VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2392

Description

libuser 0.51.7 contains multiple programming bugs that can lead to denial of service via crash or disk consumption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

libuser 0.51.7 contains several serious programming bugs discovered during code review [2]. These include failure to validate read results from configuration files and /dev/urandom, leading to use of invalid buffers; an unsigned variable capturing the return value of read() that can cause write() to output 4294967295 bytes of data; and passing NULL pointers to fclose() in many places [2]. The bugs affect libuser-0.51.7-7.1.1 and likely prior versions.

Exploitation

An attacker may trigger these bugs through unknown attack vectors, but the bugs are reachable during normal libuser operations such as reading configuration or generating password salts [2]. No special privileges are required; the bugs can be triggered by any user or process that invokes libuser functions.

Impact

Successful exploitation leads to denial of service: either a crash due to NULL pointer dereference or fclose(NULL), or disk consumption from writing an enormous amount of data (up to 4 GB) [2]. The impact is limited to denial of service; no code execution or privilege escalation is indicated.

Mitigation

Red Hat released advisory RHSA-2005-770 [1], which includes updated packages that fix these bugs. Users should update to the corrected version of libuser. No workaround is documented; applying the patch from the bug report [2] or upgrading is recommended.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:amd64:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:ppc:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:x86_64:*:*:*:*:*
  • Libuser/Libuser (llm-fuzzy)
    Range: 0.51.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Multiple programming bugs including unchecked read failures, unsigned variable capturing read return values, and NULL pointer passes to fclose()."

Attack vector

An attacker can cause a denial of service (crash or disk consumption) by triggering read failures in libuser. For example, if a read from /dev/urandom fails, the salt buffer is treated as valid and may be mostly zeros, weakening cryptographic operations. More critically, the read() return value is stored in an unsigned variable, so a failure returning -1 becomes 4294967295, causing write() to output that many bytes and exhaust disk space [ref_id=1]. The advisory notes these bugs were found during code review and the exact attack vectors are not fully specified.

Affected code

The advisory [ref_id=1] identifies multiple programming bugs across libuser 0.51.7, including failures in reading config data, reading /dev/urandom for salt generation, unlock operations passing a structure by value to a variadic function, and read() return values stored in an unsigned variable that could cause massive writes. The patch also addresses NULL pointer passes to fclose() in many places.

What the fix does

The patch (applied in libuser-0.51.10-1) fixes each bug identified in the code review [ref_id=1]. It adds proper error checking after read() calls so that buffers are only used when reads succeed, changes the read return variable to a signed type so that -1 is not misinterpreted as a huge positive value, corrects the variadic function call to pass a pointer instead of a struct by value, and adds NULL checks before calling fclose(). The maintainer also fixed additional leaks and properly initialized struct lu_error with a message, and handled the other lu_make_crypted() call in modules/ldap.c to prevent empty passwords when /dev/urandom is unavailable [ref_id=1].
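The three bug classes described above, shown as an added C example; this is not libuser's code, and the function names, buffer size and the placeholder path are hypothetical. It shows the value an unsigned variable holds after a failed read(), a read helper that only reports success when the buffer is completely filled, and an fclose() guard.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Buggy pattern, value only: the byte count that would reach write()
 * when read()'s result is stored in an unsigned variable. */
unsigned int count_as_unsigned(ssize_t read_result) {
    unsigned int len = (unsigned int)read_result; /* -1 wraps to 4294967295 */
    return len;
}

/* Hardened read: returns 0 only if exactly len bytes were read into buf.
 * An open failure, read error or early EOF returns -1, so the caller
 * never uses a partly filled salt or config buffer. */
int read_exact(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got); /* signed: -1 stays -1 */
        if (n < 0 && errno == EINTR)
            continue;                               /* interrupted, retry */
        if (n <= 0) {                               /* error or EOF */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* fclose() must not be handed NULL, so only close a stream that opened. */
int close_if_open(FILE *fp) {
    return fp ? fclose(fp) : 0;
}

int main(void) {
    unsigned char salt[8]; /* constructed size, for illustration */
    printf("-1 stored unsigned: %u\n", count_as_unsigned(-1));
    printf("salt read: %d\n", read_exact("/dev/urandom", salt, sizeof salt));
    printf("missing file: %d\n",
           read_exact("/nonexistent/placeholder", salt, sizeof salt));
    return close_if_open(fopen("/nonexistent/placeholder", "r"));
}
```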

Preconditions

  • input: Attacker must be able to trigger read failures (e.g., from /dev/urandom or config files) on the target system
  • auth: No authentication required; the bugs are triggered during normal libuser operations

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
