[Openstack-security] [Bug 1175905] Re: passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE
David Stanek
dstanek at dstanek.com
Fri Mar 28 01:07:59 UTC 2014
How should we proceed here? The patch submitted for this just hard codes
the value of PASSLIB_MAX_PASSWORD_SIZE to 4096. Is that the correct
thing to do or should we allow it to be configured?
If it can be configured do we need to have boundaries we can validate
against (like a lower bounds of 1024 and and upper bounds of 16384)?
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175905
Title:
passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE
Status in OpenStack Identity (Keystone):
Confirmed
Bug description:
Grant Murphy originally reported:
* Usage of passlib
The keystone server does not appear to sanitize the environment when
starting. This means that an unintended value can be set for
PASSLIB_MAX_PASSWORD_SIZE. Which will overwrite the default value of
4096 and potentially cause an unhandled passlib.exc.PasswordSizeError.
We should ensure sensible defaults are applied here prior to loading passlib.
If this is exploitable it will need a CVE, if not we should still
harden it so it can't be monkeyed with in the future.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175905/+subscriptions
More information about the Openstack-security
mailing list