[Pkg-cracklib-commits] [pkg-cracklib] 02/03: Fix "CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field" by applying patch by Salvatore Bonaccorso (Closes: #834502)
Jan Dittberner
jandd at moszumanska.debian.org
Tue Aug 23 16:56:18 UTC 2016
This is an automated email from the git hooks/post-receive script.
jandd pushed a commit to branch master
in repository pkg-cracklib.
commit f654d4e1ce79360889dd741460d9ea5d45938931
Author: Jan Dittberner <jandd at debian.org>
Date: Tue Aug 23 17:53:33 2016 +0200
Fix "CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field" by applying patch by Salvatore Bonaccorso (Closes: #834502)
---
debian/changelog | 4 +--
debian/patches/CVE-2016-6318.patch | 70 +++++++++++---------------------------
2 files changed, 22 insertions(+), 52 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 127f964..a8155b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
cracklib2 (2.9.2-2) UNRELEASED; urgency=medium
- * CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS
- fields. (Closes: #834502) thanks to Chris Lamb for the patch
+ * Fix "CVE-2016-6318: Stack-based buffer overflow when parsing large
+ GECOS field" by applying patch by Salvatore Bonaccorso (Closes: #834502)
-- Jan Dittberner <jandd at debian.org> Tue, 23 Aug 2016 17:45:10 +0200
diff --git a/debian/patches/CVE-2016-6318.patch b/debian/patches/CVE-2016-6318.patch
index e7a11ac..e564440 100644
--- a/debian/patches/CVE-2016-6318.patch
+++ b/debian/patches/CVE-2016-6318.patch
@@ -1,15 +1,25 @@
---- cracklib2-2.8.19.orig/lib/fascist.c
-+++ cracklib2-2.8.19/lib/fascist.c
-@@ -509,7 +509,7 @@ FascistGecos(password, uid)
- size_t sbufferlen = LINE_MAX;
- #endif
+Description: CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field
+ It is not safe to pass words longer than STRINGSIZE further to cracklib
+ so the longbuffer cannot be longer than STRINGSIZE.
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=1188599
+Bug-Debian: https://bugs.debian.org/834502
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1364944
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-08-16
+
+--- a/lib/fascist.c
++++ b/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
+ char gbuffer[STRINGSIZE];
+ char tbuffer[STRINGSIZE];
char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
- #ifdef HAVE_GETPWUID_R
- sbuffer = malloc(sbufferlen);
-@@ -636,58 +636,67 @@ FascistGecos(password, uid)
+ if (gecos == NULL)
+ gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const c
{
for (i = 0; i < j; i++)
{
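Review bot: The new `char longbuffer[STRINGSIZE];` declaration carries no comment saying that the unchecked `strcpy`/`strcat` calls further down are only safe because of the `strlen` guards the same patch adds, so a later edit could drop a guard without noticing the bound. I would add above it `/* Sized to STRINGSIZE on purpose: longer words must not reach GTry(); every write into longbuffer below is length-checked first. */`. The refreshed patch also no longer carries the `free(sbuffer)` blocks on the early returns (they are removed in the following hunks). The context here suggests FascistGecosUser receives `gecos` from its caller and does not own that buffer, but this should be confirmed against the 2.9.2 source so the rebase does not introduce a leak. FascistGecosUser's body starts and ends outside this hunk.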
@@ -19,11 +29,6 @@
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
{
-- if (sbuffer)
-- {
-- free(sbuffer);
-- sbuffer = NULL;
-- }
- return _("it is derived from your password entry");
- }
-
@@ -34,19 +39,9 @@
- if (GTry(longbuffer, password))
- {
-- if (sbuffer)
-- {
-- free(sbuffer);
-- sbuffer = NULL;
-- }
- return _("it's derived from your password entry");
+ if (GTry(longbuffer, password))
+ {
-+ if (sbuffer)
-+ {
-+ free(sbuffer);
-+ sbuffer = NULL;
-+ }
+ return _("it is derived from your password entry");
+ }
+
@@ -55,12 +50,7 @@
+
+ if (GTry(longbuffer, password))
+ {
-+ if (sbuffer)
-+ {
-+ free(sbuffer);
-+ sbuffer = NULL;
-+ }
-+ return _("it's derived from your password entry");
++ return _("it's derived from your password entry");
+ }
}
@@ -71,23 +61,13 @@
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
{
-- if (sbuffer)
-- {
-- free(sbuffer);
-- sbuffer = NULL;
-- }
- return _("it is derivable from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
-+ strcat(longbuffer, uwords[j]);
++ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
-+ if (sbuffer)
-+ {
-+ free(sbuffer);
-+ sbuffer = NULL;
-+ }
+ return _("it is derivable from your password entry");
+ }
}
@@ -99,11 +79,6 @@
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
{
-- if (sbuffer)
-- {
-- free(sbuffer);
-- sbuffer = NULL;
-- }
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
@@ -111,11 +86,6 @@
+
+ if (GTry(longbuffer, password))
+ {
-+ if (sbuffer)
-+ {
-+ free(sbuffer);
-+ sbuffer = NULL;
-+ }
+ return _("it's derivable from your password entry");
+ }
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cracklib/pkg-cracklib.git