From 345a730d4538bde4b6d47348adc6dd294ccdf098 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 8 Dec 2016 18:09:03 +0100 Subject: [PATCH] fix CVE-2016-6318 - avoid overflows in GECOS handling and mangling password (#1364944) --- cracklib-2.9.6-cve-2016-6318.patch | 144 +++++++++++++++++++++++++++++ cracklib.spec | 7 +- 2 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 cracklib-2.9.6-cve-2016-6318.patch diff --git a/cracklib-2.9.6-cve-2016-6318.patch b/cracklib-2.9.6-cve-2016-6318.patch new file mode 100644 index 0000000..370b403 --- /dev/null +++ b/cracklib-2.9.6-cve-2016-6318.patch @@ -0,0 +1,144 @@ +diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c +--- cracklib-2.9.6/lib/fascist.c.overflow 2015-10-23 16:58:38.403319225 +0200 ++++ cracklib-2.9.6/lib/fascist.c 2016-12-08 17:28:41.490101358 +0100 +@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c + char gbuffer[STRINGSIZE]; + char tbuffer[STRINGSIZE]; + char *uwords[STRINGSIZE]; +- char longbuffer[STRINGSIZE * 2]; ++ char longbuffer[STRINGSIZE]; + + if (gecos == NULL) + gecos = ""; +@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c + { + for (i = 0; i < j; i++) + { +- strcpy(longbuffer, uwords[i]); +- strcat(longbuffer, uwords[j]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) + { +- return _("it is derived from your password entry"); +- } +- +- strcpy(longbuffer, uwords[j]); +- strcat(longbuffer, uwords[i]); ++ strcpy(longbuffer, uwords[i]); ++ strcat(longbuffer, uwords[j]); + +- if (GTry(longbuffer, password)) +- { +- return _("it's derived from your password entry"); ++ if (GTry(longbuffer, password)) ++ { ++ return _("it is derived from your password entry"); ++ } ++ ++ strcpy(longbuffer, uwords[j]); ++ strcat(longbuffer, uwords[i]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it's derived from your password entry"); ++ } + } + +- longbuffer[0] = uwords[i][0]; +- longbuffer[1] = '\0'; +- strcat(longbuffer, uwords[j]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[j]) < STRINGSIZE - 1) + { +- return _("it is derivable from your password entry"); ++ longbuffer[0] = uwords[i][0]; ++ longbuffer[1] = '\0'; ++ strcat(longbuffer, uwords[j]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it is derivable from your password entry"); ++ } + } + +- longbuffer[0] = uwords[j][0]; +- longbuffer[1] = '\0'; +- strcat(longbuffer, uwords[i]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[i]) < STRINGSIZE - 1) + { +- return _("it's derivable from your password entry"); ++ longbuffer[0] = uwords[j][0]; ++ longbuffer[1] = '\0'; ++ strcat(longbuffer, uwords[i]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it's derivable from your password entry"); ++ } + } + } + } +diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c +--- cracklib-2.9.6/lib/rules.c.overflow 2015-10-23 16:58:38.000000000 +0200 ++++ cracklib-2.9.6/lib/rules.c 2016-12-08 18:03:27.041941297 +0100 +@@ -158,6 +158,8 @@ Pluralise(string, area) /* returns a po + register int length; + length = strlen(string); + strcpy(area, string); ++ if (length > STRINGSIZE - 3) /* we add 2 characters at worst */ ++ return (area); + + if (!Suffix(string, "ch") || + !Suffix(string, "ex") || +@@ -462,11 +464,11 @@ Mangle(input, control, area) /* returns + Pluralise(area2, area); + break; + case RULE_REFLECT: +- strcat(area, Reverse(area, area2)); ++ strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1); + break; + case RULE_DUPLICATE: + strcpy(area2, area); +- strcat(area, area2); ++ strncat(area, area2, STRINGSIZE - strlen(area) - 1); + break; + case RULE_GT: + if (!ptr[1]) +@@ -514,7 +516,8 @@ Mangle(input, control, area) /* returns + } else + { + area2[0] = *(++ptr); +- strcpy(area2 + 1, area); ++ strncpy(area2 + 1, area, STRINGSIZE - 2); ++ area2[STRINGSIZE - 1] = '\0'; + strcpy(area, area2); + } + break; +@@ -528,8 +531,10 @@ Mangle(input, control, area) /* returns + register char *string; + string = area; + while (*(string++)); +- string[-1] = *(++ptr); +- *string = '\0'; ++ if (string < area + STRINGSIZE) { ++ string[-1] = *(++ptr); ++ *string = '\0'; ++ } + } + break; + case RULE_EXTRACT: +@@ -600,6 +605,10 @@ Mangle(input, control, area) /* returns + } + p1 = area; + p2 = area2; ++ if (strlen(p1) > STRINGSIZE - 2) { ++ /* truncate */ ++ p1[STRINGSIZE - 2] = '\0'; ++ } + while (i && *p1) + { + i--; diff --git a/cracklib.spec b/cracklib.spec index cf8ba09..6fbadac 100644 --- a/cracklib.spec +++ b/cracklib.spec @@ -5,7 +5,7 @@ Summary: A password-checking library Name: cracklib Version: 2.9.6 -Release: 3%{?dist} +Release: 4%{?dist} Group: System Environment/Libraries Source0: https://github.com/cracklib/cracklib/releases/download/cracklib-%{version}/cracklib-%{version}.tar.gz Source1: https://github.com/cracklib/cracklib/releases/download/cracklib-%{version}/cracklib-words-%{version}.gz @@ -25,6 +25,7 @@ Patch2: cracklib-2.9.0-python-gzdicts.patch Patch4: cracklib-2.9.6-packlib-reentrant.patch Patch6: cracklib-2.9.6-simplistic.patch Patch7: cracklib-2.9.6-translation-updates.patch +Patch8: cracklib-2.9.6-cve-2016-6318.patch URL: http://sourceforge.net/projects/cracklib/ License: LGPLv2+ Buildroot: %{_tmppath}/%{name}-%{version}-root @@ -97,6 +98,7 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po %patch4 -p1 -b .reentrant %patch6 -p1 -b .simplistic %patch7 -p1 -b .translations +%patch8 -p1 -b .overflow mkdir cracklib-dicts for dict in %{SOURCE10} %{SOURCE1} @@ -219,6 +221,9 @@ EOF %{_libdir}/python*/site-packages/*.py* %changelog +* Thu Dec 8 2016 Fedora Release Engineering - 2.9.6-4 +- fix CVE-2016-6318 - avoid overflows in GECOS handling and mangling password (#1364944) + * Tue Jul 19 2016 Fedora Release Engineering - 2.9.6-3 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages