security patch for libraries/liblutil/passwd.c (ITS#3020)
Full_Name: Mordy Ovits
Version: CVS HEAD and earlier
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.149.42.30)
While reading the source for libraries/liblutil/passwd.c, I found a
security bug. I'm skeptical that it's exploitable, because getting a null into
the presented credential seems hard. But I don't know the source well enough to
be sure, but if it is, it represents a critical remote hole. slapd needs to be
compiled w/ SLAPD_CRYPT for it to be vulnerable, and the user the attacker is
authenticating as must have their userPassword stored using the {CRYPT} scheme.
The bug is still in CVS. Here's the patch against 2.2.6:
===========
--- passwd.c.orig 2004-03-08 18:33:37.000000000 -0500
+++ passwd.c 2004-03-08 18:34:54.000000000 -0500
@@ -1079,7 +1079,7 @@
for( i=0; i<cred->bv_len; i++) {
if(cred->bv_val[i] == '\0') {
- return 1; /* NUL character in password */
+ return -1; /* NUL character in password */
}
}
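Review bot: the changed return inside the cred->bv_val[i] == '\0' branch swaps one bare literal for another, and nothing in the hunk shows which values the caller treats as a match and which as a rejection. Suggest stating the function's return convention in the comment on that line (or using a named constant instead of 1 / -1) and confirming in the patch description how each caller tests the result, so it is clear whether 1 was ever read as "accepted". If the same function scans any other buffer for NUL bytes, that return should be brought in line in the same patch.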
============
Do you see how the logic was reversed? It means to reject it if a NUL
was found, but instead, it OKs it. If it is exploitable, you really
should put out a security advisory and update.
Thanks,
Mordy
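
Added example, not part of the original message and not OpenLDAP code: why a length-counted credential is scanned for NUL bytes before being handed to a C-string routine such as crypt(). The struct, function names, sample inputs and the 0 / -1 return convention are assumptions made for this illustration; strcmp() stands in for crypt().

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical length-counted credential, modelled on the bv_len/bv_val
 * fields seen in the hunk. Not the OpenLDAP type. */
struct counted_buf {
    size_t len;
    const char *val;
};

/* Return convention assumed for this example only. */
enum { CHK_MATCH = 0, CHK_REJECT = -1 };

/* Naive check: passes the bytes to a C-string routine. strcmp() stands in
 * for crypt(), which also reads its key only up to the first NUL. */
int check_naive(const struct counted_buf *cred, const char *stored)
{
    return strcmp(cred->val, stored) == 0 ? CHK_MATCH : CHK_REJECT;
}

/* Strict check: refuse any credential whose counted length contains a NUL,
 * so the bytes compared are exactly the bytes presented. */
int check_strict(const struct counted_buf *cred, const char *stored)
{
    if (memchr(cred->val, '\0', cred->len) != NULL)
        return CHK_REJECT;              /* NUL character in password */
    if (cred->len != strlen(stored))
        return CHK_REJECT;
    return memcmp(cred->val, stored, cred->len) == 0 ? CHK_MATCH : CHK_REJECT;
}

/* Constructed sample inputs: 11 bytes with an embedded NUL, and 6 plain bytes. */
static const struct counted_buf SAMPLE_NUL   = { 11, "secret\0junk" };
static const struct counted_buf SAMPLE_PLAIN = { 6,  "secret" };

int main(void)
{
    /* Exit status 0 when the strict check separates the two inputs
     * that the naive check treats as the same password. */
    int ok = check_naive(&SAMPLE_NUL, "secret") == CHK_MATCH
          && check_strict(&SAMPLE_NUL, "secret") == CHK_REJECT
          && check_strict(&SAMPLE_PLAIN, "secret") == CHK_MATCH;
    return ok ? 0 : 1;
}
```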