passlib segfaults when keystone is sent a large password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Russell Bryant | 2012.1
Bug Description
Using the latest keystone Essex builds (KSL).
I can segfault keystone by sending in a large value for password in the following request to http://
{"auth"
The issue appears to stem from code in common/utils.py where we UTF8 encode the raw password string and then try to verify the hash via passlib.
--------
import passlib.hash


def check_password(password, hashed):
    """Check that a plaintext password matches hashed.

    hashpw returns the salt value concatenated with the actual hash value.
    It extracts the actual salt if this value is then passed as the salt.
    """
    if password is None:
        return False
    # Encode the raw password to UTF-8 and hand it straight to passlib:
    # nothing bounds its length before it reaches the hashing code, which is
    # what lets a multi-megabyte password reach the crashing path.
    password_utf8 = password.encode('utf-8')
    val = passlib.hash.sha512_crypt.verify(password_utf8, hashed)
    return val
--------
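As an added illustration (not code from this bug report or from keystone itself), the following is a check_password that enforces a byte-length ceiling before any hashing work is done, so an over-long password is refused instead of being handed to the hashing library. passlib is replaced with hashlib.pbkdf2_hmac purely so the example runs on a stock Python install; MAX_PASSWORD_LENGTH = 4096, the PasswordTooLong exception and the hash-string layout are all choices made for this example.

```python
import hashlib
import hmac
import os

# Example ceiling, chosen for this illustration (not a value from the bug report).
# Measured in bytes after UTF-8 encoding, since that is what the hash sees.
MAX_PASSWORD_LENGTH = 4096


class PasswordTooLong(ValueError):
    """Raised when an encoded password exceeds MAX_PASSWORD_LENGTH bytes."""


def bounded_password_bytes(password):
    """Encode a password to UTF-8 and enforce the byte-length ceiling.

    The check runs on the encoded bytes rather than len(str): a short string
    of multi-byte characters can still expand well past the limit.
    """
    if password is None:
        raise TypeError("password must not be None")
    password_utf8 = password.encode("utf-8")
    if len(password_utf8) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong("password is %d bytes, limit is %d"
                              % (len(password_utf8), MAX_PASSWORD_LENGTH))
    return password_utf8


def password_length_ok(password):
    """True if the password is within the ceiling (None counts as not ok)."""
    try:
        bounded_password_bytes(password)
    except (PasswordTooLong, TypeError):
        return False
    return True


def hash_password(password, rounds=50000):
    """Hash with PBKDF2-HMAC-SHA512 (stand-in for passlib's sha512_crypt).

    Raises PasswordTooLong rather than hashing an over-long value, so the
    same ceiling applies when a password is first stored.
    """
    password_utf8 = bounded_password_bytes(password)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password_utf8, salt, rounds)
    return "pbkdf2_sha512$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def check_password(password, hashed):
    """Verify a plaintext password against a stored hash.

    Returns False for None, over-long input, malformed hashes and wrong
    passwords. The length check happens *before* any hashing, so a huge
    password can neither reach the hashing library nor burn CPU.
    """
    if password is None:
        return False
    try:
        password_utf8 = bounded_password_bytes(password)
    except PasswordTooLong:
        return False
    try:
        scheme, rounds, salt_hex, digest_hex = hashed.split("$")
        if scheme != "pbkdf2_sha512":
            return False
        candidate = hashlib.pbkdf2_hmac("sha512", password_utf8,
                                        bytes.fromhex(salt_hex), int(rounds))
    except (ValueError, AttributeError):
        # Wrong field count, bad hex, non-integer rounds, or hashed is not a str.
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

Rejecting rather than silently truncating keeps the stored hash and the verified value in agreement: if hash_password and check_password applied different rules, a password cut at the ceiling on one side but not the other would fail to verify. Whatever ceiling is chosen, the same helper must gate both paths.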
Sample Ruby script to reproduce the issue:

require 'rubygems'
require 'openstack/compute'

# Credentials and endpoint for the test deployment (values omitted in the original report).
USERNAME = '<username>'
API_KEY  = '<api key>'
API_URL  = '<keystone auth url>'

# A ~10 MB password is the trigger.
bigboy = "0" * 9999999

# The openstack-compute gem sends :api_key as the password in its keystone
# auth request, so bigboy is passed in place of API_KEY. This line is cut off
# in the original report; the call is reconstructed from the gem's documented
# Connection.new keyword arguments.
conn = OpenStack::Compute::Connection.new(:username => USERNAME,
                                          :api_key  => bigboy,
                                          :auth_url => API_URL)
Changed in keystone:
  status: In Progress → Fix Committed
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: none → 2012.1
The root cause appears to be a bug in passlib. We should write a simple reproducer and report it upstream.
We should still work around the bug in keystone, obviously. Since this version of keystone hasn't been "released" yet, I don't think we need to go through the information embargo and security advisory on this. Thoughts?
Also, is this function used anywhere else in OpenStack that may also need a workaround put in place?