> to run some utility which uses cracklib to process this long GECOS field
> on the system (such as the "passwd" application, which runs suid root).
> 
> All versions of the cracklib library shipped with Red Hat Enterprise
> Linux are compiled with FORTIFY_SOURCE, which detects the
> buffer-overflow and aborts the application safely.
> 
> Therefore the maximum impact of this flaw is application crash.
> 
> However, there may be other applications or distributions which don't
> compile cracklib with FORTIFY_SOURCE, and this can lead to easy code
> exec or even privesc.
> 
> A proposed patch is available at:
> https://bugzilla.redhat.com/attachment.cgi?id=1188599
> 
> This flaw was assigned CVE-2016-6318 and it was previously disclosed via
> linux-distros mailing list.

In the SuSE Bugzilla, it was noted that there is still another buffer
overflow present, cf. 

https://bugzilla.novell.com/show_bug.cgi?id=992966#c14

and the patch

https://build.opensuse.org/request/show/419768

> - Add patch 0004-overflow-processing-long-words.patch
>  to fix a new buffer overflow identified together with bsc#992966.
[...]
> The input word is guaranteed to be at most STRINGSIZE-1 in length.
> One of the mangle operations involves duplicating the input word,
> resulting in a string twice the length to be accommodated by both
> area variables.

https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch

was applied.

Should that possibly get a further CVE id for reference?

Regards,
Salvatore
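For reference, an added example (not cracklib's code and not the patch linked above): a bounds-checked version of the "duplicate the word" mangle step the OBS request describes, written against the destination buffer rather than the input guarantee. STRINGSIZE is assumed to be 1024 here; the thread names only the symbol.

```c
#include <stdio.h>
#include <string.h>

#define STRINGSIZE 1024   /* assumed value; the thread names only the symbol */

/* Duplicate word into out (e.g. "abc" -> "abcabc"), refusing to write
 * if 2*len + 1 bytes (including the NUL) would not fit in outsz.
 * Returns 0 on success, -1 if rejected; out is untouched when rejected. */
int mangle_dup(char *out, size_t outsz, const char *word)
{
    size_t len = strlen(word);

    /* The caller's guarantee len <= STRINGSIZE-1 does not bound the
     * doubled result: compare against the destination, not the input. */
    if (outsz == 0 || len > (outsz - 1) / 2)
        return -1;
    memcpy(out, word, len);
    memcpy(out + len, word, len);
    out[2 * len] = '\0';
    return 0;
}

/* Longest word the duplicate step can hold in a STRINGSIZE area. */
size_t max_safe_dup_len(void)
{
    return (STRINGSIZE - 1) / 2;
}

/* Constructed input: a word of exactly STRINGSIZE-1 'a's, the longest
 * the text says the input can be. Returns 1 if it is rejected. */
int long_word_is_rejected(void)
{
    char area[STRINGSIZE], word[STRINGSIZE];
    memset(word, 'a', STRINGSIZE - 1);
    word[STRINGSIZE - 1] = '\0';
    return mangle_dup(area, sizeof area, word) == -1;
}

/* Normal case: a short word is doubled correctly. Returns 1 on success. */
int short_word_is_doubled(void)
{
    char area[STRINGSIZE];
    return mangle_dup(area, sizeof area, "abc") == 0
        && strcmp(area, "abcabc") == 0;
}

int main(void)
{
    printf("STRINGSIZE-1 word rejected: %d\n", long_word_is_rejected());
    printf("short word doubled: %d\n", short_word_is_doubled());
    printf("longest safe input: %zu chars\n", max_safe_dup_len());
    return 0;
}
```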