oss-sec mailing list archives
NULL pointer dereferences; multiple issues
From: "mancha" <mancha1 () hush com>
Date: Fri, 05 Jul 2013 18:25:03 +0000
At the suggestion of Marcus Meissner from OpenSUSE, I am posting here.

---

Background: Beginning with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to crypt() fail with EPERM (w/ NULL return).

---

A project of mine, which began with helping the Slackware Linux team patch their Shadow tools suite to properly handle possible NULL returns from glibc 2.17+ crypt(), has since evolved into a larger project where I have been working with developers to introduce needed protections to prevent crypt() NULL pointer dereference situations.

So far the list includes: cvs, gdm, KDE/kdm, KDE/kcheckpass, shadow-tools, slim, tcsh, Xorg/xdm, and yp-tools.

My policy has been to make public my fixes once upstream developers had a chance to commit fixes. The only exceptions are: cvs (inactive project), shadow-tools (Christian Perrier let me know Shadow-tools development is temporarily halted), and yp-tools (I have been repeatedly unable to contact Thorsten Kukuk). The gdm 2.20.11 fix was not shared with Gnome because gdm, as of 2.21, no longer supports non-PAM authentication.

The security implications of these issues vary in nature and severity. So far, only xdm has an associated CVE: CVE-2013-2179.

My progress is being documented in Slackware's de facto bug & discussion forum (linuxquestions.org). You can view the thread here: https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/

Finally, I am placing patch files along with a signed digest file in a sourceforge project: https://sourceforge.net/projects/miscellaneouspa/files/glibc217/

Cheers,
--mancha

P.S. I was not involved with the fixes for screen, ppp, dropbear, and popa3d. I documented the upstream fixes, however, for Slackware's benefit.
== PGP Key ID: 0xB5ABF4FFF7048E92 Key fingerprint = 7F1F E9BF 77CF 15AC 8F6B C934 B5AB F4FF F704 8E92 ==
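The defect the post describes, shown as an added example that is not part of the original message or of any of the patched projects: an unchecked `strcmp(crypt(...), stored)` beside a NULL-safe version. `fake_crypt` is a constructed stand-in that reproduces only the glibc 2.17 failure mode (malformed salt, such as a locked "!" or "*" shadow entry, yields NULL with errno set to EINVAL) and does no real hashing; `check_unsafe`, `check_safe` and `stored_entry` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt() from <crypt.h>, so real crypt (link with
 * -lcrypt) or the stand-in below can be passed interchangeably. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Salt alphabet glibc accepts for traditional salts: [a-zA-Z0-9./]. */
static int salt_char_ok(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Constructed stand-in for glibc 2.17+ crypt(): no hashing, it only models
 * the documented failure mode. A "$id$" modular salt is accepted; otherwise
 * the first two characters must be in the salt alphabet, or crypt() fails
 * with NULL and errno = EINVAL (e.g. for a locked "!" or "*" entry). */
static char *fake_crypt(const char *key, const char *salt) {
    static char out[128];
    if (salt[0] != '$' &&
        (strlen(salt) < 2 || !salt_char_ok(salt[0]) || !salt_char_ok(salt[1]))) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.2sNOTAHASH(%s)", salt, key); /* placeholder */
    return out;
}

/* Vulnerable pattern found in the affected tools: with glibc 2.17+ a bad
 * salt makes cf() return NULL, which strcmp() dereferences. Shown only to
 * illustrate the bug; never call it. */
static int check_unsafe(crypt_fn cf, const char *pw, const char *stored) {
    return strcmp(cf(pw, stored), stored) == 0;   /* NULL pointer dereference */
}

/* Hardened pattern: 1 on match, 0 on mismatch, -1 when crypt() failed
 * (errno holds EINVAL for a bad salt, or EPERM for DES/MD5 under FIPS).
 * Callers must treat -1 as a failed login, never as a match. */
static int check_safe(crypt_fn cf, const char *pw, const char *stored) {
    const char *h = cf(pw, stored);
    if (h == NULL)
        return -1;
    return strcmp(h, stored) == 0 ? 1 : 0;
}

/* Builds a stored entry the way a password-setting tool would (copied out
 * of crypt()'s static buffer); NULL if the salt was rejected. */
static const char *stored_entry(const char *pw, const char *salt) {
    static char buf[128];
    const char *h = fake_crypt(pw, salt);
    if (h == NULL)
        return NULL;
    snprintf(buf, sizeof buf, "%s", h);
    return buf;
}
```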