Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 05 Jul 2013 18:25:03 +0000
From: "mancha" <mancha1@...h.com>
To: oss-security@...ts.openwall.com
Subject: NULL pointer dereferences; multiple issues

At the suggestion of Marcus Meissner from OpenSUSE, I am posting
here.

---
Background:
Beginning with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
(w/ NULL return) if the salt violates specifications. Additionally,
on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords
passed to crypt() fail with EPERM (w/ NULL return).
---

A project of mine, which began with helping the Slackware Linux team
patch their Shadow tools suite to properly handle possible NULL
returns from glibc 2.17+ crypt(), has since evolved into a larger
project where I have been working with developers to introduce
needed protections to prevent crypt() NULL pointer dereference
situations. So far the list includes: cvs, gdm, KDE/kdm,
KDE/kcheckpass, shadow-tools, slim, tcsh, Xorg/xdm, and yp-tools.

My policy has been to make public my fixes once upstream
developers had a chance to commit fixes. The only exceptions
are: cvs (inactive project), shadow-tools (Christian Perrier let
me know Shadow-tools development is temporarily halted), and
yp-tools (I have been repeatedly unable to contact Thorsten Kukuk).
The gdm 2.20.11 fix was not shared with Gnome because gdm, as of
2.21, no longer supports non-PAM authentication.

The security implications of these issues vary in nature and
severity. So far, only xdm has an associated CVE: CVE-2013-2179.

My progress is being documented in Slackware's de facto bug &
discussion forum (linuxquestions.org). You can view thread here: 
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-
current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/

Finally, I am placing patch files along with a signed digest file
in a sourceforge project:
https://sourceforge.net/projects/miscellaneouspa/files/glibc217/

Cheers,

--mancha

P.S. I was not involved with the fixes for screen, ppp, dropbear,
and popa3d. I documented the upstream fixes, however, for
Slackware's benefit.

==
PGP Key ID: 0xB5ABF4FFF7048E92
Key fingerprint = 7F1F E9BF 77CF 15AC 8F6B  C934 B5AB F4FF F704 8E92
==

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.