[Pkg-cracklib-commits] [pkg-cracklib] 01/01: CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS fields. (Closes: #834502)

Jan Dittberner jandd at moszumanska.debian.org
Tue Aug 23 15:40:15 UTC 2016


This is an automated email from the git hooks/post-receive script.

jandd pushed a commit to branch wheezy-sec
in repository pkg-cracklib.

commit 05b6b2bd982aa3095b213eaa446e6e69a2377ce8
Author: Jan Dittberner <jandd at debian.org>
Date:   Tue Aug 23 17:38:51 2016 +0200

    CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS fields. (Closes: #834502)
---
 debian/changelog                  |   7 +++
 debian/patches/CVE-2016-6318patch | 123 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series             |   1 +
 3 files changed, 131 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 603de8f..56a0022 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cracklib2 (2.8.19-3+deb7u1) wheezy-security; urgency=high
+
+  * CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS
+    fields. (Closes: #834502)
+
+ -- Chris Lamb <lamby at debian.org>  Sat, 20 Aug 2016 17:40:02 +0100
+
 cracklib2 (2.8.19-3) unstable; urgency=low
 
   * update debian/patches/libcrack2-error-safer-check-variant.patch with
diff --git a/debian/patches/CVE-2016-6318patch b/debian/patches/CVE-2016-6318patch
new file mode 100644
index 0000000..e7a11ac
--- /dev/null
+++ b/debian/patches/CVE-2016-6318patch
@@ -0,0 +1,123 @@
+--- cracklib2-2.8.19.orig/lib/fascist.c
++++ cracklib2-2.8.19/lib/fascist.c
+@@ -509,7 +509,7 @@ FascistGecos(password, uid)
+     size_t sbufferlen = LINE_MAX;
+ #endif
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
++    char longbuffer[STRINGSIZE];
+ 
+ #ifdef HAVE_GETPWUID_R
+     sbuffer = malloc(sbufferlen);
+@@ -636,58 +636,67 @@ FascistGecos(password, uid)
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it is derived from your password entry");
+-	    }
+-
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
++		strcpy(longbuffer, uwords[i]);
++		strcat(longbuffer, uwords[j]);
+ 
+-	    if (GTry(longbuffer, password))
+-	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it's derived from your password entry");
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it is derived from your password entry");
++		}
++
++		strcpy(longbuffer, uwords[j]);
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it's derived from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it is derivable from your password entry");
++		longbuffer[0] = uwords[i][0];
++		longbuffer[1] = '\0';
++	    	strcat(longbuffer, uwords[j]);
++
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it is derivable from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it's derivable from your password entry");
++		longbuffer[0] = uwords[j][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it's derivable from your password entry");
++		}
+ 	    }
+ 	}
+     }
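Review bot: The three new length guards in the second fascist.c hunk are tied to `longbuffer` only through the `STRINGSIZE` macro, while the array itself is resized in the first hunk. Writing them against the buffer, e.g. `if (strlen(uwords[i]) + strlen(uwords[j]) < sizeof(longbuffer))` and `if (strlen(uwords[j]) < sizeof(longbuffer) - 1)`, keeps the bound correct if the declaration changes again. When a guard fails, the pair is skipped silently, so a password built from over-long GECOS words is not compared in that form; a comment such as `/* pair does not fit in longbuffer: skip it rather than overflow (CVE-2016-6318) */` would record that this is deliberate. The `strcat(longbuffer, uwords[j]);` line in the first-initial case is indented with spaces between two tabs, unlike its neighbours. FascistGecos starts and ends outside both hunks, so how `uwords[]` is filled and bounded cannot be checked from here.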
diff --git a/debian/patches/series b/debian/patches/series
index cd64245..232db9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 install-debian-python-modules.patch
 pass-dict-to-cracklib-test.patch
 libcrack2-error-safer-check-variant.patch
+CVE-2016-6318patch
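Review bot: The new entry `CVE-2016-6318patch` has no dot before `patch`, unlike the three `*.patch` entries above it. The name matches the file added in this commit, so the series still resolves, but renaming both to `CVE-2016-6318.patch` would keep the directory consistent and let tools that match `*.patch` find it.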

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cracklib/pkg-cracklib.git


