List: oss-security
Subject: Re: [oss-security] cracklib: Stack-based buffer overflow when parsing large GECOS field
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2016-08-23 20:04:44
Message-ID: 20160823200444.rcze3xsa6vjxyiws () eldamar ! local
Hi,
On Tue, Aug 16, 2016 at 03:34:54PM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> A security flaw was reported to us by CSG Labs, details as follows:
>
> A stack-based overflow was found in the way cracklib, a library used to
> stop users from choosing easy to guess passwords, handled a large GECOS
> field in the /etc/passwd file. When an application compiled against the
> cracklib library, such as "passwd", is used to parse the GECOS field, it
> could cause the application to crash or execute arbitrary code with the
> permissions of the user running such an application.
>
> To trigger the flaw, you need a specially-crafted "long" GECOS field,
> which can be done by a local user on the system. The attacker then needs
> to run some utility which uses cracklib to process this long GECOS field
> on the system (such as the "passwd" application, which runs suid root).
>
> All versions of the cracklib library shipped with Red Hat Enterprise
> Linux are compiled with FORTIFY_SOURCE, which detects the
> buffer-overflow and aborts the application safely.
>
> Therefore the maximum impact of this flaw is application crash.
>
> However, there may be other applications or distributions which don't
> compile cracklib with FORTIFY_SOURCE, and this can lead to easy code
> exec or even privesc.
>
> A proposed patch is available at:
> https://bugzilla.redhat.com/attachment.cgi?id=1188599
>
> This flaw was assigned CVE-2016-6318 and it was previously disclosed via
> linux-distros mailing list.
In the SuSE Bugzilla, it was noted that there is still another buffer
overflow present, cf.
https://bugzilla.novell.com/show_bug.cgi?id=992966#c14
and the patch
https://build.opensuse.org/request/show/419768
> - Add patch 0004-overflow-processing-long-words.patch
> to fix a new buffer overflow identified together with bsc#992966.
[...]
> The input word is guaranteed to be at most STRINGSIZE-1 in length.
> One of the mangle operations involves duplicating the input word,
> resulting in a string twice the length to be accommodated by both
> area variables.
https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
was applied.
Should that possibly get a further CVE id for reference?
Regards,
Salvatore
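As an added illustration of the length arithmetic in the quoted patch description (this is not cracklib's code; the value of STRINGSIZE and the buffer names are assumptions), a duplicate-mangle that refuses any word whose doubled form would not fit its area:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define STRINGSIZE 1024   /* assumed area size; cracklib's real value may differ */

/* Hardened "duplicate the word" mangle. The thread notes the input is at most
 * STRINGSIZE-1 bytes, so word+word needs up to 2*(STRINGSIZE-1)+1 bytes and an
 * unchecked copy into a STRINGSIZE-byte area overruns. Here the result is
 * written only when it fits; returns 1 on success, 0 when it would not fit. */
static int mangle_duplicate(const char *word, char *area, size_t area_len)
{
    size_t n = strlen(word);
    /* (area_len - 1) / 2 is the longest word whose duplicate plus NUL fits;
     * comparing this way avoids overflow in 2*n+1 for huge n. */
    if (area_len == 0 || n > (area_len - 1) / 2)
        return 0;
    memcpy(area, word, n);
    memcpy(area + n, word, n);
    area[2 * n] = '\0';
    return 1;
}

/* Largest input length whose duplicate fits an area of area_len bytes. */
static size_t max_duplicable_len(size_t area_len)
{
    return area_len ? (area_len - 1) / 2 : 0;
}

/* Constructed input: a word of 'len' bytes of 'a' (len < STRINGSIZE), mangled
 * into a STRINGSIZE-byte area. Returns the mangle's verdict, -1 if len is invalid. */
static int try_duplicate_len(size_t len)
{
    char word[STRINGSIZE], area[STRINGSIZE];
    if (len >= STRINGSIZE)
        return -1;
    memset(word, 'a', len);
    word[len] = '\0';
    return mangle_duplicate(word, area, sizeof area);
}

/* Returns 1 when the mangle accepts 'word' and produces exactly 'expected'. */
static int duplicate_matches(const char *word, const char *expected)
{
    char area[STRINGSIZE];
    return mangle_duplicate(word, area, sizeof area) == 1 && strcmp(area, expected) == 0;
}

int main(void)
{
    printf("3 bytes: %d, 511 bytes: %d, 512 bytes: %d, STRINGSIZE-1 bytes: %d\n",
           try_duplicate_len(3), try_duplicate_len(511), try_duplicate_len(512),
           try_duplicate_len(STRINGSIZE - 1));
    return 0;
}
```

With a 1024-byte area, words up to 511 bytes are doubled in place and anything longer, including the STRINGSIZE-1 maximum the thread mentions, is rejected instead of overrunning the area.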