OpenStack Security Advisory: 2012-002
CVE: CVE-2012-1572
Date: March 27, 2012
Title: Extremely long passwords can crash Keystone
Impact: High
Reporter: Dan Prince <dpri...@redhat.com>
Products: Keystone
Affects: All versions

Description:
Dan Prince reported a vulnerability in Keystone. He discovered that you can
remotely trigger a crash in Keystone by sending an extremely long password.
When Keystone is validating the password, glibc allocates space on the stack
for the entire password. If the password is long enough, stack space can be
exhausted, resulting in a crash. This vulnerability is mitigated by a patch
to impose a reasonable limit on password length (4 kB).

Fixes:
Essex: https://github.com/openstack/keystone/commit/239e4f64c2134338b32ffd6d42c0b6ff70cd040c
2011.3: https://github.com/dprince/keystone/commit/7b07f870702de5675d4423042e8b018e3fc4b931

Note that the stable/diablo commit is still pending the resolution of some
issues on jenkins. The patch will be identical to the one linked to from
dprince's github repository.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1572
https://bugs.launchpad.net/keystone/+bug/957359

Notes:
This fix will be included in the Essex rc2 development milestone and in a
future Diablo release.

-- 
Russell Bryant
OpenStack Vulnerability Management Team
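The mitigation the advisory describes, a hard upper bound on password length enforced before any hashing work starts, shown as an added example that is not Keystone's own code. It assumes a 4096-byte limit matching the advisory's 4 kB figure and uses PBKDF2 as a stand-in for the glibc crypt()-style hash; the limit is applied to UTF-8 bytes, since that is what the hash routine actually copies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Byte limit on submitted passwords. The advisory's fix uses a 4 kB limit;
# 4096 is the assumed value here, not a constant taken from Keystone.
MAX_PASSWORD_LENGTH = 4096
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stand-in hash


class PasswordTooLong(ValueError):
    """Raised when a submitted password exceeds MAX_PASSWORD_LENGTH."""


def check_length(password: str) -> bytes:
    """Encode the password and refuse it before any hashing is attempted."""
    # Check bytes, not characters: a multi-byte string can be short in
    # characters yet far over the byte limit once encoded.
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong(
            f"password is {len(data)} bytes, limit is {MAX_PASSWORD_LENGTH}")
    return data


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Length-check, then hash with PBKDF2-HMAC-SHA256 (stand-in for the
    glibc crypt()-style hash the advisory refers to)."""
    data = check_length(password)
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    """Return True if password matches stored.

    An over-long candidate is reported as a plain mismatch instead of being
    handed to the hash function, which is the point of the mitigation.
    """
    try:
        data = check_length(password)
    except PasswordTooLong:
        return False
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)
```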