[openstack-keystone/f16] Extremely long passwords can crash Keystone

Pádraig Brady pbrady at fedoraproject.org
Tue Mar 27 14:22:20 UTC 2012


commit 175fb1aef0986b6c4f26fcbe48c51e7886a5ac0b
Author: Alan Pevec <apevec at redhat.com>
Date:   Tue Mar 27 01:12:30 2012 +0200

    Extremely long passwords can crash Keystone
    
    CVE-2012-1572

 large_password_crash.patch |   84 ++++++++++++++++++++++++++++++++++++++++++++
 openstack-keystone.spec    |    9 ++++-
 2 files changed, 92 insertions(+), 1 deletions(-)
---
diff --git a/large_password_crash.patch b/large_password_crash.patch
new file mode 100644
index 0000000..cbeb76f
--- /dev/null
+++ b/large_password_crash.patch
@@ -0,0 +1,84 @@
+diff --git a/AUTHORS b/AUTHORS
+index cad5c2b..84027e5 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -3,7 +3,7 @@ Alex Silva <alex.silva at M1BPAGY.(none)>
+ Anne Gentle <anne at openstack.org>
+ Anthony Young <sleepsonthefloor at gmail.com>
+ Brian Lamar <brian.lamar at gmail.com>
+-Dan Prince <dan.prince at rackspace.com>
++Dan Prince <dprince at redhat.com>
+ Dolph Mathews <dolph.mathews at gmail.com>
+ gholt <gholt at brim.net>
+ jabdul <abdulkader.j at hcl.com>
+diff --git a/keystone/backends/backendutils.py b/keystone/backends/backendutils.py
+index 02970b3..54dd496 100644
+--- a/keystone/backends/backendutils.py
++++ b/keystone/backends/backendutils.py
+@@ -2,6 +2,8 @@ from keystone.backends import models
+ import keystone.backends as backends
+ from passlib.hash import sha512_crypt as sc
+ 
++MAX_PASSWORD_LENGTH = 4096
++
+ 
+ def __get_hashed_password(password):
+     if password != None and len(password) > 0:
+@@ -28,6 +30,8 @@ def check_password(raw_password, enc_password):
+     if not raw_password:
+         return False
+     if backends.SHOULD_HASH_PASSWORD:
++        if len(raw_password) > MAX_PASSWORD_LENGTH:
++            raw_password = raw_password[:MAX_PASSWORD_LENGTH]
+         return sc.verify(raw_password, enc_password)
+     else:
+         return enc_password == raw_password
+@@ -39,6 +43,8 @@ def __make_password(raw_password):
+     """
+     if raw_password is None:
+         return None
++    if len(raw_password) > MAX_PASSWORD_LENGTH:
++        raw_password = raw_password[:MAX_PASSWORD_LENGTH]
+     hsh = __get_hexdigest(raw_password)
+     return '%s' % (hsh)
+ 
+diff --git a/keystone/test/unit/test_backendutils.py b/keystone/test/unit/test_backendutils.py
+new file mode 100644
+index 0000000..c90a47f
+--- /dev/null
++++ b/keystone/test/unit/test_backendutils.py
+@@ -0,0 +1,33 @@
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++# Copyright (c) 2010-2011 OpenStack, LLC.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#    http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++# implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++
++import unittest2 as unittest
++import keystone.backends.backendutils as backendutils
++import keystone.backends as backends
++
++
++class BackendUtilsTest(unittest.TestCase):
++
++    def setUp(self):
++        backends.SHOULD_HASH_PASSWORD = True
++
++    def test_check_long_password(self):
++        bigboy = '0' * 9999999
++        values = {'password': bigboy}
++        backendutils.set_hashed_password(values)
++        hashed_pw = values['password']
++        self.assertTrue(backendutils.check_password(bigboy, hashed_pw))
+
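Review bot: Truncating the input at `raw_password[:MAX_PASSWORD_LENGTH]` in both `check_password` and `__make_password` silently substitutes a different secret for the one the user supplied, so any two passwords that share their first 4096 characters verify as equal, and a hash stored before this patch for a longer password would presumably no longer verify because the candidate is now cut before `sc.verify`. Rejecting is clearer and cheaper: in `check_password` use `if len(raw_password) > MAX_PASSWORD_LENGTH: return False` ahead of `sc.verify` so the expensive hash is never computed, and in `__make_password` `raise ValueError('password exceeds MAX_PASSWORD_LENGTH')` so a user is never assigned a password other than the one they set; the unit test at the end of the hunk, which expects a 9,999,999-character password to round-trip, would then assert the rejection instead. sha512_crypt feeds the password into every round, so verification cost still grows with length below the cap and 4096 leaves a noticeable per-request amplification for an unauthenticated caller; a limit closer to a realistic maximum password length (a few hundred characters) would be safer — confirm against what the API documents. `__get_hashed_password` at the top of the hunk is only partly visible and receives no cap in the lines shown; if it also calls into sha512_crypt it needs the same guard. The bound lives only in the backend helpers, so it should additionally be enforced at request validation, before an oversized body has already been parsed and dispatched.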
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 6ad88f8..7784f0a 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -9,7 +9,7 @@
 
 Name:           openstack-keystone
 Version:        2011.3.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        OpenStack Identity Service
 
 License:        ASL 2.0
@@ -18,6 +18,9 @@ Source0:        http://keystone.openstack.org/tarballs/keystone-%{version}%{snap
 Source1:        openstack-keystone.logrotate
 Source2:        openstack-keystone.service
 
+# CVE-2012-1572
+Patch1:         large_password_crash.patch
+
 BuildArch:      noarch
 BuildRequires:  python2-devel
 BuildRequires:  python-sphinx >= 1.0
@@ -61,6 +64,7 @@ Services included are:
 
 %prep
 %setup -q -n keystone-%{version}
+%patch1 -p1
 
 # log_file is ignored, use log_dir instead
 # https://bugs.launchpad.net/keystone/+bug/844959/comments/3
@@ -156,6 +160,9 @@ fi
 %dir %attr(-, keystone, keystone) %{_localstatedir}/log/keystone
 
 %changelog
+* Tue Mar 27 2012 Alan Pevec <apevec at redhat.com> 2011.3.1-3
+- Extremely long passwords can crash Keystone CVE-2012-1572
+
 * Thu Nov 24 2011 Alan Pevec <apevec at redhat.com> 2011.3.1-2
 - include LICENSE, update package description from README.md
 

