[openstack-keystone/f16] Extremely long passwords can crash Keystone
Pádraig Brady
pbrady at fedoraproject.org
Tue Mar 27 14:22:20 UTC 2012
commit 175fb1aef0986b6c4f26fcbe48c51e7886a5ac0b
Author: Alan Pevec <apevec at redhat.com>
Date: Tue Mar 27 01:12:30 2012 +0200
Extremely long passwords can crash Keystone
CVE-2012-1572
large_password_crash.patch | 84 ++++++++++++++++++++++++++++++++++++++++++++
openstack-keystone.spec | 9 ++++-
2 files changed, 92 insertions(+), 1 deletions(-)
---
diff --git a/large_password_crash.patch b/large_password_crash.patch
new file mode 100644
index 0000000..cbeb76f
--- /dev/null
+++ b/large_password_crash.patch
@@ -0,0 +1,84 @@
+diff --git a/AUTHORS b/AUTHORS
+index cad5c2b..84027e5 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -3,7 +3,7 @@ Alex Silva <alex.silva at M1BPAGY.(none)>
+ Anne Gentle <anne at openstack.org>
+ Anthony Young <sleepsonthefloor at gmail.com>
+ Brian Lamar <brian.lamar at gmail.com>
+-Dan Prince <dan.prince at rackspace.com>
++Dan Prince <dprince at redhat.com>
+ Dolph Mathews <dolph.mathews at gmail.com>
+ gholt <gholt at brim.net>
+ jabdul <abdulkader.j at hcl.com>
+diff --git a/keystone/backends/backendutils.py b/keystone/backends/backendutils.py
+index 02970b3..54dd496 100644
+--- a/keystone/backends/backendutils.py
++++ b/keystone/backends/backendutils.py
+@@ -2,6 +2,8 @@ from keystone.backends import models
+ import keystone.backends as backends
+ from passlib.hash import sha512_crypt as sc
+
++MAX_PASSWORD_LENGTH = 4096
++
+
+ def __get_hashed_password(password):
+ if password != None and len(password) > 0:
+@@ -28,6 +30,8 @@ def check_password(raw_password, enc_password):
+ if not raw_password:
+ return False
+ if backends.SHOULD_HASH_PASSWORD:
++ if len(raw_password) > MAX_PASSWORD_LENGTH:
++ raw_password = raw_password[:MAX_PASSWORD_LENGTH]
+ return sc.verify(raw_password, enc_password)
+ else:
+ return enc_password == raw_password
+@@ -39,6 +43,8 @@ def __make_password(raw_password):
+ """
+ if raw_password is None:
+ return None
++ if len(raw_password) > MAX_PASSWORD_LENGTH:
++ raw_password = raw_password[:MAX_PASSWORD_LENGTH]
+ hsh = __get_hexdigest(raw_password)
+ return '%s' % (hsh)
+
+diff --git a/keystone/test/unit/test_backendutils.py b/keystone/test/unit/test_backendutils.py
+new file mode 100644
+index 0000000..c90a47f
+--- /dev/null
++++ b/keystone/test/unit/test_backendutils.py
+@@ -0,0 +1,33 @@
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++# Copyright (c) 2010-2011 OpenStack, LLC.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++# implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++
++import unittest2 as unittest
++import keystone.backends.backendutils as backendutils
++import keystone.backends as backends
++
++
++class BackendUtilsTest(unittest.TestCase):
++
++ def setUp(self):
++ backends.SHOULD_HASH_PASSWORD = True
++
++ def test_check_long_password(self):
++ bigboy = '0' * 9999999
++ values = {'password': bigboy}
++ backendutils.set_hashed_password(values)
++ hashed_pw = values['password']
++ self.assertTrue(backendutils.check_password(bigboy, hashed_pw))
+
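Review bot: The cap added to check_password and __make_password silently truncates rather than rejecting, so any two passwords that agree in their first 4096 characters verify against the same hash; if that trade-off is intended it should be stated next to the constant, e.g. `# Input beyond this length is dropped before hashing: sha512_crypt over an unbounded string is CPU-bound (CVE-2012-1572); the tail does not become part of the credential.` The same slice is duplicated in both functions, and in check_password it only guards the `backends.SHOULD_HASH_PASSWORD` branch, so a single helper such as `def _truncate_password(raw_password): return raw_password[:MAX_PASSWORD_LENGTH]` called from both places would keep the two limits from drifting apart. Whether the `__get_hashed_password` path visible at the top of the hunk also bounds its input cannot be seen here, since only its first lines are in the context. The AUTHORS hunk inside the embedded patch is unrelated to the fix and could be dropped to keep the security backport minimal.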
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 6ad88f8..7784f0a 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -9,7 +9,7 @@
Name: openstack-keystone
Version: 2011.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: OpenStack Identity Service
License: ASL 2.0
@@ -18,6 +18,9 @@ Source0: http://keystone.openstack.org/tarballs/keystone-%{version}%{snap
Source1: openstack-keystone.logrotate
Source2: openstack-keystone.service
+# CVE-2012-1572
+Patch1: large_password_crash.patch
+
BuildArch: noarch
BuildRequires: python2-devel
BuildRequires: python-sphinx >= 1.0
@@ -61,6 +64,7 @@ Services included are:
%prep
%setup -q -n keystone-%{version}
+%patch1 -p1
# log_file is ignored, use log_dir instead
# https://bugs.launchpad.net/keystone/+bug/844959/comments/3
@@ -156,6 +160,9 @@ fi
%dir %attr(-, keystone, keystone) %{_localstatedir}/log/keystone
%changelog
+* Tue Mar 27 2012 Alan Pevec <apevec at redhat.com> 2011.3.1-3
+- Extremely long passwords can crash Keystone CVE-2012-1572
+
* Thu Nov 24 2011 Alan Pevec <apevec at redhat.com> 2011.3.1-2
- include LICENSE, update package description from README.md