Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20130705182503.7C34E600EF@smtp.hushmail.com>
Date: Fri, 05 Jul 2013 18:25:03 +0000
From: "mancha" <mancha1@...h.com>
To: oss-security@...ts.openwall.com
Subject: NULL pointer dereferences; multiple issues

At the suggestion of Marcus Meissner from OpenSUSE, I am posting
here.

---
Background:
Beginning with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
(w/ NULL return) if the salt violates specifications. Additionally,
on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords
passed to crypt() fail with EPERM (w/ NULL return).
---

A project of mine, which began with helping the Slackware Linux team
patch their Shadow tools suite to properly handle possible NULL
returns from glibc 2.17+ crypt(), has since evolved into a larger
project where I have been working with developers to introduce
needed protections to prevent crypt() NULL pointer dereference
situations. So far the list includes: cvs, gdm, KDE/kdm,
KDE/kcheckpass, shadow-tools, slim, tcsh, Xorg/xdm, and yp-tools.

My policy has been to make public my fixes once upstream
developers had a chance to commit fixes. The only exceptions
are: cvs (inactive project), shadow-tools (Christian Perrier let
me know Shadow-tools development is temporarily halted), and
yp-tools (I have been repeatedly unable to contact Thorsten Kukuk).
The gdm 2.20.11 fix was not shared with Gnome because gdm, as of
2.21, no longer supports non-PAM authentication.

The security implications of these issues vary in nature and
severity. So far, only xdm has an associated CVE: CVE-2013-2179.

My progress is being documented in Slackware's de facto bug &
discussion forum (linuxquestions.org). You can view thread here: 
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-
current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/

Finally, I am placing patch files along with a signed digest file
in a sourceforge project:
https://sourceforge.net/projects/miscellaneouspa/files/glibc217/

Cheers,

--mancha

P.S. I was not involved with the fixes for screen, ppp, dropbear,
and popa3d. I documented the upstream fixes, however, for
Slackware's benefit.

==
PGP Key ID: 0xB5ABF4FFF7048E92
Key fingerprint = 7F1F E9BF 77CF 15AC 8F6B  C934 B5AB F4FF F704 8E92
==

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.