date: 2012-03-27

id: OSSA-2012-002

title: 'Extremely long passwords can crash Keystone'

description: 'Dan Prince reported a vulnerability in Keystone. He discovered that
  you can remotely trigger a crash in Keystone by sending an extremely long password.
  When Keystone is validating the password, glibc allocates space on the stack for
  the entire password. If the password is long enough, stack space can be exhausted,
  resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonablelimit
  on password length (4 kB).'

reference: https://lists.launchpad.net/openstack/msg09193.html

affected-products:

  - product: keystone
    version: All versions

vulnerabilities:

  - cve-id: CVE-2012-1572
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 5.0
        detail: AV:N/AC:L/Au:N/C:N/I:N/A:P
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Dan Prince'
    affiliation: 'Red Hat'
    reported:
      - CVE-2012-1572

issues:

  links:
    - https://launchpad.net/bugs/957359

  type: launchpad

reviews:

  essex:
    - https://review.openstack.org/#/c/5507

  diablo:
    - https://review.openstack.org/#/c/5865

  type: gerrit