620dc687b7
Mostly a security fix release for CVE 2016-6318 which was already fixed in Fedora.
218 lines
5.3 KiB
Diff
218 lines
5.3 KiB
Diff
diff -Naur cracklib-2.9.7-orig/lib/fascist.c cracklib-2.9.7/lib/fascist.c
|
|
--- cracklib-2.9.7-orig/lib/fascist.c 2022-03-07 15:16:11.722225350 -0500
|
|
+++ cracklib-2.9.7/lib/fascist.c 2022-03-07 15:17:54.598692721 -0500
|
|
@@ -55,7 +55,6 @@
|
|
|
|
"/?p@?p", /* purging out punctuation/symbols/junk */
|
|
"/?s@?s",
|
|
- "/?X@?X",
|
|
|
|
/* attempt reverse engineering of password strings */
|
|
|
|
@@ -454,6 +453,12 @@
|
|
continue;
|
|
}
|
|
|
|
+ if (len - strlen(mp) >= 3)
|
|
+ {
|
|
+ /* purged too much */
|
|
+ continue;
|
|
+ }
|
|
+
|
|
#ifdef DEBUG
|
|
printf("%-16s = %-16s (destruct %s)\n", mp, rawtext, r_destructors[i]);
|
|
#endif
|
|
@@ -480,6 +485,12 @@
|
|
continue;
|
|
}
|
|
|
|
+ if (len - strlen(mp) >= 3)
|
|
+ {
|
|
+ /* purged too much */
|
|
+ continue;
|
|
+ }
|
|
+
|
|
#ifdef DEBUG
|
|
printf("%-16s = %-16s (construct %s)\n", mp, password, r_constructors[i]);
|
|
#endif
|
|
@@ -708,6 +719,7 @@
|
|
char rpassword[STRINGSIZE];
|
|
char area[STRINGSIZE];
|
|
uint32_t notfound;
|
|
+ int len;
|
|
|
|
notfound = PW_WORDS(pwp);
|
|
/* already truncated if from FascistCheck() */
|
|
@@ -757,6 +769,7 @@
|
|
return _("it is all whitespace");
|
|
}
|
|
|
|
+ len = strlen(password);
|
|
i = 0;
|
|
ptr = password;
|
|
while (ptr[0] && ptr[1])
|
|
@@ -768,10 +781,9 @@
|
|
ptr++;
|
|
}
|
|
|
|
- /* Change by Ben Karsin from ITS at University of Hawaii at Manoa. Static MAXSTEP
|
|
- would generate many false positives for long passwords. */
|
|
- maxrepeat = 3+(0.09*strlen(password));
|
|
- if (i > maxrepeat)
|
|
+ /* We were still generating false positives for long passwords.
|
|
+ Just count systematic double as a single character. */
|
|
+ if (len - i < MINLEN)
|
|
{
|
|
return _("it is too simplistic/systematic");
|
|
}
|
|
@@ -804,6 +816,12 @@
|
|
continue;
|
|
}
|
|
|
|
+ if (len - strlen(a) >= 3)
|
|
+ {
|
|
+ /* purged too much */
|
|
+ continue;
|
|
+ }
|
|
+
|
|
#ifdef DEBUG
|
|
printf("%-16s (dict)\n", a);
|
|
#endif
|
|
@@ -824,6 +842,13 @@
|
|
{
|
|
continue;
|
|
}
|
|
+
|
|
+ if (len - strlen(a) >= 3)
|
|
+ {
|
|
+ /* purged too much */
|
|
+ continue;
|
|
+ }
|
|
+
|
|
#ifdef DEBUG
|
|
printf("%-16s (reversed dict)\n", a);
|
|
#endif
|
|
diff -Naur cracklib-2.9.7-orig/lib/fascist.c.orig cracklib-2.9.7/lib/fascist.c.orig
|
|
--- cracklib-2.9.7-orig/lib/fascist.c.orig 2022-03-07 15:16:11.722225350 -0500
|
|
+++ cracklib-2.9.7/lib/fascist.c.orig 2022-03-07 15:16:11.722225350 -0500
|
|
@@ -36,8 +36,8 @@
|
|
#undef DEBUG
|
|
#undef DEBUG2
|
|
|
|
-extern char *Reverse(char *buf);
|
|
-extern char *Lowercase(char *buf);
|
|
+extern char *Reverse(char *buf, char *area);
|
|
+extern char *Lowercase(char *buf, char *area);
|
|
|
|
static char *r_destructors[] = {
|
|
":", /* noop - must do this to test raw word. */
|
|
@@ -439,6 +439,8 @@
|
|
int i;
|
|
int len;
|
|
char *mp;
|
|
+ char area[STRINGSIZE];
|
|
+ char revarea[STRINGSIZE];
|
|
|
|
/* use destructors to turn password into rawtext */
|
|
/* note use of Reverse() to save duplicating all rules */
|
|
@@ -447,7 +449,7 @@
|
|
|
|
for (i = 0; r_destructors[i]; i++)
|
|
{
|
|
- if (!(mp = Mangle(password, r_destructors[i])))
|
|
+ if (!(mp = Mangle(password, r_destructors[i], area)))
|
|
{
|
|
continue;
|
|
}
|
|
@@ -462,10 +464,10 @@
|
|
}
|
|
|
|
#ifdef DEBUG
|
|
- printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp), rawtext, r_destructors[i]);
|
|
+ printf("%-16s = %-16s (destruct %s reversed)\n", Reverse(mp, revarea), rawtext, r_destructors[i]);
|
|
#endif
|
|
|
|
- if (!strncmp(Reverse(mp), rawtext, len))
|
|
+ if (!strncmp(Reverse(mp, revarea), rawtext, len))
|
|
{
|
|
return (1);
|
|
}
|
|
@@ -473,7 +475,7 @@
|
|
|
|
for (i = 0; r_constructors[i]; i++)
|
|
{
|
|
- if (!(mp = Mangle(rawtext, r_constructors[i])))
|
|
+ if (!(mp = Mangle(rawtext, r_constructors[i], area)))
|
|
{
|
|
continue;
|
|
}
|
|
@@ -520,7 +522,7 @@
|
|
|
|
strncpy(tbuffer, gecos, STRINGSIZE);
|
|
tbuffer[STRINGSIZE-1] = '\0';
|
|
- strcpy(gbuffer, Lowercase(tbuffer));
|
|
+ Lowercase(tbuffer, gbuffer);
|
|
|
|
wc = 0;
|
|
ptr = gbuffer;
|
|
@@ -704,6 +706,7 @@
|
|
char junk[STRINGSIZE];
|
|
char *password;
|
|
char rpassword[STRINGSIZE];
|
|
+ char area[STRINGSIZE];
|
|
uint32_t notfound;
|
|
|
|
notfound = PW_WORDS(pwp);
|
|
@@ -740,7 +743,7 @@
|
|
return _("it does not contain enough DIFFERENT characters");
|
|
}
|
|
|
|
- strcpy(password, (char *)Lowercase(password));
|
|
+ strcpy(password, (char *)Lowercase(password, area));
|
|
|
|
Trim(password);
|
|
|
|
@@ -796,7 +799,7 @@
|
|
{
|
|
char *a;
|
|
|
|
- if (!(a = Mangle(password, r_destructors[i])))
|
|
+ if (!(a = Mangle(password, r_destructors[i], area)))
|
|
{
|
|
continue;
|
|
}
|
|
@@ -811,13 +814,13 @@
|
|
}
|
|
}
|
|
|
|
- strcpy(password, (char *)Reverse(password));
|
|
+ strcpy(password, (char *)Reverse(password, area));
|
|
|
|
for (i = 0; r_destructors[i]; i++)
|
|
{
|
|
char *a;
|
|
|
|
- if (!(a = Mangle(password, r_destructors[i])))
|
|
+ if (!(a = Mangle(password, r_destructors[i], area)))
|
|
{
|
|
continue;
|
|
}
|
|
diff -Naur cracklib-2.9.7-orig/util/cracklib-format cracklib-2.9.7/util/cracklib-format
|
|
--- cracklib-2.9.7-orig/util/cracklib-format 2019-02-13 20:54:41.000000000 -0500
|
|
+++ cracklib-2.9.7/util/cracklib-format 2022-03-07 15:17:54.599692726 -0500
|
|
@@ -3,8 +3,10 @@
|
|
# This preprocesses a set of word lists into a suitable form for input
|
|
# into cracklib-packer
|
|
#
|
|
+LC_ALL=C
|
|
+export LC_ALL
|
|
gzip -cdf "$@" |
|
|
- grep -v '^\(#\|$\)' |
|
|
- tr '[A-Z]' '[a-z]' |
|
|
- tr -cd '\012[a-z][0-9]' |
|
|
- env LC_ALL=C sort -u
|
|
+ grep -a -E -v '^.{32,}$' |
|
|
+ tr '[:upper:]' '[:lower:]' |
|
|
+ tr -cd '\n[:graph:]' |
|
|
+ sort -u
|