gnu: hidapi: Fix 'license'.
1 Fix CVE-2016-6318.
2
3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318
4
5 Patch copied from Red Hat:
6
7 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6318
8 https://bugzilla.redhat.com/attachment.cgi?id=1188599&action=diff
9
10 It is not safe to pass words longer than STRINGSIZE further to cracklib
11 so the longbuffer cannot be longer than STRINGSIZE.
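--- a/cracklib-2.9.0/lib/fascist.c
+++ b/cracklib-2.9.0/lib/fascist.c
@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
 char gbuffer[STRINGSIZE];
 char tbuffer[STRINGSIZE];
 char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
 
 if (gecos == NULL)
 gecos = "";
@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
 {
 for (i = 0; i < j; i++)
 {
- strcpy(longbuffer, uwords[i]);
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 {
- return _("it is derived from your password entry");
- }
-
- strcpy(longbuffer, uwords[j]);
- strcat(longbuffer, uwords[i]);
+ strcpy(longbuffer, uwords[i]);
+ strcat(longbuffer, uwords[j]);
 
- if (GTry(longbuffer, password))
- {
- return _("it's derived from your password entry");
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derived from your password entry");
+ }
+
+ strcpy(longbuffer, uwords[j]);
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derived from your password entry");
+ }
 }
 
- longbuffer[0] = uwords[i][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
 {
- return _("it is derivable from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derivable from your password entry");
+ }
 }
 
- longbuffer[0] = uwords[j][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
 {
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derivable from your password entry");
+ }
 }
 }
 }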
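Review bot: In the second hunk the three new guards bound the words with `STRINGSIZE`, but the writes into `longbuffer` are still unchecked `strcpy`/`strcat`, so the copies are safe only while those conditions and the declaration changed in the first hunk stay in sync. Tying the bound to the buffer would make that explicit, e.g. `if (strlen(uwords[i]) + strlen(uwords[j]) < sizeof(longbuffer))`, or a single `snprintf(longbuffer, sizeof(longbuffer), "%s%s", uwords[i], uwords[j])` whose return value is checked for truncation. Combinations that exceed the limit are now skipped without a `GTry` call, which looks intentional given the patch description, but a comment at the first guard such as `/* words of STRINGSIZE or more must not reach GTry(); skip over-long combinations */` would record that for the next maintainer. `FascistGecosUser` begins and ends outside both hunks, so how `uwords[]` entries are length-limited before this loop cannot be confirmed from here.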