fix CVE-2016-6318 - avoid overflows in GECOS handling and mangling password (#1364944)
This commit is contained in:
		
							parent
							
								
									aff542331c
								
							
						
					
					
						commit
						345a730d45
					
				
							
								
								
									
										144
									
								
								cracklib-2.9.6-cve-2016-6318.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										144
									
								
								cracklib-2.9.6-cve-2016-6318.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,144 @@ | ||||
| diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c
 | ||||
| --- cracklib-2.9.6/lib/fascist.c.overflow	2015-10-23 16:58:38.403319225 +0200
 | ||||
| +++ cracklib-2.9.6/lib/fascist.c	2016-12-08 17:28:41.490101358 +0100
 | ||||
| @@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
 | ||||
|      char gbuffer[STRINGSIZE]; | ||||
|      char tbuffer[STRINGSIZE]; | ||||
|      char *uwords[STRINGSIZE]; | ||||
| -    char longbuffer[STRINGSIZE * 2];
 | ||||
| +    char longbuffer[STRINGSIZE];
 | ||||
|   | ||||
|      if (gecos == NULL) | ||||
|  	gecos = ""; | ||||
| @@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
 | ||||
|      { | ||||
|  	for (i = 0; i < j; i++) | ||||
|  	{ | ||||
| -	    strcpy(longbuffer, uwords[i]);
 | ||||
| -	    strcat(longbuffer, uwords[j]);
 | ||||
| -
 | ||||
| -	    if (GTry(longbuffer, password))
 | ||||
| +	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 | ||||
|  	    { | ||||
| -		return _("it is derived from your password entry");
 | ||||
| -	    }
 | ||||
| -
 | ||||
| -	    strcpy(longbuffer, uwords[j]);
 | ||||
| -	    strcat(longbuffer, uwords[i]);
 | ||||
| +		strcpy(longbuffer, uwords[i]);
 | ||||
| +		strcat(longbuffer, uwords[j]);
 | ||||
|   | ||||
| -	    if (GTry(longbuffer, password))
 | ||||
| -	    {
 | ||||
| -		return _("it's derived from your password entry");
 | ||||
| +		if (GTry(longbuffer, password))
 | ||||
| +		{
 | ||||
| +		    return _("it is derived from your password entry");
 | ||||
| +		}
 | ||||
| +
 | ||||
| +		strcpy(longbuffer, uwords[j]);
 | ||||
| +		strcat(longbuffer, uwords[i]);
 | ||||
| +
 | ||||
| +		if (GTry(longbuffer, password))
 | ||||
| +		{
 | ||||
| +		   return _("it's derived from your password entry");
 | ||||
| +		}
 | ||||
|  	    } | ||||
|   | ||||
| -	    longbuffer[0] = uwords[i][0];
 | ||||
| -	    longbuffer[1] = '\0';
 | ||||
| -	    strcat(longbuffer, uwords[j]);
 | ||||
| -
 | ||||
| -	    if (GTry(longbuffer, password))
 | ||||
| +	    if (strlen(uwords[j]) < STRINGSIZE - 1)
 | ||||
|  	    { | ||||
| -		return _("it is derivable from your password entry");
 | ||||
| +		longbuffer[0] = uwords[i][0];
 | ||||
| +		longbuffer[1] = '\0';
 | ||||
| +		strcat(longbuffer, uwords[j]);
 | ||||
| +
 | ||||
| +		if (GTry(longbuffer, password))
 | ||||
| +		{
 | ||||
| +		    return _("it is derivable from your password entry");
 | ||||
| +		}
 | ||||
|  	    } | ||||
|   | ||||
| -	    longbuffer[0] = uwords[j][0];
 | ||||
| -	    longbuffer[1] = '\0';
 | ||||
| -	    strcat(longbuffer, uwords[i]);
 | ||||
| -
 | ||||
| -	    if (GTry(longbuffer, password))
 | ||||
| +	    if (strlen(uwords[i]) < STRINGSIZE - 1)
 | ||||
|  	    { | ||||
| -		return _("it's derivable from your password entry");
 | ||||
| +		longbuffer[0] = uwords[j][0];
 | ||||
| +		longbuffer[1] = '\0';
 | ||||
| +		strcat(longbuffer, uwords[i]);
 | ||||
| +
 | ||||
| +		if (GTry(longbuffer, password))
 | ||||
| +		{
 | ||||
| +		    return _("it's derivable from your password entry");
 | ||||
| +		}
 | ||||
|  	    } | ||||
|  	} | ||||
|      } | ||||
| diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c
 | ||||
| --- cracklib-2.9.6/lib/rules.c.overflow	2015-10-23 16:58:38.000000000 +0200
 | ||||
