oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

NULL pointer dereferences; multiple issues

From: "mancha" <mancha1 () hush com>
Date: Fri, 05 Jul 2013 18:25:03 +0000
At the suggestion of Marcus Meissner from OpenSUSE, I am posting
here.

---
Background:
Beginning with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
(w/ NULL return) if the salt violates specifications. Additionally,
on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords
passed to crypt() fail with EPERM (w/ NULL return).
---

A project of mine, which began with helping the Slackware Linux team
patch their Shadow tools suite to properly handle possible NULL
returns from glibc 2.17+ crypt(), has since evolved into a larger
project where I have been working with developers to introduce
needed protections to prevent crypt() NULL pointer dereference
situations. So far the list includes: cvs, gdm, KDE/kdm,
KDE/kcheckpass, shadow-tools, slim, tcsh, Xorg/xdm, and yp-tools.

My policy has been to make public my fixes once upstream
developers had a chance to commit fixes. The only exceptions
are: cvs (inactive project), shadow-tools (Christian Perrier let
me know Shadow-tools development is temporarily halted), and
yp-tools (I have been repeatedly unable to contact Thorsten Kukuk).
The gdm 2.20.11 fix was not shared with Gnome because gdm, as of
2.21, no longer supports non-PAM authentication.

The security implications of these issues vary in nature and
severity. So far, only xdm has an associated CVE: CVE-2013-2179.

My progress is being documented in Slackware's de facto bug &
discussion forum (linuxquestions.org). You can view thread here: 
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-
current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/

Finally, I am placing patch files along with a signed digest file
in a sourceforge project:
https://sourceforge.net/projects/miscellaneouspa/files/glibc217/

Cheers,

--mancha

P.S. I was not involved with the fixes for screen, ppp, dropbear,
and popa3d. I documented the upstream fixes, however, for
Slackware's benefit.

==
PGP Key ID: 0xB5ABF4FFF7048E92
Key fingerprint = 7F1F E9BF 77CF 15AC 8F6B  C934 B5AB F4FF F704 8E92
==
Previous By Date Next
Previous By Thread Next

Current thread: