...
 
Commits (2)
cracklib2 (2.8.19-3+deb7u1) wheezy-security; urgency=high
* CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS
fields. (Closes: #834502)
-- Chris Lamb <lamby@debian.org> Sat, 20 Aug 2016 17:40:02 +0100
cracklib2 (2.8.19-3) unstable; urgency=low
* update debian/patches/libcrack2-error-safer-check-variant.patch with
fixed version from http://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=689588#29
-- Jan Dittberner <jandd@debian.org> Wed, 12 Dec 2012 22:56:46 +0100
cracklib2 (2.8.19-2) unstable; urgency=low
* add debian/patches/libcrack2-error-safer-check-variant.patch to provide
......
--- cracklib2-2.8.19.orig/lib/fascist.c
+++ cracklib2-2.8.19/lib/fascist.c
@@ -509,7 +509,7 @@ FascistGecos(password, uid)
size_t sbufferlen = LINE_MAX;
#endif
char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
#ifdef HAVE_GETPWUID_R
sbuffer = malloc(sbufferlen);
@@ -636,58 +636,67 @@ FascistGecos(password, uid)
{
for (i = 0; i < j; i++)
{
- strcpy(longbuffer, uwords[i]);
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
{
- if (sbuffer)
- {
- free(sbuffer);
- sbuffer = NULL;
- }
- return _("it is derived from your password entry");
- }
-
- strcpy(longbuffer, uwords[j]);
- strcat(longbuffer, uwords[i]);
+ strcpy(longbuffer, uwords[i]);
+ strcat(longbuffer, uwords[j]);
- if (GTry(longbuffer, password))
- {
- if (sbuffer)
- {
- free(sbuffer);
- sbuffer = NULL;
- }
- return _("it's derived from your password entry");
+ if (GTry(longbuffer, password))
+ {
+ if (sbuffer)
+ {
+ free(sbuffer);
+ sbuffer = NULL;
+ }
+ return _("it is derived from your password entry");
+ }
+
+ strcpy(longbuffer, uwords[j]);
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ if (sbuffer)
+ {
+ free(sbuffer);
+ sbuffer = NULL;
+ }
+ return _("it's derived from your password entry");
+ }
}
- longbuffer[0] = uwords[i][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
{
- if (sbuffer)
- {
- free(sbuffer);
- sbuffer = NULL;
- }
- return _("it is derivable from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
+ if (sbuffer)
+ {
+ free(sbuffer);
+ sbuffer = NULL;
+ }
+ return _("it is derivable from your password entry");
+ }
}
- longbuffer[0] = uwords[j][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
{
- if (sbuffer)
- {
- free(sbuffer);
- sbuffer = NULL;
- }
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ if (sbuffer)
+ {
+ free(sbuffer);
+ sbuffer = NULL;
+ }
+ return _("it's derivable from your password entry");
+ }
}
}
}
......@@ -13,7 +13,7 @@ Bug-Debian: http://bugs.debian.org/682735
+__DEBIAN_SPECIFIC__SafeFascistCheck(password, path, errstr)
+ const char *password;
+ const char *path;
+ char *errstr;
+ char **errstr;
+{
+ PWDICT *pwp;
+ char pwtrunced[STRINGSIZE];
......@@ -41,7 +41,7 @@ Bug-Debian: http://bugs.debian.org/682735
+ }
+
+ /* sure seems like we should close the database, since we're only likely to check one password */
+ errstr = FascistLook(pwp, pwtrunced);
+ *errstr = FascistLook(pwp, pwtrunced);
+
+ PWClose(pwp);
+ pwp = (PWDICT *)0;
......@@ -78,7 +78,7 @@ Bug-Debian: http://bugs.debian.org/682735
LOCK();
- result = FascistCheck(candidate, dict ? dict : defaultdict);
+ result = __DEBIAN_SPECIFIC__SafeFascistCheck(candidate,
+ dict ? dict : defaultdict, errmsg);
+ dict ? dict : defaultdict, &errmsg);
UNLOCK();
if (defaultdict != NULL)
......@@ -124,7 +124,7 @@ Bug-Debian: http://bugs.debian.org/682735
+ opening or reading the dictionary. In the later case, please check
+ errno. */
+extern int __DEBIAN_SPECIFIC__SafeFascistCheck(const char *pw,
+ const char *dictpath, char *errmsg);
+ const char *dictpath, char **errmsg);
+
/* This function returns the compiled in value for DEFAULT_CRACKLIB_DICT.
*/
......
install-debian-python-modules.patch
pass-dict-to-cracklib-test.patch
libcrack2-error-safer-check-variant.patch
CVE-2016-6318patch