diff --git a/cracklib-magic.diff b/0001-cracklib-magic.diff
similarity index 100%
rename from cracklib-magic.diff
rename to 0001-cracklib-magic.diff
diff --git a/cracklib-2.9.2-visibility.patch b/0002-cracklib-2.9.2-visibility.patch
similarity index 100%
rename from cracklib-2.9.2-visibility.patch
rename to 0002-cracklib-2.9.2-visibility.patch
diff --git a/0003-overflow-processing-gecos.patch b/0003-overflow-processing-gecos.patch
new file mode 100644
index 0000000..29711cd
--- /dev/null
+++ b/0003-overflow-processing-gecos.patch
@@ -0,0 +1,88 @@ +(2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser +of GECOS field of user account information. CVE-2016-6318 has been assigned to +the issue. + +diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c +--- cracklib-2.9.5/lib/fascist.c 2015-04-11 19:18:12.000000000 +0200 ++++ cracklib-2.9.5-patched/lib/fascist.c 2016-08-16 11:08:59.635876877 +0200 +@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c + char gbuffer[STRINGSIZE]; + char tbuffer[STRINGSIZE]; + char *uwords[STRINGSIZE]; +- char longbuffer[STRINGSIZE * 2]; ++ char longbuffer[STRINGSIZE]; + + if (gecos == NULL) + gecos = ""; +@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c + { + for (i = 0; i < j; i++) + { +- strcpy(longbuffer, uwords[i]); +- strcat(longbuffer, uwords[j]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) + { +- return _("it is derived from your password entry"); ++ strcpy(longbuffer, uwords[i]); ++ strcat(longbuffer, uwords[j]); ++ if (GTry(longbuffer, password)) ++ { ++ return _("it is derived from your password entry"); ++ } ++ ++ strcpy(longbuffer, uwords[j]); ++ strcat(longbuffer, uwords[i]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it's derived from your password entry"); ++ } + } + +- strcpy(longbuffer, uwords[j]); +- strcat(longbuffer, uwords[i]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[j]) < STRINGSIZE - 1) + { +- return _("it's derived from your password entry"); ++ longbuffer[0] = uwords[i][0]; ++ longbuffer[1] = '\0'; ++ strcat(longbuffer, uwords[j]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it is derivable from your password entry"); ++ } + } + +- longbuffer[0] = uwords[i][0]; +- longbuffer[1] = '\0'; +- strcat(longbuffer, uwords[j]); +- +- if (GTry(longbuffer, password)) +- { +- return _("it is derivable from your password entry"); +- } +- +- longbuffer[0] = uwords[j][0]; +- 
longbuffer[1] = '\0'; +- strcat(longbuffer, uwords[i]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[i]) < STRINGSIZE - 1) + { +- return _("it's derivable from your password entry"); ++ longbuffer[0] = uwords[j][0]; ++ longbuffer[1] = '\0'; ++ strcat(longbuffer, uwords[i]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it's derivable from your password entry"); ++ } + } + } + } diff --git a/0004-overflow-processing-long-words.patch b/0004-overflow-processing-long-words.patch new file mode 100644 index 0000000..1a4d50c --- /dev/null +++ b/0004-overflow-processing-long-words.patch @@ -0,0 +1,21 @@ +The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the +mangle operations involves duplicating the input word, resulting in a string +twice the length to be accommodated by both area variables. + +Howard Guo 2016-08-17 + +diff -rupN 3/lib/rules.c 3-patched/lib/rules.c +--- 3/lib/rules.c 2016-08-16 14:16:24.033261876 +0200 ++++ 3-patched/lib/rules.c 2016-08-17 13:57:14.485782894 +0200 +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a poi + { + int limit; + register char *ptr; +- static char area[STRINGSIZE]; +- char area2[STRINGSIZE]; +- area[0] = '\0'; ++ static char area[STRINGSIZE * 2] = {0}; ++ char area2[STRINGSIZE * 2] = {0}; + strcpy(area, input); + + for (ptr = control; *ptr; ptr++) diff --git a/cracklib.changes b/cracklib.changes index 704b911..04ebd19 100644 --- a/cracklib.changes +++ b/cracklib.changes 
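Review bot: The three new guards recompute `strlen(uwords[i])` and `strlen(uwords[j])` on every pass of the inner loop, so each pair costs six calls and the bound is spelled out three different ways; hoisting `size_t lj = strlen(uwords[j]);` before the inner loop and `size_t li = strlen(uwords[i]);` at the top of its body lets the checks read `li + lj < STRINGSIZE`, `lj < STRINGSIZE - 1` and `li < STRINGSIZE - 1`. The hunk at line 502 also shrinks `longbuffer` from `STRINGSIZE * 2` to `STRINGSIZE`, so any other use of `longbuffer` between the two hunks (not visible here) has to respect the new bound. Pairs that do not fit are now silently skipped instead of tried, which is presumably harmless if the candidate password is itself limited to STRINGSIZE-1 elsewhere — worth confirming, and worth a comment such as `/* combinations that cannot fit a GTry() input are not tried */`. FascistGecosUser begins and ends outside the hunk.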
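Review bot: The `= {0}` on `static char area[STRINGSIZE * 2]` is redundant (static storage is already zero-initialised), while the same initialiser on the automatic `area2` zero-fills 2*STRINGSIZE bytes on every Mangle() call, which the original did not do; since `strcpy(area, input)` overwrites `area` immediately (which is also why the removed `area[0] = '\0'` was dead), `static char area[STRINGSIZE * 2];` and `char area2[STRINGSIZE * 2];` keep the fix without the per-call fill, unless some operation reads `area2` before writing it — confirm against the rule handling further down. Doubling the buffers also only covers one length-doubling step, yet `for (ptr = control; *ptr; ptr++)` applies every character of a control string in turn, so a control string that duplicates twice, or duplicates and then appends, could still exceed the new size; a length check inside the length-increasing operations, or a documented limit on the rule tables, would make the fix independent of which control strings are in use. Mangle's body continues outside the hunk.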
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Aug 17 12:32:43 UTC 2016 - hguo@suse.com + +- Add patch 0004-overflow-processing-long-words.patch + to fix a new buffer overflow identified together with bsc#992966. + +------------------------------------------------------------------- +Mon Aug 15 12:01:52 UTC 2016 - hguo@suse.com + +- Relabel patches: + cracklib-magic.diff -> 0001-cracklib-magic.diff + cracklib-2.9.2-visibility.patch -> 0002-cracklib-2.9.2-visibility.patch +- Add patch 0003-overflow-processing-gecos.patch + to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318) + ------------------------------------------------------------------- Tue Aug 18 13:00:24 UTC 2015 - mpluskal@suse.com diff --git a/cracklib.spec b/cracklib.spec index 6fd9a04..8325851 100644 --- a/cracklib.spec +++ b/cracklib.spec @@ -1,7 +1,7 @@ # # spec file for package cracklib # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,9 +27,11 @@ Source: http://prdownloads.sourceforge.net/cracklib/cracklib-%{version}. Source2: baselibs.conf # PATCH-FIX-OPENSUSE (should be upstreamed) # Remove support for broken 64bit indexes from magic entry [bnc#106007] -Patch0: cracklib-magic.diff +Patch1: 0001-cracklib-magic.diff # PATCH-FIX-OPENSUSE Hide non-public functions -Patch1: cracklib-2.9.2-visibility.patch +Patch2: 0002-cracklib-2.9.2-visibility.patch +Patch3: 0003-overflow-processing-gecos.patch +Patch4: 0004-overflow-processing-long-words.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gzip @@ -85,8 +87,10 @@ This package contains a small dictionay file used by cracklib. %prep %setup -q translation-update-upstream -%patch0 %patch1 +%patch2 +%patch3 -p1 +%patch4 -p1 %build AUTOPOINT=true autoreconf -fi
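Review bot: `Patch3` and `Patch4` are added without the `# PATCH-FIX-...` tag line that `Patch1` and `Patch2` carry in the same hunk, so the spec no longer records where each patch comes from or whether it has been submitted upstream. A line above each in the existing style, e.g. `# PATCH-FIX-UPSTREAM bsc#992966 CVE-2016-6318 Fix buffer overflow in GECOS parser` and `# PATCH-FIX-UPSTREAM bsc#992966 Fix buffer overflow when Mangle() duplicates a long word` (PATCH-FIX-OPENSUSE if they have not been sent upstream), would keep the convention consistent. The `-p1` on `%patch3` and `%patch4` matches the `diff -rupN` path prefixes inside both patch files.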