Message-ID: <87oasj4raq.fsf@hope.eyrie.org>
Date: Thu, 06 Nov 2014 19:34:37 -0800
From: Russ Allbery <eagle@...ie.org>
To: Andreas Barth <aba@...us.org>
Cc: oss-security@...ts.openwall.com, 742140@...s.debian.org
Subject: Re: Re: Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded

Andreas Barth <aba@...us.org> writes:

> we have the following debian bug report about a security issue in
> libpam-oath (source oath-toolkit, upstream web page
> http://www.nongnu.org/oath-toolkit/ ).

> What is the appropriate process to get a CVE number on it? This issue
> is already public, as it is documented in the debian bug tracking
> system.

Is not checking memory allocations for failure in this fashion considered
CVE-worthy?

I'm probably missing something, but this seems difficult to exploit: the
first strdup is only trying to allocate a byte of memory, and the second
will not allocate more than MAX_OTP_LEN memory due to an earlier check.
This means the attacker would have to have essentially exhausted system
memory already to force strdup to return NULL.

And, even if that happens, strdup returns NULL, which leads immediately to
a NULL pointer dereference and presumably a process crash. But to create
this situation, the attacker has to nearly exhaust all process memory, and
could just go a step farther and exhaust all memory, which would almost
certainly result in a process crash anyway, or an OOM kill.

Am I overlooking something?

-- 
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>
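An added illustration, not libpam-oath's own code: a bounded copy that rejects over-long input before allocating and returns an error instead of dereferencing a NULL strdup result, which is the defect class the bug report describes. The value of MAX_OTP_LEN, the otp_strdup wrapper and the fail_next_alloc hook are assumptions made here so the allocation-failure path can be exercised without exhausting memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_OTP_LEN 64   /* assumed bound for this illustration; not the module's real value */
static int fail_next_alloc;   /* hypothetical hook: lets a test trigger the ENOMEM path */
static char *otp_strdup(const char *s)
{
    if (!fail_next_alloc) return strdup(s);
    fail_next_alloc = 0; errno = ENOMEM;   /* simulate strdup failing under memory pressure */
    return NULL;
}
/* Hardened copy: bound the length before allocating, then check the allocation.
 * Returns 0 and sets *out on success; -1 with *out == NULL on bad input or ENOMEM.
 * The unchecked form from the report would use strdup(otp) directly and crash on NULL. */
int copy_otp_checked(const char *otp, char **out)
{
    *out = NULL;
    if (otp == NULL) return -1;
    size_t len = strnlen(otp, MAX_OTP_LEN + 1);
    if (len == 0 || len > MAX_OTP_LEN)
        return -1;            /* reject over-long input before any allocation */
    *out = otp_strdup(otp);
    if (*out == NULL)
        return -1;            /* allocation failed: report an error, never dereference */
    return 0;
}
/* Drivers exercising each path; each returns 1 on the expected outcome, 0 otherwise. */
int demo_ok(void)
{
    char *p;
    int good = copy_otp_checked("123456", &p) == 0 && strcmp(p, "123456") == 0;
    free(p);
    return good;
}
int demo_alloc_failure(void)
{
    char *p;
    fail_next_alloc = 1;      /* next allocation returns NULL, as under memory exhaustion */
    return copy_otp_checked("123456", &p) == -1 && p == NULL;
}
int demo_too_long(void)
{
    char big[MAX_OTP_LEN + 2], *p;   /* 65 characters of '1' plus terminator */
    memset(big, '1', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_otp_checked(big, &p) == -1 && p == NULL;
}
```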