Accepting request 419768 from home:guohouzuo:branches:Base:System

- Add patch 0004-overflow-processing-long-words.patch to fix a new buffer overflow identified together with bsc#992966. - Relabel patches: cracklib-magic.diff -> 0001-cracklib-magic.diff cracklib-2.9.2-visibility.patch -> 0002-cracklib-2.9.2-visibility.patch - Add patch 0003-overflow-processing-gecos.patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318) OBS-URL: https://build.opensuse.org/request/show/419768 OBS-URL: https://build.opensuse.org/package/show/Base:System/cracklib?expand=0&rev=44
2016-08-22 09:02:18 +00:00 · 2016-08-22 09:02:18 +00:00 · d3c3dc0115
commit d3c3dc0115
parent 857c58c0dd
6 changed files with 132 additions and 4 deletions
--- a/0001-cracklib-magic.diff
+++ b/0001-cracklib-magic.diff
--- a/0002-cracklib-2.9.2-visibility.patch
+++ b/0002-cracklib-2.9.2-visibility.patch
--- a/0003-overflow-processing-gecos.patch
+++ b/0003-overflow-processing-gecos.patch
@ -0,0 +1,88 @@
+(2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser
+of GECOS field of user account information. CVE-2016-6318 has been assigned to
+the issue.
+
+diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c
+--- cracklib-2.9.5/lib/fascist.c	2015-04-11 19:18:12.000000000 +0200
+++ cracklib-2.9.5-patched/lib/fascist.c	2016-08-16 11:08:59.635876877 +0200
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+ 	gecos = "";
+@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
+        if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-		return _("it is derived from your password entry");
+            strcpy(longbuffer, uwords[i]);
+            strcat(longbuffer, uwords[j]);
+            if (GTry(longbuffer, password))
+            {
+                return _("it is derived from your password entry");
+            }
+
+            strcpy(longbuffer, uwords[j]);
+            strcat(longbuffer, uwords[i]);
+
+            if (GTry(longbuffer, password))
+            {
+                return _("it's derived from your password entry");
+            }
+ 	    }
+ 
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
+        if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it's derived from your password entry");
+            longbuffer[0] = uwords[i][0];
+            longbuffer[1] = '\0';
+            strcat(longbuffer, uwords[j]);
+
+            if (GTry(longbuffer, password))
+            {
+                return _("it is derivable from your password entry");
+            }
+ 	    }
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
+-	    {
+-		return _("it is derivable from your password entry");
+-	    }
+-
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
+        if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it's derivable from your password entry");
+            longbuffer[0] = uwords[j][0];
+            longbuffer[1] = '\0';
+            strcat(longbuffer, uwords[i]);
+
+            if (GTry(longbuffer, password))
+            {
+                return _("it's derivable from your password entry");
+            }
+ 	    }
+ 	}
+     }
--- a/0004-overflow-processing-long-words.patch
+++ b/0004-overflow-processing-long-words.patch
@ -0,0 +1,21 @@
+The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the
+mangle operations involves duplicating the input word, resulting in a string
+twice the length to be accommodated by both area variables.
+
+Howard Guo <hguo@suse.com> 2016-08-17
+
+diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
+--- 3/lib/rules.c	2016-08-16 14:16:24.033261876 +0200
+++ 3-patched/lib/rules.c	2016-08-17 13:57:14.485782894 +0200
+@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a poi
+ {
+     int limit;
+     register char *ptr;
+-    static char area[STRINGSIZE];
+-    char area2[STRINGSIZE];
+-    area[0] = '\0';
+    static char area[STRINGSIZE * 2] = {0};
+    char area2[STRINGSIZE * 2] = {0};
+     strcpy(area, input);
+ 
+     for (ptr = control; *ptr; ptr++)
--- a/cracklib.changes
+++ b/cracklib.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Aug 17 12:32:43 UTC 2016 - hguo@suse.com
+
+- Add patch 0004-overflow-processing-long-words.patch
+  to fix a new buffer overflow identified together with bsc#992966.
+
+-------------------------------------------------------------------
+Mon Aug 15 12:01:52 UTC 2016 - hguo@suse.com
+
+- Relabel patches:
+  cracklib-magic.diff -> 0001-cracklib-magic.diff
+  cracklib-2.9.2-visibility.patch -> 0002-cracklib-2.9.2-visibility.patch
+- Add patch 0003-overflow-processing-gecos.patch
+  to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
+
 -------------------------------------------------------------------
 Tue Aug 18 13:00:24 UTC 2015 - mpluskal@suse.com

--- a/cracklib.spec
+++ b/cracklib.spec
@ -1,7 +1,7 @@
 #
 # spec file for package cracklib
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -27,9 +27,11 @@ Source:         http://prdownloads.sourceforge.net/cracklib/cracklib-%{version}.
 Source2:        baselibs.conf
 # PATCH-FIX-OPENSUSE (should be upstreamed)
 # Remove support for broken 64bit indexes from magic entry [bnc#106007]
-Patch0:         cracklib-magic.diff
+Patch1:         0001-cracklib-magic.diff
 # PATCH-FIX-OPENSUSE Hide non-public functions
-Patch1:         cracklib-2.9.2-visibility.patch
+Patch2:         0002-cracklib-2.9.2-visibility.patch
+Patch3:         0003-overflow-processing-gecos.patch
+Patch4:         0004-overflow-processing-long-words.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gzip
@ -85,8 +87,10 @@ This package contains a small dictionay file used by cracklib.
 %prep
 %setup -q
 translation-update-upstream
-%patch0
 %patch1
+%patch2
+%patch3 -p1
+%patch4 -p1

 %build
 AUTOPOINT=true autoreconf -fi