Comment 19 for bug 957359

The report to glibc was deemed to not be a security issue, so we can proceed. Here is a proposed vulnerability description:

Title: Extremely long passwords can crash Keystone
Impact: High
Reporter: Dan Prince <email address hidden>
Products: Keystone
Affects: All versions

Description:
Dan Prince reported a vulnerability in Keystone. He discovered that you can remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB).