oss-sec mailing list archives
Re: Re: Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded
From: Russ Allbery <eagle () eyrie org>
Date: Thu, 06 Nov 2014 19:34:37 -0800
Andreas Barth <aba () ayous org> writes:
> we have the following Debian bug report about a security issue in libpam-oath (source oath-toolkit, upstream web page http://www.nongnu.org/oath-toolkit/ ).
> What is the appropriate process to get a CVE number on it? This issue is already public, as it is documented in the Debian bug tracking system.
Is not checking memory allocations for failure in this fashion considered CVE-worthy? I'm probably missing something, but this seems difficult to exploit: the first strdup is only trying to allocate a byte of memory, and the second will not allocate more than MAX_OTP_LEN memory due to an earlier check. This means the attacker would have to have essentially exhausted system memory already to force strdup to return NULL.

And, even if that happens, strdup returns NULL, which leads immediately to a NULL pointer dereference and presumably a process crash. But to create this situation, the attacker has to nearly exhaust all process memory, and could just go a step farther and exhaust all memory, which would almost certainly result in a process crash anyway, or an OOM kill.

Am I overlooking something?

-- 
Russ Allbery (eagle () eyrie org) <http://www.eyrie.org/~eagle/>
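
The failure mode discussed in this thread, as an added example (not code from oath-toolkit or from either poster): a strdup-style copy whose allocator can be forced to fail, with the result checked so the caller gets an error code instead of a NULL pointer dereference. `copy_otp`, `dup_with`, `failing_alloc`, the status enum and the value of `MAX_OTP_LEN` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OTP_LEN 8   /* assumed value; the thread names the constant only */

enum otp_status { OTP_OK = 0, OTP_TOO_LONG, OTP_NOMEM };

/* Injectable allocator so the out-of-memory path can be exercised. */
typedef void *(*alloc_fn)(size_t);

static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* strdup equivalent built on the injected allocator; NULL on failure. */
static char *dup_with(alloc_fn alloc, const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = alloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/*
 * Hypothetical helper: copy a user-supplied OTP into *out.
 * The length is bounded first, then the copy is checked before any use.
 * A PAM module would map OTP_NOMEM to PAM_BUF_ERR and deny the login.
 */
static enum otp_status copy_otp(alloc_fn alloc, const char *input, char **out)
{
    *out = NULL;
    if (input == NULL)
        input = "";                      /* the one-byte allocation case */
    if (strlen(input) > MAX_OTP_LEN)
        return OTP_TOO_LONG;
    char *copy = dup_with(alloc, input);
    if (copy == NULL)
        return OTP_NOMEM;                /* unchecked code would dereference NULL later */
    *out = copy;
    return OTP_OK;
}

int main(void)
{
    char *otp;
    printf("normal: %d\n", copy_otp(malloc, "123456", &otp));
    free(otp);
    printf("alloc failure: %d\n", copy_otp(failing_alloc, "123456", &otp));
    return 0;
}
```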