[Pkg-cracklib-commits] [pkg-cracklib] 02/03: Fix "CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field" by applying patch by Salvatore Bonaccorso (Closes: #834502)

Jan Dittberner jandd at moszumanska.debian.org
Tue Aug 23 16:56:18 UTC 2016


This is an automated email from the git hooks/post-receive script.

jandd pushed a commit to branch master
in repository pkg-cracklib.

commit f654d4e1ce79360889dd741460d9ea5d45938931
Author: Jan Dittberner <jandd at debian.org>
Date:   Tue Aug 23 17:53:33 2016 +0200

    Fix "CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field" by applying patch by Salvatore Bonaccorso (Closes: #834502)
---
 debian/changelog                   |  4 +--
 debian/patches/CVE-2016-6318.patch | 70 +++++++++++---------------------------
 2 files changed, 22 insertions(+), 52 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 127f964..a8155b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
 cracklib2 (2.9.2-2) UNRELEASED; urgency=medium
 
-  * CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS
-    fields. (Closes: #834502) thanks to Chris Lamb for the patch
+  * Fix "CVE-2016-6318: Stack-based buffer overflow when parsing large
+    GECOS field" by applying patch by Salvatore Bonaccorso (Closes: #834502)
 
  -- Jan Dittberner <jandd at debian.org>  Tue, 23 Aug 2016 17:45:10 +0200
 
diff --git a/debian/patches/CVE-2016-6318.patch b/debian/patches/CVE-2016-6318.patch
index e7a11ac..e564440 100644
--- a/debian/patches/CVE-2016-6318.patch
+++ b/debian/patches/CVE-2016-6318.patch
@@ -1,15 +1,25 @@
---- cracklib2-2.8.19.orig/lib/fascist.c
-+++ cracklib2-2.8.19/lib/fascist.c
-@@ -509,7 +509,7 @@ FascistGecos(password, uid)
-     size_t sbufferlen = LINE_MAX;
- #endif
+Description: CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field
+ It is not safe to pass words longer than STRINGSIZE further to cracklib
+ so the longbuffer cannot be longer than STRINGSIZE.
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=1188599
+Bug-Debian: https://bugs.debian.org/834502
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1364944
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-08-16
+
+--- a/lib/fascist.c
++++ b/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
      char *uwords[STRINGSIZE];
 -    char longbuffer[STRINGSIZE * 2];
 +    char longbuffer[STRINGSIZE];
  
- #ifdef HAVE_GETPWUID_R
-     sbuffer = malloc(sbufferlen);
-@@ -636,58 +636,67 @@ FascistGecos(password, uid)
+     if (gecos == NULL)
+ 	gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const c
      {
  	for (i = 0; i < j; i++)
  	{
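Review bot: Every write to `longbuffer` now depends on a preceding length check, because the declaration in this hunk shrinks it from `STRINGSIZE * 2` to `STRINGSIZE`. The `strlen(...) < STRINGSIZE` guards added in the later hunks cover the concatenations visible here, but any write to `longbuffer` that the patch does not wrap would now run past the buffer at half the previous length. The body of FascistGecosUser starts and ends outside this hunk, so it is worth confirming against the 2.9.2 source that no unguarded writer remains. A one-line comment at the declaration would record the invariant for later refreshes of the patch, for example `/* longbuffer is handed to GTry(); every write must be checked against STRINGSIZE first */`.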
@@ -19,11 +29,6 @@
 -	    if (GTry(longbuffer, password))
 +	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
  	    {
--	        if (sbuffer)
--	        {
--	       	    free(sbuffer);
--		    sbuffer = NULL;
--	        }
 -		return _("it is derived from your password entry");
 -	    }
 -
@@ -34,19 +39,9 @@
  
 -	    if (GTry(longbuffer, password))
 -	    {
--	        if (sbuffer)
--	        {
--	       	    free(sbuffer);
--		    sbuffer = NULL;
--	        }
 -		return _("it's derived from your password entry");
 +		if (GTry(longbuffer, password))
 +		{
-+		    if (sbuffer)
-+		    {
-+			free(sbuffer);
-+			sbuffer = NULL;
-+		    }
 +		    return _("it is derived from your password entry");
 +		}
 +
@@ -55,12 +50,7 @@
 +
 +		if (GTry(longbuffer, password))
 +		{
-+		    if (sbuffer)
-+		    {
-+			free(sbuffer);
-+			sbuffer = NULL;
-+		    }
-+		    return _("it's derived from your password entry");
++		   return _("it's derived from your password entry");
 +		}
  	    }
  
@@ -71,23 +61,13 @@
 -	    if (GTry(longbuffer, password))
 +	    if (strlen(uwords[j]) < STRINGSIZE - 1)
  	    {
--	        if (sbuffer)
--	        {
--	       	    free(sbuffer);
--		    sbuffer = NULL;
--	        }
 -		return _("it is derivable from your password entry");
 +		longbuffer[0] = uwords[i][0];
 +		longbuffer[1] = '\0';
-+	    	strcat(longbuffer, uwords[j]);
++		strcat(longbuffer, uwords[j]);
 +
 +		if (GTry(longbuffer, password))
 +		{
-+		    if (sbuffer)
-+		    {
-+			free(sbuffer);
-+			sbuffer = NULL;
-+		    }
 +		    return _("it is derivable from your password entry");
 +		}
  	    }
@@ -99,11 +79,6 @@
 -	    if (GTry(longbuffer, password))
 +	    if (strlen(uwords[i]) < STRINGSIZE - 1)
  	    {
--	        if (sbuffer)
--	        {
--	       	    free(sbuffer);
--		    sbuffer = NULL;
--	        }
 -		return _("it's derivable from your password entry");
 +		longbuffer[0] = uwords[j][0];
 +		longbuffer[1] = '\0';
@@ -111,11 +86,6 @@
 +
 +		if (GTry(longbuffer, password))
 +		{
-+		    if (sbuffer)
-+		    {
-+			free(sbuffer);
-+			sbuffer = NULL;
-+		    }
 +		    return _("it's derivable from your password entry");
 +		}
  	    }

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cracklib/pkg-cracklib.git


