fix CVE-2016-6318 - avoid overflows in GECOS handling and mangling password (#1364944)

2016-12-08 18:09:03 +01:00 · 2016-12-08 18:09:03 +01:00 · 345a730d45
commit 345a730d45
parent aff542331c
2 changed files with 150 additions and 1 deletions
--- a/cracklib-2.9.6-cve-2016-6318.patch
+++ b/cracklib-2.9.6-cve-2016-6318.patch
@ -0,0 +1,144 @@
+diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c
+--- cracklib-2.9.6/lib/fascist.c.overflow	2015-10-23 16:58:38.403319225 +0200
+++ cracklib-2.9.6/lib/fascist.c	2016-12-08 17:28:41.490101358 +0100
+@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+ 	gecos = "";
+@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-		return _("it is derived from your password entry");
+-	    }
+-
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
+		strcpy(longbuffer, uwords[i]);
+		strcat(longbuffer, uwords[j]);
+ 
+-	    if (GTry(longbuffer, password))
+-	    {
+-		return _("it's derived from your password entry");
+		if (GTry(longbuffer, password))
+		{
+		    return _("it is derived from your password entry");
+		}
+
+		strcpy(longbuffer, uwords[j]);
+		strcat(longbuffer, uwords[i]);
+
+		if (GTry(longbuffer, password))
+		{
+		   return _("it's derived from your password entry");
+		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it is derivable from your password entry");
+		longbuffer[0] = uwords[i][0];
+		longbuffer[1] = '\0';
+		strcat(longbuffer, uwords[j]);
+
+		if (GTry(longbuffer, password))
+		{
+		    return _("it is derivable from your password entry");
+		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it's derivable from your password entry");
+		longbuffer[0] = uwords[j][0];
+		longbuffer[1] = '\0';
+		strcat(longbuffer, uwords[i]);
+
+		if (GTry(longbuffer, password))
+		{
+		    return _("it's derivable from your password entry");
+		}
+ 	    }
+ 	}
+     }
+diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c
+--- cracklib-2.9.6/lib/rules.c.overflow	2015-10-23 16:58:38.000000000 +0200
+++ cracklib-2.9.6/lib/rules.c	2016-12-08 18:03:27.041941297 +0100
+@@ -158,6 +158,8 @@ Pluralise(string, area)		/* returns a po
+     register int length;
+     length = strlen(string);
+     strcpy(area, string);
+    if (length > STRINGSIZE - 3) /* we add 2 characters at worst */
+	return (area);
+ 
+     if (!Suffix(string, "ch") ||
+ 	!Suffix(string, "ex") ||
+@@ -462,11 +464,11 @@ Mangle(input, control, area)		/* returns
+ 	    Pluralise(area2, area);
+ 	    break;
+ 	case RULE_REFLECT:
+-	    strcat(area, Reverse(area, area2));
+	    strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);
+ 	    break;
+ 	case RULE_DUPLICATE:
+ 	    strcpy(area2, area);
+-	    strcat(area, area2);
+	    strncat(area, area2, STRINGSIZE - strlen(area) - 1);
+ 	    break;
+ 	case RULE_GT:
+ 	    if (!ptr[1])
+@@ -514,7 +516,8 @@ Mangle(input, control, area)		/* returns
+ 	    } else
+ 	    {
+ 		area2[0] = *(++ptr);
+-		strcpy(area2 + 1, area);
+		strncpy(area2 + 1, area, STRINGSIZE - 2);
+		area2[STRINGSIZE - 1] = '\0';
+ 		strcpy(area, area2);
+ 	    }
+ 	    break;
+@@ -528,8 +531,10 @@ Mangle(input, control, area)		/* returns
+ 		register char *string;
+ 		string = area;
+ 		while (*(string++));
+-		string[-1] = *(++ptr);
+-		*string = '\0';
+		if (string < area + STRINGSIZE) {
+			string[-1] = *(++ptr);
+			*string = '\0';
+		}
+ 	    }
+ 	    break;
+ 	case RULE_EXTRACT:
+@@ -600,6 +605,10 @@ Mangle(input, control, area)		/* returns
+ 		}
+ 		p1 = area;
+ 		p2 = area2;
+		if (strlen(p1) > STRINGSIZE - 2) {
+			/* truncate */
+			p1[STRINGSIZE - 2] = '\0';
+		}
+ 		while (i && *p1)
+ 		{
+ 		    i--;
--- a/cracklib.spec
+++ b/cracklib.spec
@ -5,7 +5,7 @@
 Summary: A password-checking library
 Name: cracklib
 Version: 2.9.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: System Environment/Libraries
 Source0: https://github.com/cracklib/cracklib/releases/download/cracklib-%{version}/cracklib-%{version}.tar.gz
 Source1: https://github.com/cracklib/cracklib/releases/download/cracklib-%{version}/cracklib-words-%{version}.gz
@ -25,6 +25,7 @@ Patch2: cracklib-2.9.0-python-gzdicts.patch
 Patch4: cracklib-2.9.6-packlib-reentrant.patch
 Patch6: cracklib-2.9.6-simplistic.patch
 Patch7: cracklib-2.9.6-translation-updates.patch
+Patch8: cracklib-2.9.6-cve-2016-6318.patch
 URL: http://sourceforge.net/projects/cracklib/
 License: LGPLv2+
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@ -97,6 +98,7 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po
 %patch4 -p1 -b .reentrant
 %patch6 -p1 -b .simplistic
 %patch7 -p1 -b .translations
+%patch8 -p1 -b .overflow

 mkdir cracklib-dicts
 for dict in %{SOURCE10} %{SOURCE1}
@ -219,6 +221,9 @@ EOF
 %{_libdir}/python*/site-packages/*.py*

 %changelog
+* Thu Dec  8 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.6-4
+- fix CVE-2016-6318 - avoid overflows in GECOS handling and mangling password (#1364944)
+
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.6-3
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages