Bugzilla – Bug 992966
VUL-0: CVE-2016-6318: cracklib: stack overflow
Last modified: 2016-11-08 14:58:11 UTC
Hello Vendors,

Raed Albuliwi reported a security flaw in cracklib, details as follows:

cracklib: Stack-based buffer overflow when parsing large GECOS field

A stack-based overflow was found in the way cracklib, a library used to stop users from choosing easy-to-guess passwords, handled a large GECOS field in the /etc/passwd file. When an application compiled against the cracklib library, such as "passwd", is used to parse the GECOS field, it could cause the application to crash or execute arbitrary code with the permissions of the user running such an application.

Steps to reproduce:

[user@localhost Documents]$ uname -a
Linux localhost.localdomain 3.10.0-327.28.2.el7.x86_64 #1 SMP Mon Jun 27 14:48:28 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
[user@localhost Documents]$ chfn -f `perl -e 'print "A"x256'` -o `perl -e 'print "B"x256'` -p `perl -e 'print "C"x256'` -h `perl -e 'print "D"x256'`
Changing finger information for user.
Password:
Finger information changed.
[user@localhost Documents]$ passwd
Changing password for user user.
Changing password for user.
(current) UNIX password:
New password:
*** buffer overflow detected ***: passwd terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f8700700597]
/lib64/libc.so.6(+0x10c750)[0x7f87006fe750]
...
...
...
7f86f81ee000-7f86f81ef000 r--p 000140

We have assigned CVE-2016-6318 to this issue.

Security Impact:

To trigger the flaw, you need a specially-crafted "long" GECOS field, which can be done by a local user on the system. (A user can change his GECOS only.) The attacker then needs to run some utility which uses cracklib to process this long GECOS field on the system (such as the "passwd" application, which runs suid root).

All versions of the cracklib library shipped with Red Hat Enterprise Linux are compiled with FORTIFY_SOURCE, which detects the buffer overflow and aborts the application safely. Therefore the maximum impact of this flaw is application crash.

However, there may be other applications or distributions which don't compile cracklib with FORTIFY_SOURCE, and this can lead to easy code exec or even privesc.

We plan to make this issue public on 16-Aug-2016 10:00 UTC.

Proposed patch is attached.

Regards,
Huzaifa Sidhpurwala / Red Hat Product Security Team.
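An added example of the bounded-copy pattern this class of bug calls for (an illustration written for this page, not cracklib's code and not the proposed patch): it parses the GECOS field out of a passwd(5) line and refuses to copy it into a fixed-size buffer it would not fit, exercised with a constructed line shaped like the chfn invocation in the report. GECOS_MAX is an assumed buffer size, not a cracklib constant.

```c
#include <string.h>

#define GECOS_MAX 1024  /* assumed buffer size for illustration, not cracklib's constant */

/* Locate the GECOS (5th colon-separated) field of a passwd(5) line.
 * Returns its length, or -1 if the line has fewer than five fields. */
int gecos_length(const char *line, const char **start)
{
    const char *p = line;
    for (int i = 0; i < 4; i++) {   /* skip name, passwd, uid, gid */
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    if (start != NULL)
        *start = p;
    return (int)strcspn(p, ":\n"); /* field ends at next ':' or end of line */
}

/* Copy the GECOS field into dst (capacity dstsize) with an explicit length
 * check instead of an unbounded strcpy(). Returns 0 on success, -1 (dst
 * left empty) when the field is missing or would not fit with its NUL. */
int copy_gecos(const char *line, char *dst, size_t dstsize)
{
    const char *g;
    int n = gecos_length(line, &g);
    dst[0] = '\0';
    if (n < 0 || (size_t)n >= dstsize)
        return -1;
    memcpy(dst, g, (size_t)n);
    dst[n] = '\0';
    return 0;
}

/* Constructed sample: a GECOS of four 256-byte fields joined by commas,
 * the shape the chfn invocation in the report produces (1027 bytes). */
const char *sample_overlong_line(void)
{
    static char line[2048];
    strcpy(line, "user:x:1000:1000:");   /* literal, fits the static buffer */
    size_t n = strlen(line);
    for (int f = 0; f < 4; f++) {
        if (f > 0)
            line[n++] = ',';
        memset(line + n, "ABCD"[f], 256);
        n += 256;
    }
    strcpy(line + n, ":/home/user:/bin/bash");
    return line;
}
```

Run over a real /etc/passwd, a copy_gecos() failure on a GECOS_MAX buffer flags an entry that a cracklib build without FORTIFY_SOURCE would mishandle.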
CRD: 2016-08-16
Created attachment 687494 [details]
the mail as being attached, containing the patch
Looks like users are not allowed to change their GECOS field. So this issue would be mitigated on our dists.
(In reply to Sebastian Krahmer from comment #3)
> Looks like users are not allowed to change their GECOS field.

Of course users are allowed to change their GECOS field, at least at SLES12 SP1. I would be really surprised if that's different on Tumbleweed.
11 is not affected by the issue, only 12 is affected.
please also submit openSUSE now if affected
Created attachment 688167 [details]
CVE-2016-6318.c

gcc -o CVE-2016-6318 CVE-2016-6318.c -lcrack
should not abort with backtrace/segfault
hmpf, only works on opensuse now
I have the patch ready for tumbleweed, but the CVE has not yet been made public on mitre. Should I wait till it's made public before making the submission?
This issue was published on oss-security public list today, so it is considered public. The Mitre CVE DB will be updated after some days only.
sle11 has the same code in cracklib, so I do not see why you think it is not affected. The reproducing example does not trigger though.
I doubt that the Redhat patch alone is sufficient to fix the buffer overflow issue, the C test case still triggers a buffer overflow even with the patch applied. So I wrote a patch for the remaining buffer overflow and the C test case now works without any issue: https://build.suse.de/request/show/119735 Please double check.
the static needs to stay, this area must be a global variable
Good catch, many thanks.
Created attachment 688546 [details]
CVE-2016-6318.c

QA REPRODUCER:
gcc -O2 -Wall -g -o CVE-2016-6318 CVE-2016-6318.c -lcrack
./CVE-2016-6318
should not crash/give fortify fail backtrace.
Last one is for SLE11, you need to replace the UID by the uid of the user with the bad GECOS field.
Created attachment 688547 [details]
CVE-2016-6318-SLE12.c

QA REPRODUCER for SLE12:
gcc -O2 -o CVE-2016-6318-SLE12 CVE-2016-6318-SLE12.c -lcrack
./CVE-2016-6318-SLE12
should not result in:
*** buffer overflow detected ***: ./CVE-2016-6318 terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7277f)[0x7f46f3e6c77f]
...
(GOOD: just return with empty output)
SUSE-SU-2016:2107-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 992966
CVE References: CVE-2016-6318
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): cracklib-2.9.0-7.1
SUSE Linux Enterprise Server 12-SP1 (src): cracklib-2.9.0-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src): cracklib-2.9.0-7.1
Marcus, could you please submit https://build.opensuse.org/request/show/419768 to Factory?
This is an autogenerated message for OBS integration: This bug (992966) was mentioned in https://build.opensuse.org/request/show/420987 Factory / cracklib
openSUSE-SU-2016:2204-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 992966
CVE References: CVE-2016-6318
Sources used:
openSUSE Leap 42.1 (src): cracklib-2.9.0-7.1, libpwquality-1.2.3-5.1
SUSE-SU-2016:2211-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 928923,992966
CVE References: CVE-2016-6318
Sources used:
SUSE Studio Onsite 1.3 (src): cracklib-2.8.12-56.13.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): cracklib-2.8.12-56.13.1
SUSE Linux Enterprise Server 11-SP4 (src): cracklib-2.8.12-56.13.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): cracklib-2.8.12-56.13.1
updates have been released.