From 620dc687b7fde701fcfed6c43d4666c65a0eeadd Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Mon, 7 Mar 2022 20:04:01 -0500
Subject: [PATCH] update to 2.9.7
Mostly a security fix release for CVE 2016-6318 which was already fixed in Fedora.
---
cracklib-2.9.7-packlib-reentrant.patch | 671 +++++++++++++++++++++++
cracklib-2.9.7-simplistic.patch | 217 ++++++++
cracklib-2.9.7-translation-updates.patch | 118 ++++
cracklib.spec | 8 +-
4 files changed, 1009 insertions(+), 5 deletions(-)
create mode 100644 cracklib-2.9.7-packlib-reentrant.patch
create mode 100644 cracklib-2.9.7-simplistic.patch
create mode 100644 cracklib-2.9.7-translation-updates.patch
diff --git a/cracklib-2.9.7-packlib-reentrant.patch b/cracklib-2.9.7-packlib-reentrant.patch
new file mode 100644
index 0000000..0615aff
--- /dev/null
+++ b/cracklib-2.9.7-packlib-reentrant.patch
@@ -0,0 +1,671 @@ +diff -Naur cracklib-2.9.7-orig/lib/fascist.c cracklib-2.9.7/lib/fascist.c +--- cracklib-2.9.7-orig/lib/fascist.c 2019-02-13 20:54:41.000000000 -0500 ++++ cracklib-2.9.7/lib/fascist.c 2022-03-07 14:48:53.348146748 -0500 +@@ -36,8 +36,8 @@ + #undef DEBUG + #undef DEBUG2 + +-extern char *Reverse(char *buf); +-extern char *Lowercase(char *buf); ++extern char *Reverse(char *buf, char *area); ++extern char *Lowercase(char *buf, char *area); + + static char *r_destructors[] = { + ":", /* noop - must do this to test raw word. */ +@@ -439,6 +439,8 @@ + int i; + int len; + char *mp; ++ char area[STRINGSIZE]; ++ char revarea[STRINGSIZE]; + + /* use destructors to turn password into rawtext */ + /* note use of Reverse() to save duplicating all rules */ +@@ -447,7 +449,7 @@ + + for (i = 0; r_destructors[i]; i++) + { +- if (!(mp = Mangle(password, r_destructors[i]))) ++ if (!(mp = Mangle(password, r_destructors[i], area))) + { + continue; + } +@@ -462,10 +464,10 @@ + } + + #ifdef DEBUG +- printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp), rawtext, r_destructors[i]); ++ printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp, revarea), rawtext, r_destructors[i]); + #endif + +- if (!strncmp(Reverse(mp), rawtext, len)) ++ if (!strncmp(Reverse(mp, revarea), rawtext, len)) + { + return (1); + } +@@ -473,7 +475,7 @@ + + for (i = 0; r_constructors[i]; i++) + { +- if (!(mp = Mangle(rawtext, r_constructors[i]))) ++ if (!(mp = Mangle(rawtext, r_constructors[i], area))) + { + continue; + } +@@ -520,7 +522,7 @@ + + strncpy(tbuffer, gecos, STRINGSIZE); + tbuffer[STRINGSIZE-1] = '\0'; +- strcpy(gbuffer, Lowercase(tbuffer)); ++ Lowercase(tbuffer, gbuffer); + + wc = 0; + ptr = gbuffer; +@@ -704,6 +706,7 @@ + char junk[STRINGSIZE]; + char *password; + char rpassword[STRINGSIZE]; ++ char area[STRINGSIZE]; + uint32_t notfound; + + notfound = PW_WORDS(pwp); +@@ -740,7 +743,7 @@ + return _("it does not contain enough DIFFERENT characters"); + } + +- strcpy(password, 
(char *)Lowercase(password)); ++ strcpy(password, (char *)Lowercase(password, area)); + + Trim(password); + +@@ -796,7 +799,7 @@ + { + char *a; + +- if (!(a = Mangle(password, r_destructors[i]))) ++ if (!(a = Mangle(password, r_destructors[i], area))) + { + continue; + } +@@ -811,13 +814,13 @@ + } + } + +- strcpy(password, (char *)Reverse(password)); ++ strcpy(password, (char *)Reverse(password, area)); + + for (i = 0; r_destructors[i]; i++) + { + char *a; + +- if (!(a = Mangle(password, r_destructors[i]))) ++ if (!(a = Mangle(password, r_destructors[i], area))) + { + continue; + } +diff -Naur cracklib-2.9.7-orig/lib/packer.h cracklib-2.9.7/lib/packer.h +--- cracklib-2.9.7-orig/lib/packer.h 2022-03-07 14:47:42.224763853 -0500 ++++ cracklib-2.9.7/lib/packer.h 2022-03-07 14:48:53.349146753 -0500 +@@ -82,7 +82,7 @@ + extern unsigned int FindPW(PWDICT *pwp, char *string); + extern int PutPW(PWDICT *pwp, char *string); + extern int PMatch(char *control, char *string); +-extern char *Mangle(char *input, char *control); ++extern char *Mangle(char *input, char *control, char *area); + extern char Chop(char *string); + extern char *Trim(char *string); + extern char *FascistLook(PWDICT *pwp, char *instring); +diff -Naur cracklib-2.9.7-orig/lib/packlib.c cracklib-2.9.7/lib/packlib.c +--- cracklib-2.9.7-orig/lib/packlib.c 2019-02-13 20:54:41.000000000 -0500 ++++ cracklib-2.9.7/lib/packlib.c 2022-03-07 14:48:53.349146753 -0500 +@@ -67,8 +67,8 @@ + char *mode; + { + int use64 = 0; +- static PWDICT pdesc; +- static PWDICT64 pdesc64; ++ PWDICT *pdesc; ++ PWDICT64 pdesc64; + char iname[STRINGSIZE]; + char dname[STRINGSIZE]; + char wname[STRINGSIZE]; +@@ -76,13 +76,11 @@ + void *ifp; + void *wfp; + +- if (pdesc.header.pih_magic == PIH_MAGIC) +- { +- fprintf(stderr, "%s: another dictionary already open\n", prefix); ++ pdesc = malloc(sizeof(*pdesc)); ++ if (pdesc == NULL) + return NULL; +- } + +- memset(&pdesc, '\0', sizeof(pdesc)); ++ memset(pdesc, '\0', sizeof(*pdesc)); + 
memset(&pdesc64, '\0', sizeof(pdesc64)); + + snprintf(iname, STRINGSIZE, "%s.pwi", prefix); +@@ -91,77 +89,80 @@ + + if (mode[0] == 'r') + { +- pdesc.flags &= ~PFOR_USEZLIB; ++ pdesc->flags &= ~PFOR_USEZLIB; + /* first try the normal db file */ +- if (!(pdesc.dfp = fopen(dname, mode))) ++ if (!(pdesc->dfp = fopen(dname, mode))) + { + #ifdef HAVE_ZLIB_H +- pdesc.flags |= PFOR_USEZLIB; ++ pdesc->flags |= PFOR_USEZLIB; + /* try extension .gz */ + snprintf(dname, STRINGSIZE, "%s.pwd.gz", prefix); +- if (!(pdesc.dfp = gzopen(dname, mode))) ++ if (!(pdesc->dfp = gzopen(dname, mode))) + { + perror(dname); ++ free(pdesc); + return NULL; + } + #else + perror(dname); ++ free(pdesc); + return NULL; + #endif + } + } + else + { +- pdesc.flags &= ~PFOR_USEZLIB; ++ pdesc->flags &= ~PFOR_USEZLIB; + /* write mode: use fopen */ +- if (!(pdesc.dfp = fopen(dname, mode))) ++ if (!(pdesc->dfp = fopen(dname, mode))) + { + perror(dname); ++ free(pdesc); + return NULL; + } + } + +- if (!(pdesc.ifp = fopen(iname, mode))) ++ if (!(pdesc->ifp = fopen(iname, mode))) + { + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) +- gzclose(pdesc.dfp); ++ if(pdesc->flags & PFOR_USEZLIB) ++ gzclose(pdesc->dfp); + else + #endif +- fclose(pdesc.dfp); ++ fclose(pdesc->dfp); + perror(iname); ++ free(pdesc); + return NULL; + } + +- if ((pdesc.wfp = fopen(wname, mode))) ++ if ((pdesc->wfp = fopen(wname, mode))) + { +- pdesc.flags |= PFOR_USEHWMS; ++ pdesc->flags |= PFOR_USEHWMS; + } + +- ifp = pdesc.ifp; +- dfp = pdesc.dfp; +- wfp = pdesc.wfp; ++ ifp = pdesc->ifp; ++ dfp = pdesc->dfp; ++ wfp = pdesc->wfp; + + if (mode[0] == 'w') + { +- pdesc.flags |= PFOR_WRITE; +- pdesc.header.pih_magic = PIH_MAGIC; +- pdesc.header.pih_blocklen = NUMWORDS; +- pdesc.header.pih_numwords = 0; ++ pdesc->flags |= PFOR_WRITE; ++ pdesc->header.pih_magic = PIH_MAGIC; ++ pdesc->header.pih_blocklen = NUMWORDS; ++ pdesc->header.pih_numwords = 0; + +- fwrite((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp); ++ fwrite((char *) 
&pdesc->header, sizeof(pdesc->header), 1, ifp); + } else + { +- pdesc.flags &= ~PFOR_WRITE; ++ pdesc->flags &= ~PFOR_WRITE; + +- if (!fread((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp)) ++ if (!fread((char *) &pdesc->header, sizeof(pdesc->header), 1, ifp)) + { + fprintf(stderr, "%s: error reading header\n", prefix); + +- pdesc.header.pih_magic = 0; + fclose(ifp); + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) ++ if(pdesc->flags & PFOR_USEZLIB) + gzclose(dfp); + else + #endif +@@ -170,10 +171,11 @@ + { + fclose(wfp); + } ++ free(pdesc); + return NULL; + } + +- if ((pdesc.header.pih_magic == 0) || (pdesc.header.pih_numwords == 0)) ++ if ((pdesc->header.pih_magic == 0) || (pdesc->header.pih_numwords == 0)) + { + /* uh-oh. either a broken "64-bit" file or a garbage file. */ + rewind (ifp); +@@ -181,10 +183,9 @@ + { + fprintf(stderr, "%s: error reading header\n", prefix); + +- pdesc.header.pih_magic = 0; + fclose(ifp); + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) ++ if (pdesc->flags & PFOR_USEZLIB) + gzclose(dfp); + else + #endif +@@ -193,6 +194,7 @@ + { + fclose(wfp); + } ++ free(pdesc); + return NULL; + } + if (pdesc64.header.pih_magic != PIH_MAGIC) +@@ -200,10 +202,9 @@ + /* nope, not "64-bit" after all */ + fprintf(stderr, "%s: error reading header\n", prefix); + +- pdesc.header.pih_magic = 0; + fclose(ifp); + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) ++ if (pdesc->flags & PFOR_USEZLIB) + gzclose(dfp); + else + #endif +@@ -213,23 +214,23 @@ + { + fclose(wfp); + } ++ free(pdesc); + return NULL; + } +- pdesc.header.pih_magic = pdesc64.header.pih_magic; +- pdesc.header.pih_numwords = pdesc64.header.pih_numwords; +- pdesc.header.pih_blocklen = pdesc64.header.pih_blocklen; +- pdesc.header.pih_pad = pdesc64.header.pih_pad; ++ pdesc->header.pih_magic = pdesc64.header.pih_magic; ++ pdesc->header.pih_numwords = pdesc64.header.pih_numwords; ++ pdesc->header.pih_blocklen = pdesc64.header.pih_blocklen; ++ pdesc->header.pih_pad = 
pdesc64.header.pih_pad; + use64 = 1; + } + +- if (pdesc.header.pih_magic != PIH_MAGIC) ++ if (pdesc->header.pih_magic != PIH_MAGIC) + { + fprintf(stderr, "%s: magic mismatch\n", prefix); + +- pdesc.header.pih_magic = 0; + fclose(ifp); + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) ++ if (pdesc->flags & PFOR_USEZLIB) + gzclose(dfp); + else + #endif +@@ -239,17 +240,17 @@ + { + fclose(wfp); + } ++ free(pdesc); + return NULL; + } + +- if (pdesc.header.pih_numwords < 1) ++ if (pdesc->header.pih_numwords < 1) + { + fprintf(stderr, "%s: invalid word count\n", prefix); + +- pdesc.header.pih_magic = 0; + fclose(ifp); + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) ++ if (pdesc->flags & PFOR_USEZLIB) + gzclose(dfp); + else + #endif +@@ -258,17 +259,17 @@ + { + fclose(wfp); + } ++ free(pdesc); + return NULL; + } + +- if (pdesc.header.pih_blocklen != NUMWORDS) ++ if (pdesc->header.pih_blocklen != NUMWORDS) + { + fprintf(stderr, "%s: size mismatch\n", prefix); + +- pdesc.header.pih_magic = 0; + fclose(ifp); + #ifdef HAVE_ZLIB_H +- if (pdesc.flags & PFOR_USEZLIB) ++ if (pdesc->flags & PFOR_USEZLIB) + gzclose(dfp); + else + #endif +@@ -277,10 +278,11 @@ + { + fclose(wfp); + } ++ free(pdesc); + return NULL; + } + +- if (pdesc.flags & PFOR_USEHWMS) ++ if (pdesc->flags & PFOR_USEHWMS) + { + int i; + +@@ -288,27 +290,27 @@ + { + if (fread(pdesc64.hwms, 1, sizeof(pdesc64.hwms), wfp) != sizeof(pdesc64.hwms)) + { +- pdesc.flags &= ~PFOR_USEHWMS; ++ pdesc->flags &= ~PFOR_USEHWMS; + } +- for (i = 0; i < sizeof(pdesc.hwms) / sizeof(pdesc.hwms[0]); i++) ++ for (i = 0; i < sizeof(pdesc->hwms) / sizeof(pdesc->hwms[0]); i++) + { +- pdesc.hwms[i] = pdesc64.hwms[i]; ++ pdesc->hwms[i] = pdesc64.hwms[i]; + } +- } +- else if (fread(pdesc.hwms, 1, sizeof(pdesc.hwms), wfp) != sizeof(pdesc.hwms)) ++ } ++ else if (fread(pdesc->hwms, 1, sizeof(pdesc->hwms), wfp) != sizeof(pdesc->hwms)) + { +- pdesc.flags &= ~PFOR_USEHWMS; ++ pdesc->flags &= ~PFOR_USEHWMS; + } + #if DEBUG + for (i=1; 
i<=0xff; i++) + { +- printf("hwm[%02x] = %d\n", i, pdesc.hwms[i]); ++ printf("hwm[%02x] = %d\n", i, pdesc->hwms[i]); + } + #endif + } + } + +- return (&pdesc); ++ return (pdesc); + } + + int +@@ -318,6 +320,7 @@ + if (pwp->header.pih_magic != PIH_MAGIC) + { + fprintf(stderr, "PWClose: close magic mismatch\n"); ++ /* we do not try to free memory that is probably corrupted */ + return (-1); + } + +@@ -329,12 +332,14 @@ + if (fseek(pwp->ifp, 0L, 0)) + { + fprintf(stderr, "index magic fseek failed\n"); ++ free(pwp); + return (-1); + } + + if (!fwrite((char *) &pwp->header, sizeof(pwp->header), 1, pwp->ifp)) + { + fprintf(stderr, "index magic fwrite failed\n"); ++ free(pwp); + return (-1); + } + +@@ -368,6 +373,7 @@ + } + + pwp->header.pih_magic = 0; ++ free(pwp); + + return (0); + } +diff -Naur cracklib-2.9.7-orig/lib/rules.c cracklib-2.9.7/lib/rules.c +--- cracklib-2.9.7-orig/lib/rules.c 2019-02-13 20:54:41.000000000 -0500 ++++ cracklib-2.9.7/lib/rules.c 2022-03-07 15:11:48.271298263 -0500 +@@ -82,12 +82,12 @@ + } + + char * +-Reverse(str) /* return a pointer to a reversal */ ++Reverse(str, area) /* return a pointer to a reversal */ + register char *str; ++ char *area; + { + register int i; + register int j; +- static char area[STRINGSIZE]; + j = i = strlen(str); + while (*str) + { +@@ -98,11 +98,11 @@ + } + + char * +-Uppercase(str) /* return a pointer to an uppercase */ ++Uppercase(str, area) /* return a pointer to an uppercase */ + register char *str; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + while (*str) + { +@@ -115,11 +115,11 @@ + } + + char * +-Lowercase(str) /* return a pointer to an lowercase */ ++Lowercase(str, area) /* return a pointer to an lowercase */ + register char *str; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + while (*str) + { +@@ -132,11 +132,11 @@ + } + + char * +-Capitalise(str) /* return a pointer to an capitalised */ ++Capitalise(str, area) /* return 
a pointer to an capitalised */ + register char *str; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + + while (*str) +@@ -151,11 +151,11 @@ + } + + char * +-Pluralise(string) /* returns a pointer to a plural */ ++Pluralise(string, area) /* returns a pointer to a plural */ + register char *string; ++ char *area; + { + register int length; +- static char area[STRINGSIZE]; + length = strlen(string); + strcpy(area, string); + +@@ -192,13 +192,13 @@ + } + + char * +-Substitute(string, old, new) /* returns pointer to a swapped about copy */ ++Substitute(string, old, new, area) /* returns pointer to a swapped about copy */ + register char *string; + register char old; + register char new; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + while (*string) + { +@@ -210,12 +210,12 @@ + } + + char * +-Purge(string, target) /* returns pointer to a purged copy */ ++Purge(string, target, area) /* returns pointer to a purged copy */ + register char *string; + register char target; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + while (*string) + { +@@ -372,13 +372,13 @@ + } + + char * +-PolySubst(string, class, new) /* returns pointer to a swapped about copy */ ++PolySubst(string, class, new, area) /* returns pointer to a swapped about copy */ + register char *string; + register char class; + register char new; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + while (*string) + { +@@ -390,12 +390,12 @@ + } + + char * +-PolyPurge(string, class) /* returns pointer to a purged copy */ ++PolyPurge(string, class, area) /* returns pointer to a purged copy */ + register char *string; + register char class; ++ char *area; + { + register char *ptr; +- static char area[STRINGSIZE]; + ptr = area; + while (*string) + { +@@ -428,39 +428,40 @@ + } + + char * +-Mangle(input, control) /* returns a pointer to a controlled Mangle */ 
++Mangle(input, control, area) /* returns a pointer to a controlled Mangle */ + char *input; + char *control; ++ char *area; + { + int limit; + register char *ptr; +- static char area[STRINGSIZE * 2] = {0}; + char area2[STRINGSIZE * 2] = {0}; + strcpy(area, input); + + for (ptr = control; *ptr; ptr++) + { ++ strcpy(area2, area); + switch (*ptr) + { + case RULE_NOOP: + break; + case RULE_REVERSE: +- strcpy(area, Reverse(area)); ++ Reverse(area2, area); + break; + case RULE_UPPERCASE: +- strcpy(area, Uppercase(area)); ++ Uppercase(area2, area); + break; + case RULE_LOWERCASE: +- strcpy(area, Lowercase(area)); ++ Lowercase(area2, area); + break; + case RULE_CAPITALISE: +- strcpy(area, Capitalise(area)); ++ Capitalise(area2, area); + break; + case RULE_PLURALISE: +- strcpy(area, Pluralise(area)); ++ Pluralise(area2, area); + break; + case RULE_REFLECT: +- strcat(area, Reverse(area)); ++ strcat(area, Reverse(area, area2)); + break; + case RULE_DUPLICATE: + strcpy(area2, area); +@@ -547,7 +548,6 @@ + Debug(1, "Mangle: extract: weird argument in '%s'\n", control); + return NULL; + } +- strcpy(area2, area); + for (i = 0; length-- && area2[start + i]; i++) + { + area[i] = area2[start + i]; +@@ -618,10 +618,10 @@ + return NULL; + } else if (ptr[1] != RULE_CLASS) + { +- strcpy(area, Purge(area, *(++ptr))); ++ Purge(area2, *(++ptr), area); + } else + { +- strcpy(area, PolyPurge(area, ptr[2])); ++ PolyPurge(area2, ptr[2], area); + ptr += 2; + } + break; +@@ -632,11 +632,11 @@ + return NULL; + } else if (ptr[1] != RULE_CLASS) + { +- strcpy(area, Substitute(area, ptr[1], ptr[2])); ++ Substitute(area2, ptr[1], ptr[2], area); + ptr += 2; + } else + { +- strcpy(area, PolySubst(area, ptr[2], ptr[3])); ++ PolySubst(area2, ptr[2], ptr[3], area); + ptr += 3; + } + break; diff --git a/cracklib-2.9.7-simplistic.patch b/cracklib-2.9.7-simplistic.patch new file mode 100644 index 0000000..a711b6f --- /dev/null +++ b/cracklib-2.9.7-simplistic.patch 
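Review bot: The caller-supplied `area` buffers look undersized for what `Mangle()` writes into them: the fascist.c hunks declare `char area[STRINGSIZE];` and `char revarea[STRINGSIZE];`, while the static buffer this patch removes from `Mangle()` was `area[STRINGSIZE * 2]` and its remaining scratch `area2` still is. `Mangle()` begins with an unbounded `strcpy(area, input)` and the `RULE_REFLECT` case does `strcat(area, Reverse(area, area2))`, which can double the string, so a long input could be written past the callers' stack buffers; the rule tables and the length limits on the inputs lie outside these hunks, so this needs confirming against the full files. Declaring the callers' buffers as `char area[STRINGSIZE * 2];` and `char revarea[STRINGSIZE * 2];` would keep the previous capacity. Because the helpers no longer own their output buffer, a comment on `Mangle()` and on `Reverse()`/`Lowercase()` stating the minimum size of `area` would also help future callers. The sizing deserves a second look in this commit in particular, since its spec hunk drops the separate patch that was applied with `-b .overflow`.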
@@ -0,0 +1,217 @@ +diff -Naur cracklib-2.9.7-orig/lib/fascist.c cracklib-2.9.7/lib/fascist.c +--- cracklib-2.9.7-orig/lib/fascist.c 2022-03-07 15:16:11.722225350 -0500 ++++ cracklib-2.9.7/lib/fascist.c 2022-03-07 15:17:54.598692721 -0500 +@@ -55,7 +55,6 @@ + + "/?p@?p", /* purging out punctuation/symbols/junk */ + "/?s@?s", +- "/?X@?X", + + /* attempt reverse engineering of password strings */ + +@@ -454,6 +453,12 @@ + continue; + } + ++ if (len - strlen(mp) >= 3) ++ { ++ /* purged too much */ ++ continue; ++ } ++ + #ifdef DEBUG + printf("%-16s = %-16s (destruct %s)\n", mp, rawtext, r_destructors[i]); + #endif +@@ -480,6 +485,12 @@ + continue; + } + ++ if (len - strlen(mp) >= 3) ++ { ++ /* purged too much */ ++ continue; ++ } ++ + #ifdef DEBUG + printf("%-16s = %-16s (construct %s)\n", mp, password, r_constructors[i]); + #endif +@@ -708,6 +719,7 @@ + char rpassword[STRINGSIZE]; + char area[STRINGSIZE]; + uint32_t notfound; ++ int len; + + notfound = PW_WORDS(pwp); + /* already truncated if from FascistCheck() */ +@@ -757,6 +769,7 @@ + return _("it is all whitespace"); + } + ++ len = strlen(password); + i = 0; + ptr = password; + while (ptr[0] && ptr[1]) +@@ -768,10 +781,9 @@ + ptr++; + } + +- /* Change by Ben Karsin from ITS at University of Hawaii at Manoa. Static MAXSTEP +- would generate many false positives for long passwords. */ +- maxrepeat = 3+(0.09*strlen(password)); +- if (i > maxrepeat) ++ /* We were still generating false positives for long passwords. ++ Just count systematic double as a single character. 
*/ ++ if (len - i < MINLEN) + { + return _("it is too simplistic/systematic"); + } +@@ -804,6 +816,12 @@ + continue; + } + ++ if (len - strlen(a) >= 3) ++ { ++ /* purged too much */ ++ continue; ++ } ++ + #ifdef DEBUG + printf("%-16s (dict)\n", a); + #endif +@@ -824,6 +842,13 @@ + { + continue; + } ++ ++ if (len - strlen(a) >= 3) ++ { ++ /* purged too much */ ++ continue; ++ } ++ + #ifdef DEBUG + printf("%-16s (reversed dict)\n", a); + #endif +diff -Naur cracklib-2.9.7-orig/lib/fascist.c.orig cracklib-2.9.7/lib/fascist.c.orig +--- cracklib-2.9.7-orig/lib/fascist.c.orig 2022-03-07 15:16:11.722225350 -0500 ++++ cracklib-2.9.7/lib/fascist.c.orig 2022-03-07 15:16:11.722225350 -0500 +@@ -36,8 +36,8 @@ + #undef DEBUG + #undef DEBUG2 + +-extern char *Reverse(char *buf); +-extern char *Lowercase(char *buf); ++extern char *Reverse(char *buf, char *area); ++extern char *Lowercase(char *buf, char *area); + + static char *r_destructors[] = { + ":", /* noop - must do this to test raw word. */ +@@ -439,6 +439,8 @@ + int i; + int len; + char *mp; ++ char area[STRINGSIZE]; ++ char revarea[STRINGSIZE]; + + /* use destructors to turn password into rawtext */ + /* note use of Reverse() to save duplicating all rules */ +@@ -447,7 +449,7 @@ + + for (i = 0; r_destructors[i]; i++) + { +- if (!(mp = Mangle(password, r_destructors[i]))) ++ if (!(mp = Mangle(password, r_destructors[i], area))) + { + continue; + } +@@ -462,10 +464,10 @@ + } + + #ifdef DEBUG +- printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp), rawtext, r_destructors[i]); ++ printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp, revarea), rawtext, r_destructors[i]); + #endif + +- if (!strncmp(Reverse(mp), rawtext, len)) ++ if (!strncmp(Reverse(mp, revarea), rawtext, len)) + { + return (1); + } +@@ -473,7 +475,7 @@ + + for (i = 0; r_constructors[i]; i++) + { +- if (!(mp = Mangle(rawtext, r_constructors[i]))) ++ if (!(mp = Mangle(rawtext, r_constructors[i], area))) + { + continue; + } +@@ -520,7 +522,7 @@ + + 
strncpy(tbuffer, gecos, STRINGSIZE); + tbuffer[STRINGSIZE-1] = '\0'; +- strcpy(gbuffer, Lowercase(tbuffer)); ++ Lowercase(tbuffer, gbuffer); + + wc = 0; + ptr = gbuffer; +@@ -704,6 +706,7 @@ + char junk[STRINGSIZE]; + char *password; + char rpassword[STRINGSIZE]; ++ char area[STRINGSIZE]; + uint32_t notfound; + + notfound = PW_WORDS(pwp); +@@ -740,7 +743,7 @@ + return _("it does not contain enough DIFFERENT characters"); + } + +- strcpy(password, (char *)Lowercase(password)); ++ strcpy(password, (char *)Lowercase(password, area)); + + Trim(password); + +@@ -796,7 +799,7 @@ + { + char *a; + +- if (!(a = Mangle(password, r_destructors[i]))) ++ if (!(a = Mangle(password, r_destructors[i], area))) + { + continue; + } +@@ -811,13 +814,13 @@ + } + } + +- strcpy(password, (char *)Reverse(password)); ++ strcpy(password, (char *)Reverse(password, area)); + + for (i = 0; r_destructors[i]; i++) + { + char *a; + +- if (!(a = Mangle(password, r_destructors[i]))) ++ if (!(a = Mangle(password, r_destructors[i], area))) + { + continue; + } +diff -Naur cracklib-2.9.7-orig/util/cracklib-format cracklib-2.9.7/util/cracklib-format +--- cracklib-2.9.7-orig/util/cracklib-format 2019-02-13 20:54:41.000000000 -0500 ++++ cracklib-2.9.7/util/cracklib-format 2022-03-07 15:17:54.599692726 -0500 +@@ -3,8 +3,10 @@ + # This preprocesses a set of word lists into a suitable form for input + # into cracklib-packer + # ++LC_ALL=C ++export LC_ALL + gzip -cdf "$@" | +- grep -v '^\(#\|$\)' | +- tr '[A-Z]' '[a-z]' | +- tr -cd '\012[a-z][0-9]' | +- env LC_ALL=C sort -u ++ grep -a -E -v '^.{32,}$' | ++ tr '[:upper:]' '[:lower:]' | ++ tr -cd '\n[:graph:]' | ++ sort -u diff --git a/cracklib-2.9.7-translation-updates.patch b/cracklib-2.9.7-translation-updates.patch new file mode 100644 index 0000000..4b43134 --- /dev/null +++ b/cracklib-2.9.7-translation-updates.patch 
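Review bot: The new guard `if (len - strlen(mp) >= 3)`, and the two `len - strlen(a) >= 3` copies in the dictionary loops, subtracts the `size_t` result of `strlen()` from the `int len`, so the arithmetic is unsigned and wraps to a very large value whenever the mangled string is longer than `len`. In that case the candidate is skipped as "purged too much" and never compared, which would silently weaken the check for any rule that lengthens the word; the rule tables and the assignment of `len` in the first function are outside these hunks, so the impact should be confirmed there. A signed comparison such as `if (len - (int)strlen(mp) >= 3)` keeps the intended meaning. Separately, the patch carries a whole section for `lib/fascist.c.orig`, which looks like a leftover backup from applying the reentrant patch and probably should not ship here.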
@@ -0,0 +1,118 @@ +diff -Naur cracklib-2.9.7-orig/po/as.po cracklib-2.9.7/po/as.po +--- cracklib-2.9.7-orig/po/as.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/as.po 2022-03-07 15:22:59.631245123 -0500 +@@ -76,7 +76,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "শব্দকোষ ল'ড কৰোতে ত্ৰুটি" + + #~ msgid "it's derived from your password entry" + #~ msgstr "ইয়াক আপোনাৰ গুপ্তশব্দৰ নিবেশৰ পৰা পোৱা হৈছে" +diff -Naur cracklib-2.9.7-orig/po/gu.po cracklib-2.9.7/po/gu.po +--- cracklib-2.9.7-orig/po/gu.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/gu.po 2022-03-07 15:32:12.444115364 -0500 +@@ -77,7 +77,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "શબ્દકોષને લાવી રહ્યા હોય ત્યારે ભૂલ" + + #~ msgid "it's derived from your password entry" + #~ msgstr "તમારા પાસવર્ડ પ્રવેશમાંથી તારવવામાં આવેલ છે" +diff -Naur cracklib-2.9.7-orig/po/hi.po cracklib-2.9.7/po/hi.po +--- cracklib-2.9.7-orig/po/hi.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/hi.po 2022-03-07 15:33:31.445561126 -0500 +@@ -78,7 +78,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "शब्दकोश लोड करने में त्रुटि" + + #~ msgid "it's derived from your password entry" + #~ msgstr "यह आपकी कूटशब्द प्रविष्टि से निकला हुआ है" +diff -Naur cracklib-2.9.7-orig/po/kn.po cracklib-2.9.7/po/kn.po +--- cracklib-2.9.7-orig/po/kn.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/kn.po 2022-03-07 15:36:06.001428084 -0500 +@@ -77,7 +77,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "ಕೋಶವನ್ನು ಲೋಡ್ ಮಾಡುವಲ್ಲಿ ದೋಷ" + + #~ msgid "it's derived from your password entry" + #~ msgstr "ಇದು ನಿಮ್ಮ ಗುಪ್ತಪದ ನಮೂದಿನಿಂದ ತೆಗೆದುಕೊಳ್ಳಲ್ಪಟ್ಟಿದೆ" +diff -Naur cracklib-2.9.7-orig/po/ml.po cracklib-2.9.7/po/ml.po +--- cracklib-2.9.7-orig/po/ml.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/ml.po 2022-03-07 15:37:59.048062855 -0500 +@@ 
-76,7 +76,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "നിഘണ്ടു ലഭ്യമാക്കുന്നതില്<200d> പിശക്" + + #~ msgid "it's derived from your password entry" + #~ msgstr "നിങ്ങളുടെ രഹസ്യവാക്കില്‍ നിന്നും ലഭ്യമാക്കുന്നു" +diff -Naur cracklib-2.9.7-orig/po/mr.po cracklib-2.9.7/po/mr.po +--- cracklib-2.9.7-orig/po/mr.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/mr.po 2022-03-07 15:38:30.812241798 -0500 +@@ -77,7 +77,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "शब्दकोष लोड करतेवेळी त्रुटी" + + #~ msgid "it's derived from your password entry" + #~ msgstr "तुमच्या पासवर्ड नोंद पासून प्राप्त" +diff -Naur cracklib-2.9.7-orig/po/or.po cracklib-2.9.7/po/or.po +--- cracklib-2.9.7-orig/po/or.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/or.po 2022-03-07 15:39:56.858728487 -0500 +@@ -77,7 +77,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "ଅଭିଧାନ ଧାରଣ କରିବାରେ ତ୍ରୁଟି" + + #~ msgid "it's derived from your password entry" + #~ msgstr "ଏହା ଆପଣଙ୍କର ପ୍ରବେଶ ସଂକେତ ଭରଣରୁ ଉତ୍ପନ୍ନ କରାହୋଇଥାଏ" +diff -Naur cracklib-2.9.7-orig/po/ta.po cracklib-2.9.7/po/ta.po +--- cracklib-2.9.7-orig/po/ta.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/ta.po 2022-03-07 15:44:53.857740705 -0500 +@@ -77,7 +77,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "அகராதியை ஏற்றுவதில் பிழை" + + #~ msgid "it's derived from your password entry" + #~ msgstr "இது உங்கள் கடவுச்சொல் உள்ளீடிலிருந்து வரையறுக்கப்பட்டது" +diff -Naur cracklib-2.9.7-orig/po/te.po cracklib-2.9.7/po/te.po +--- cracklib-2.9.7-orig/po/te.po 2019-03-03 12:49:42.000000000 -0500 ++++ cracklib-2.9.7/po/te.po 2022-03-07 15:45:23.810936770 -0500 +@@ -77,7 +77,7 @@ + + #: lib/fascist.c:874 + msgid "error loading dictionary" +-msgstr "" ++msgstr "నిఘంటువును లోడు చేయుటలో దోషం" + + #~ msgid "it's derived from your password entry" + #~ msgstr "ఇది మీ సంకేతపదము 
ప్రవేశమునుండి ఉత్పాదించబడింది" +diff -Naur cracklib-2.9.7-orig/po/zh_CN.po cracklib-2.9.7/po/zh_CN.po +--- cracklib-2.9.7-orig/po/zh_CN.po 2021-08-17 11:56:42.000000000 -0400 ++++ cracklib-2.9.7/po/zh_CN.po 2022-03-07 15:48:56.407302640 -0500 +@@ -76,3 +76,6 @@ + msgid "it is based on a (reversed) dictionary word" + msgstr "它基于(颠倒的)字典单词" + ++#: lib/fascist.c:865 ++msgid "error loading dictionary" ++msgstr "加载字典错误" diff --git a/cracklib.spec b/cracklib.spec index 2129bf3..efbccd8 100644 --- a/cracklib.spec +++ b/cracklib.spec @@ -21,10 +21,9 @@ Source10: missing-words.gz Patch1: cracklib-2.9.1-inttypes.patch Patch2: cracklib-2.9.0-python-gzdicts.patch -Patch4: cracklib-2.9.6-packlib-reentrant.patch -Patch6: cracklib-2.9.6-simplistic.patch -Patch7: cracklib-2.9.6-translation-updates.patch -Patch8: cracklib-2.9.6-cve-2016-6318.patch +Patch4: cracklib-2.9.7-packlib-reentrant.patch +Patch6: cracklib-2.9.7-simplistic.patch +Patch7: cracklib-2.9.7-translation-updates.patch Patch9: cracklib-2.9.6-coverity.patch Patch10: cracklib-2.9.6-lookup.patch URL: http://sourceforge.net/projects/cracklib/ @@ -89,7 +88,6 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po %patch4 -p1 -b .reentrant %patch6 -p1 -b .simplistic %patch7 -p1 -b .translations -%patch8 -p1 -b .overflow %patch9 -p1 -b .coverity %patch10 -p1 -b .lookup