| +++ cracklib-2.9.6/lib/rules.c	2016-12-08 18:03:27.041941297 +0100
 | ||||
| @@ -158,6 +158,8 @@ Pluralise(string, area)		/* returns a po
 | ||||
|      register int length; | ||||
|      length = strlen(string); | ||||
|      strcpy(area, string); | ||||
| +    if (length > STRINGSIZE - 3) /* we add 2 characters at worst */
 | ||||
| +	return (area);
 | ||||
|   | ||||
|      if (!Suffix(string, "ch") || | ||||
|  	!Suffix(string, "ex") || | ||||
| @@ -462,11 +464,11 @@ Mangle(input, control, area)		/* returns
 | ||||
|  	    Pluralise(area2, area); | ||||
|  	    break; | ||||
|  	case RULE_REFLECT: | ||||
| -	    strcat(area, Reverse(area, area2));
 | ||||
| +	    strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);
 | ||||
|  	    break; | ||||
|  	case RULE_DUPLICATE: | ||||
|  	    strcpy(area2, area); | ||||
| -	    strcat(area, area2);
 | ||||
| +	    strncat(area, area2, STRINGSIZE - strlen(area) - 1);
 | ||||
|  	    break; | ||||
|  	case RULE_GT: | ||||
|  	    if (!ptr[1]) | ||||
| @@ -514,7 +516,8 @@ Mangle(input, control, area)		/* returns
 | ||||
|  	    } else | ||||
|  	    { | ||||
|  		area2[0] = *(++ptr); | ||||
| -		strcpy(area2 + 1, area);
 | ||||
| +		strncpy(area2 + 1, area, STRINGSIZE - 2);
 | ||||
| +		area2[STRINGSIZE - 1] = '\0';
 | ||||
|  		strcpy(area, area2); | ||||
|  	    } | ||||
|  	    break; | ||||
| @@ -528,8 +531,10 @@ Mangle(input, control, area)		/* returns
 | ||||
|  		register char *string; | ||||
|  		string = area; | ||||
|  		while (*(string++)); | ||||
| -		string[-1] = *(++ptr);
 | ||||
| -		*string = '\0';
 | ||||
| +		if (string < area + STRINGSIZE) {
 | ||||
| +			string[-1] = *(++ptr);
 | ||||
| +			*string = '\0';
 | ||||
| +		}
 | ||||
|  	    } | ||||
|  	    break; | ||||
|  	case RULE_EXTRACT: | ||||
| @@ -600,6 +605,10 @@ Mangle(input, control, area)		/* returns
 | ||||
|  		} | ||||
|  		p1 = area; | ||||
|  		p2 = area2; | ||||
| +		if (strlen(p1) > STRINGSIZE - 2) {
 | ||||
| +			/* truncate */
 | ||||
| +			p1[STRINGSIZE - 2] = '\0';
 | ||||
| +		}
 | ||||
|  		while (i && *p1) | ||||
|  		{ | ||||
|  		    i--; | ||||
| @ -5,7 +5,7 @@ | ||||
| Summary: A password-checking library | ||||
| Name: cracklib | ||||
| Version: 2.9.6 | ||||
| Release: 3%{?dist} | ||||
| Release: 4%{?dist} | ||||
| Group: System Environment/Libraries | ||||
| Source0: https://github.com/cracklib/cracklib/releases/download/cracklib-%{version}/cracklib-%{version}.tar.gz | ||||
| Source1: https://github.com/cracklib/cracklib/releases/download/cracklib-%{version}/cracklib-words-%{version}.gz | ||||
| @ -25,6 +25,7 @@ Patch2: cracklib-2.9.0-python-gzdicts.patch | ||||
| Patch4: cracklib-2.9.6-packlib-reentrant.patch | ||||
| Patch6: cracklib-2.9.6-simplistic.patch | ||||
| Patch7: cracklib-2.9.6-translation-updates.patch | ||||
| Patch8: cracklib-2.9.6-cve-2016-6318.patch | ||||
| URL: http://sourceforge.net/projects/cracklib/ | ||||
| License: LGPLv2+ | ||||
| Buildroot: %{_tmppath}/%{name}-%{version}-root | ||||
| @ -97,6 +98,7 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po | ||||
| %patch4 -p1 -b .reentrant | ||||
| %patch6 -p1 -b .simplistic | ||||
| %patch7 -p1 -b .translations | ||||
| %patch8 -p1 -b .overflow | ||||
| 
 | ||||
| mkdir cracklib-dicts | ||||
| for dict in %{SOURCE10} %{SOURCE1} | ||||
| @ -219,6 +221,9 @@ EOF | ||||
| %{_libdir}/python*/site-packages/*.py* | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Dec  8 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.6-4 | ||||
| - fix CVE-2016-6318 - avoid overflows in GECOS handling and mangling password (#1364944) | ||||
| 
 | ||||
| * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.6-3 | ||||
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | ||||
| 
 | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user