Accepting request 815757 from home:mgorse:branches:Base:System

- Update to version 2.9.7: + fix a buffer overflow processing long words. - Drop 0003-overflow-processing-gecos.patch and 0004-overflow-processing-long-words.patch: fixed upstream. - Update source URI. - Remove use of translation-update-upstream. It cannot be added to ring 0 on leap, and 2.9.7 has some translation fixes (bsc#1172396). OBS-URL: https://build.opensuse.org/request/show/815757 OBS-URL: https://build.opensuse.org/package/show/Base:System/cracklib?expand=0&rev=54
2020-06-22 11:24:05 +00:00 · 2020-06-22 11:24:05 +00:00 · fe52af6027
commit fe52af6027
parent b1fa06cd1b
6 changed files with 17 additions and 124 deletions
--- a/0003-overflow-processing-gecos.patch
+++ b/0003-overflow-processing-gecos.patch
@ -1,88 +0,0 @@
-(2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser
-of GECOS field of user account information. CVE-2016-6318 has been assigned to
-the issue.
-
-diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c
--- cracklib-2.9.5/lib/fascist.c	2015-04-11 19:18:12.000000000 +0200
-+++ cracklib-2.9.5-patched/lib/fascist.c	2016-08-16 11:08:59.635876877 +0200
-@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
-     char gbuffer[STRINGSIZE];
-     char tbuffer[STRINGSIZE];
-     char *uwords[STRINGSIZE];
-    char longbuffer[STRINGSIZE * 2];
-+    char longbuffer[STRINGSIZE];
- 
-     if (gecos == NULL)
- 	gecos = "";
-@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c
-     {
- 	for (i = 0; i < j; i++)
- 	{
-	    strcpy(longbuffer, uwords[i]);
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
-+        if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
- 	    {
-		return _("it is derived from your password entry");
-+            strcpy(longbuffer, uwords[i]);
-+            strcat(longbuffer, uwords[j]);
-+            if (GTry(longbuffer, password))
-+            {
-+                return _("it is derived from your password entry");
-+            }
-+
-+            strcpy(longbuffer, uwords[j]);
-+            strcat(longbuffer, uwords[i]);
-+
-+            if (GTry(longbuffer, password))
-+            {
-+                return _("it's derived from your password entry");
-+            }
- 	    }
- 
-	    strcpy(longbuffer, uwords[j]);
-	    strcat(longbuffer, uwords[i]);
-
-	    if (GTry(longbuffer, password))
-+        if (strlen(uwords[j]) < STRINGSIZE - 1)
- 	    {
-		return _("it's derived from your password entry");
-+            longbuffer[0] = uwords[i][0];
-+            longbuffer[1] = '\0';
-+            strcat(longbuffer, uwords[j]);
-+
-+            if (GTry(longbuffer, password))
-+            {
-+                return _("it is derivable from your password entry");
-+            }
- 	    }
- 
-	    longbuffer[0] = uwords[i][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
-	    {
-		return _("it is derivable from your password entry");
-	    }
-
-	    longbuffer[0] = uwords[j][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[i]);
-
-	    if (GTry(longbuffer, password))
-+        if (strlen(uwords[i]) < STRINGSIZE - 1)
- 	    {
-		return _("it's derivable from your password entry");
-+            longbuffer[0] = uwords[j][0];
-+            longbuffer[1] = '\0';
-+            strcat(longbuffer, uwords[i]);
-+
-+            if (GTry(longbuffer, password))
-+            {
-+                return _("it's derivable from your password entry");
-+            }
- 	    }
- 	}
-     }
--- a/0004-overflow-processing-long-words.patch
+++ b/0004-overflow-processing-long-words.patch
@ -1,21 +0,0 @@
-The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the
-mangle operations involves duplicating the input word, resulting in a string
-twice the length to be accommodated by both area variables.
-
-Howard Guo <hguo@suse.com> 2016-08-17
-
-diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
--- 3/lib/rules.c	2016-08-16 14:16:24.033261876 +0200
-+++ 3-patched/lib/rules.c	2016-08-17 13:57:14.485782894 +0200
-@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a poi
- {
-     int limit;
-     register char *ptr;
-    static char area[STRINGSIZE];
-    char area2[STRINGSIZE];
-    area[0] = '\0';
-+    static char area[STRINGSIZE * 2] = {0};
-+    char area2[STRINGSIZE * 2] = {0};
-     strcpy(area, input);
- 
-     for (ptr = control; *ptr; ptr++)
--- a/cracklib-2.9.6.tar.gz
+++ b/cracklib-2.9.6.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343
-size 642402
--- a/cracklib-2.9.7.tar.bz2
+++ b/cracklib-2.9.7.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fe82098509e4d60377b998662facf058dc405864a8947956718857dbb4bc35e6
+size 603630
--- a/cracklib.changes
+++ b/cracklib.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Jun  2 18:41:21 UTC 2020 - Michael Gorse <mgorse@suse.com>
+
+- Update to version 2.9.7: 
+  + fix a buffer overflow processing long words.
+- Drop 0003-overflow-processing-gecos.patch and
+  0004-overflow-processing-long-words.patch: fixed upstream.
+- Update source URI.
+- Remove use of translation-update-upstream. It cannot be added to
+  ring 0 on leap, and 2.9.7 has some translation fixes
+  (bsc#1172396).
+
 -------------------------------------------------------------------
 Fri May 22 16:06:54 UTC 2020 - Michael Gorse <mgorse@suse.com>

--- a/cracklib.spec
+++ b/cracklib.spec
@ -17,30 +17,25 @@


 Name:           cracklib
-Version:        2.9.6
+Version:        2.9.7
 Release:        0
 Summary:        Library to crack passwords using dictionaries
 License:        LGPL-2.1-only
 Group:          System/Libraries
 URL:            http://sourceforge.net/projects/cracklib
-Source:         https://github.com/%{name}/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source:         https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
 Source2:        baselibs.conf
 # PATCH-FIX-OPENSUSE (should be upstreamed)
 # Remove support for broken 64bit indexes from magic entry [bnc#106007]
 Patch1:         0001-cracklib-magic.diff
 # PATCH-FIX-OPENSUSE Hide non-public functions
 Patch2:         0002-cracklib-2.9.2-visibility.patch
-Patch3:         0003-overflow-processing-gecos.patch
-Patch4:         0004-overflow-processing-long-words.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gzip
 BuildRequires:  libtool
 BuildRequires:  zlib-devel
 Requires:       cracklib-dict
-%if 0%{?sle_version}
-BuildRequires:  translation-update-upstream
-%endif

 %description
 CrackLib tests passwords to determine whether they match
@ -87,13 +82,8 @@ This package contains a small dictionay file used by cracklib.

 %prep
 %setup -q
-%if 0%{?sle_version}
-translation-update-upstream
-%endif
 %patch1
 %patch2
-%patch3 -p1
-%patch4 -p1

 %build
 AUTOPOINT=true autoreconf -fi