cracklib/cracklib-2.9.6-cve-2016-6318.patch

145 lines
3.9 KiB
Diff

diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c
--- cracklib-2.9.6/lib/fascist.c.overflow 2015-10-23 16:58:38.403319225 +0200
+++ cracklib-2.9.6/lib/fascist.c 2016-12-08 17:28:41.490101358 +0100
@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
char gbuffer[STRINGSIZE];
char tbuffer[STRINGSIZE];
char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
if (gecos == NULL)
gecos = "";
@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
{
for (i = 0; i < j; i++)
{
- strcpy(longbuffer, uwords[i]);
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
{
- return _("it is derived from your password entry");
- }
-
- strcpy(longbuffer, uwords[j]);
- strcat(longbuffer, uwords[i]);
+ strcpy(longbuffer, uwords[i]);
+ strcat(longbuffer, uwords[j]);
- if (GTry(longbuffer, password))
- {
- return _("it's derived from your password entry");
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derived from your password entry");
+ }
+
+ strcpy(longbuffer, uwords[j]);
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derived from your password entry");
+ }
}
- longbuffer[0] = uwords[i][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
{
- return _("it is derivable from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derivable from your password entry");
+ }
}
- longbuffer[0] = uwords[j][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
{
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derivable from your password entry");
+ }
}
}
}
diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c
--- cracklib-2.9.6/lib/rules.c.overflow 2015-10-23 16:58:38.000000000 +0200
+++ cracklib-2.9.6/lib/rules.c 2016-12-08 18:03:27.041941297 +0100
@@ -158,6 +158,8 @@ Pluralise(string, area) /* returns a po
register int length;
length = strlen(string);
strcpy(area, string);
+ if (length > STRINGSIZE - 3) /* we add 2 characters at worst */
+ return (area);
if (!Suffix(string, "ch") ||
!Suffix(string, "ex") ||
@@ -462,11 +464,11 @@ Mangle(input, control, area) /* returns
Pluralise(area2, area);
break;
case RULE_REFLECT:
- strcat(area, Reverse(area, area2));
+ strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);
break;
case RULE_DUPLICATE:
strcpy(area2, area);
- strcat(area, area2);
+ strncat(area, area2, STRINGSIZE - strlen(area) - 1);
break;
case RULE_GT:
if (!ptr[1])
@@ -514,7 +516,8 @@ Mangle(input, control, area) /* returns
} else
{
area2[0] = *(++ptr);
- strcpy(area2 + 1, area);
+ strncpy(area2 + 1, area, STRINGSIZE - 2);
+ area2[STRINGSIZE - 1] = '\0';
strcpy(area, area2);
}
break;
@@ -528,8 +531,10 @@ Mangle(input, control, area) /* returns
register char *string;
string = area;
while (*(string++));
- string[-1] = *(++ptr);
- *string = '\0';
+ if (string < area + STRINGSIZE) {
+ string[-1] = *(++ptr);
+ *string = '\0';
+ }
}
break;
case RULE_EXTRACT:
@@ -600,6 +605,10 @@ Mangle(input, control, area) /* returns
}
p1 = area;
p2 = area2;
+ if (strlen(p1) > STRINGSIZE - 2) {
+ /* truncate */
+ p1[STRINGSIZE - 2] = '\0';
+ }
while (i && *p1)
{
i--;