OSSA-2012-002: Extremely long passwords can crash Keystone

OSSA-2012-002: Extremely long passwords can crash Keystone¶

Date:: March 27, 2012
CVE:: CVE-2012-1572

Affects¶

Keystone: All versions

Description¶

Dan Prince reported a vulnerability in Keystone. He discovered that you can remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonablelimit on password length (4 kB).

Patches¶

https://review.openstack.org/#/c/5865 (Diablo)
https://review.openstack.org/#/c/5507 (Essex)

Credits¶

Dan Prince from Red Hat (CVE-2012-1572)

References¶

https://launchpad.net/bugs/957359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1572

this page last updated: 2022-06-02 16:08:24

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.