* [Bug crypt/25441] DOS attack risk caused by incomplete system password check function
From: weinull at outlook dot com @ 2020-04-21  1:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25441

weinull <weinull at outlook dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|WONTFIX                     |---

--- Comment #2 from weinull <weinull at outlook dot com> ---
(In reply to Carlos O'Donell from comment #1)
> Yes, it can take a long time to cryptographically hash a long password. I
> don't see this issue as a security issue unless we have concrete examples of
> specific DoS issues impacting real applications. The API imposes no limits,
> and so we should not either. Instead the limits need to be imposed by remote
> login interfaces like ssh (disable passwords) or pam (limit maximum password
> size). Limiting this at the lowest level API will not work well because we
> have no way to propagate a complex failure up the software stack, e.g. failed
> because of policy reasons for a too-long password.
> 
> I'm marking this as RESOLVED/WONTFIX.
> 
> Please review:
> https://sourceware.org/glibc/wiki/Security%20Process
> 
> Note: In Fedora we have moved from libcrypt.so (provided by glibc) to
> libxcrypt (provided by the libxcrypt project:
> https://github.com/besser82/libxcrypt). We accomplish this by building glibc
> with --disable-crypt, and then building libxcrypt in the compatibility mode
> to provide all the backwards compatibility required for older applications.
> We should continue to move forward with libxcrypt and newer one-way hashing
> algorithms. Fedora 30 fully removes the deprecated interfaces
> (https://fedoraproject.org/wiki/Changes/FullyRemoveDeprecatedAndUnsafeFunctionsFromLibcrypt).


Hi, there are already actual applications that have caused DoS due to this
crypt function problem. I reported this problem and obtained a CVE; you can
view CVE-2020-11650. At the same time, I also found the same DoS vulnerability
in VMware-related products; VMware confirmed the existence of the problem and
is currently releasing a patch to fix it, so the crypt function has problems
and affects multiple applications. You should fix the problem in glibc to
limit the length and solve the problem at the source.
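Added illustration of the position taken in comment #1 (the length limit and its policy failure are reported by the caller, which crypt(3) cannot do), not code from glibc, libxcrypt or either participant: a C verifier that bounds the input before any hashing work and returns a distinct result for the rejection. The `demo_hash` stand-in, its `$demo$` format and the 72-byte limit in the test are constructed for this example; a real caller passes `crypt` or `crypt_r` as the hasher.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A policy rejection gets its own code: the signal crypt(3) itself cannot
 * return, which is why the length check belongs in the caller. */
enum verify_result { VERIFY_OK, VERIFY_MISMATCH, VERIFY_TOO_LONG, VERIFY_HASH_ERROR };
/* Same shape as crypt(3); pass crypt itself (link -lcrypt) in real code. */
typedef const char *(*hash_fn)(const char *key, const char *setting);

/* Compare without early exit so a mismatch does not leak its position. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Enforce the length policy before any hashing work is done: strnlen()
 * stops at max_len + 1, so an oversized input is not even scanned. */
enum verify_result verify_bounded(const char *password, const char *stored,
                                  size_t max_len, hash_fn hasher)
{
    if (strnlen(password, max_len + 1) > max_len)
        return VERIFY_TOO_LONG;
    const char *computed = hasher(password, stored);
    if (computed == NULL || computed[0] == '*')
        return VERIFY_HASH_ERROR;
    return ct_equal(computed, stored) ? VERIFY_OK : VERIFY_MISMATCH;
}

/* Constructed stand-in for crypt(3) so the block builds without -lcrypt. NOT a
 * password hash: 32-bit FNV-1a over salt+key as "$demo$<salt>$<hex>", returned
 * from a static buffer the way crypt() does. */
static char demo_buf[64];
const char *demo_hash(const char *key, const char *setting)
{
    char salt[9] = {0};
    const char *end = strncmp(setting, "$demo$", 6) == 0
                      ? strchr(setting + 6, '$') : NULL;
    if (end == NULL || end - setting - 6 > 8) return "*0";
    memcpy(salt, setting + 6, (size_t)(end - setting - 6));
    uint32_t h = 2166136261u;
    for (const char *p = salt; *p; p++) h = (h ^ (unsigned char)*p) * 16777619u;
    for (const char *p = key;  *p; p++) h = (h ^ (unsigned char)*p) * 16777619u;
    snprintf(demo_buf, sizeof demo_buf, "$demo$%s$%08x", salt, (unsigned)h);
    return demo_buf;
}
```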

