diff -Naur cracklib-2.9.7-orig/lib/fascist.c cracklib-2.9.7/lib/fascist.c
--- cracklib-2.9.7-orig/lib/fascist.c 2022-03-07 15:16:11.722225350 -0500
+++ cracklib-2.9.7/lib/fascist.c 2022-03-07 15:17:54.598692721 -0500
@@ -55,7 +55,6 @@
 "/?p@?p", /* purging out punctuation/symbols/junk */
 "/?s@?s",
- "/?X@?X",
 /* attempt reverse engineering of password strings */
@@ -454,6 +453,12 @@
 continue;
 }
+ if (len - strlen(mp) >= 3)
+ {
+ /* purged too much */
+ continue;
+ }
+
 #ifdef DEBUG
 printf("%-16s = %-16s (destruct %s)\n", mp, rawtext, r_destructors[i]);
 #endif
@@ -480,6 +485,12 @@
 continue;
 }
+ if (len - strlen(mp) >= 3)
+ {
+ /* purged too much */
+ continue;
+ }
+
 #ifdef DEBUG
 printf("%-16s = %-16s (construct %s)\n", mp, password, r_constructors[i]);
 #endif
@@ -708,6 +719,7 @@
 char rpassword[STRINGSIZE];
 char area[STRINGSIZE];
 uint32_t notfound;
+ int len;
 notfound = PW_WORDS(pwp); /* already truncated if from FascistCheck() */
@@ -757,6 +769,7 @@
 return _("it is all whitespace");
 }
+ len = strlen(password);
 i = 0;
 ptr = password;
 while (ptr[0] && ptr[1])
@@ -768,10 +781,9 @@
 ptr++;
 }
- /* Change by Ben Karsin from ITS at University of Hawaii at Manoa. Static MAXSTEP
- would generate many false positives for long passwords. */
- maxrepeat = 3+(0.09*strlen(password));
- if (i > maxrepeat)
+ /* We were still generating false positives for long passwords.
+ Just count systematic double as a single character. */
+ if (len - i < MINLEN)
 {
 return _("it is too simplistic/systematic");
 }
@@ -804,6 +816,12 @@
 continue;
 }
+ if (len - strlen(a) >= 3)
+ {
+ /* purged too much */
+ continue;
+ }
+
 #ifdef DEBUG
 printf("%-16s (dict)\n", a);
 #endif
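Review bot: The new `len - strlen(mp) >= 3` test in the destructor loop is evaluated in size_t arithmetic: `len` is an int (the `.orig` copy of this function declares `int len;`) promoted to unsigned, so whenever the mangled password `mp` is longer than `len` the difference wraps to a huge value, the test is true and the candidate is skipped. In the same function `len` is passed as the count to `strncmp(Reverse(mp, revarea), rawtext, len)` (visible in the `.orig` hunk at @@ -462), which suggests it is the length of `rawtext`, not of `password`; if so, every password longer than the GECOS word it embeds — `<name><digits>` being the common case — is never compared at all, silently weakening the check this loop implements. Measure the purge against the string that was actually mangled and avoid the wrap: `if (strlen(mp) + 3 <= strlen(password))`. The enclosing function begins above this hunk and the assignment to `len` is not visible here, so please confirm what it holds.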
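Review bot: The same `len - strlen(mp) >= 3` guard is copied into the constructor loop, where `mp` is built from `rawtext` by r_constructors rather than purged from it, so "purged too much" has no meaning at this point. With the unsigned subtraction, any constructor rule that lengthens the word makes `strlen(mp)` exceed `len`, the difference wraps, and that candidate is silently dropped — an easy way to disable rules without noticing. Either remove the block from this loop or state the check against its actual input and without wrap, `if (strlen(mp) + 3 <= strlen(rawtext))`. The constructor rule table is outside the hunk, so I cannot confirm which rules grow the string; the enclosing function also ends outside it.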
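Review bot: The replacement condition `len - i < MINLEN` is a much looser policy than the removed `i > 3 + 0.09 * len` and the new comment does not say so: a password is now rejected only when fewer than MINLEN characters remain after discounting every pair counted in `i`, so `len - MINLEN` repeated characters followed by MINLEN arbitrary ones passes where it was previously refused. The comment also speaks of a "systematic double", while `i` is incremented by the loop ending at `ptr++; }` above, whose condition is outside the hunk; the comment should name what that loop actually counts, e.g. `/* Each adjacent pair the loop above counts as systematic contributes one character; reject only if fewer than MINLEN remain. */`. If `maxrepeat` is still declared above the hunk it is now unused and should go. The enclosing function begins and ends outside this hunk.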
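Review bot: This is the third copy of the `len - strlen(x) >= 3` block in the patch (a fourth follows in the reversed-dictionary loop), and the threshold 3 is a bare magic number each time. Here `len` was set from `strlen(password)` earlier in the same function (hunk @@ -757), so the purge is measured against the right string, but `len` is an `int` compared against a size_t result and the intent deserves a name: `#define MAXPURGE 3 /* destructors may drop at most this many chars before a dictionary hit is ignored */` and `if (strlen(a) + MAXPURGE <= (size_t)len)`. Why 3 was chosen rather than a fraction of the length belongs in that comment as well. The enclosing function continues outside this hunk.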
@@ -824,6 +842,13 @@
 {
 continue;
 }
+
+ if (len - strlen(a) >= 3)
+ {
+ /* purged too much */
+ continue;
+ }
+
 #ifdef DEBUG
 printf("%-16s (reversed dict)\n", a);
 #endif
diff -Naur cracklib-2.9.7-orig/lib/fascist.c.orig cracklib-2.9.7/lib/fascist.c.orig
--- cracklib-2.9.7-orig/lib/fascist.c.orig 2022-03-07 15:16:11.722225350 -0500
+++ cracklib-2.9.7/lib/fascist.c.orig 2022-03-07 15:16:11.722225350 -0500
@@ -36,8 +36,8 @@
 #undef DEBUG
 #undef DEBUG2
-extern char *Reverse(char *buf);
-extern char *Lowercase(char *buf);
+extern char *Reverse(char *buf, char *area);
+extern char *Lowercase(char *buf, char *area);
 static char *r_destructors[] = {
 ":", /* noop - must do this to test raw word. */
@@ -439,6 +439,8 @@
 int i;
 int len;
 char *mp;
+ char area[STRINGSIZE];
+ char revarea[STRINGSIZE];
 /* use destructors to turn password into rawtext */
 /* note use of Reverse() to save duplicating all rules */
@@ -447,7 +449,7 @@
 for (i = 0; r_destructors[i]; i++)
 {
- if (!(mp = Mangle(password, r_destructors[i])))
+ if (!(mp = Mangle(password, r_destructors[i], area)))
 {
 continue;
 }
@@ -462,10 +464,10 @@
 }
 #ifdef DEBUG
- printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp), rawtext, r_destructors[i]);
+ printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp, revarea), rawtext, r_destructors[i]);
 #endif
- if (!strncmp(Reverse(mp), rawtext, len))
+ if (!strncmp(Reverse(mp, revarea), rawtext, len))
 {
 return (1);
 }
@@ -473,7 +475,7 @@
 for (i = 0; r_constructors[i]; i++)
 {
- if (!(mp = Mangle(rawtext, r_constructors[i])))
+ if (!(mp = Mangle(rawtext, r_constructors[i], area)))
 {
 continue;
 }
@@ -520,7 +522,7 @@
 strncpy(tbuffer, gecos, STRINGSIZE);
 tbuffer[STRINGSIZE-1] = '\0';
- strcpy(gbuffer, Lowercase(tbuffer));
+ Lowercase(tbuffer, gbuffer);
 wc = 0;
 ptr = gbuffer;
@@ -704,6 +706,7 @@
 char junk[STRINGSIZE];
 char *password;
 char rpassword[STRINGSIZE];
+ char area[STRINGSIZE];
 uint32_t notfound;
 notfound = PW_WORDS(pwp);
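Review bot: This hunk and those that follow it patch `lib/fascist.c.orig`, which by its name is a backup copy left behind by patch(1) rather than a file the build compiles; the change they carry (the caller-supplied `area` buffer for Reverse, Lowercase and Mangle) already appears as context in the `lib/fascist.c` hunks above, e.g. `char area[STRINGSIZE];` at @@ -708. Shipping a `.orig` file in the patch puts it into the source tree and lets the two copies drift, while giving no effect on the built library. Drop the whole `fascist.c.orig` section and regenerate the diff from a clean tree. I am inferring the file's role from its name, so please confirm nothing includes or installs it.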
@@ -740,7 +743,7 @@
 return _("it does not contain enough DIFFERENT characters");
 }
- strcpy(password, (char *)Lowercase(password));
+ strcpy(password, (char *)Lowercase(password, area));
 Trim(password);
@@ -796,7 +799,7 @@
 {
 char *a;
- if (!(a = Mangle(password, r_destructors[i])))
+ if (!(a = Mangle(password, r_destructors[i], area)))
 {
 continue;
 }
@@ -811,13 +814,13 @@
 }
 }
- strcpy(password, (char *)Reverse(password));
+ strcpy(password, (char *)Reverse(password, area));
 for (i = 0; r_destructors[i]; i++)
 {
 char *a;
- if (!(a = Mangle(password, r_destructors[i])))
+ if (!(a = Mangle(password, r_destructors[i], area)))
 {
 continue;
 }
diff -Naur cracklib-2.9.7-orig/util/cracklib-format cracklib-2.9.7/util/cracklib-format
--- cracklib-2.9.7-orig/util/cracklib-format 2019-02-13 20:54:41.000000000 -0500
+++ cracklib-2.9.7/util/cracklib-format 2022-03-07 15:17:54.599692726 -0500
@@ -3,8 +3,10 @@
 # This preprocesses a set of word lists into a suitable form for input
 # into cracklib-packer
 #
+LC_ALL=C
+export LC_ALL
 gzip -cdf "$@" |
- grep -v '^\(#\|$\)' |
- tr '[A-Z]' '[a-z]' |
- tr -cd '\012[a-z][0-9]' |
- env LC_ALL=C sort -u
+ grep -a -E -v '^.{32,}$' |
+ tr '[:upper:]' '[:lower:]' |
+ tr -cd '\n[:graph:]' |
+ sort -u
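Review bot: The rewritten pipeline no longer drops empty lines: the old `grep -v '^\(#\|$\)'` is replaced by the length filter `grep -a -E -v '^.{32,}$'`, and the following `tr -cd '\n[:graph:]'` turns any whitespace-only line into an empty one, so `sort -u` emits one empty entry into the list fed to cracklib-packer. Filter after the stripping instead, `tr -cd '\n[:graph:]' | grep -v '^$' | sort -u`. If dropping the `#` exclusion was deliberate (a leading `#` is now a legitimate password character), say so in the header comment, because the old script documented neither. Note also that under `LC_ALL=C` the `[:graph:]` class is ASCII-only, so multibyte UTF-8 words are reduced to their ASCII residue rather than skipped; that is presumably intended for the packer but deserves a one-line comment above the `tr`.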