Accepting request 815757 from home:mgorse:branches:Base:System

- Update to version 2.9.7: + fix a buffer overflow processing long words. - Drop 0003-overflow-processing-gecos.patch and 0004-overflow-processing-long-words.patch: fixed upstream. - Update source URI. - Remove use of translation-update-upstream. It cannot be added to ring 0 on leap, and 2.9.7 has some translation fixes (bsc#1172396). OBS-URL: https://build.opensuse.org/request/show/815757 OBS-URL: https://build.opensuse.org/package/show/Base:System/cracklib?expand=0&rev=54
2020-06-22 11:24:05 +00:00 · 2020-06-22 11:24:05 +00:00 · fe52af6027
commit fe52af6027
parent b1fa06cd1b
6 changed files with 17 additions and 124 deletions
--- a/0003-overflow-processing-gecos.patch
+++ b/0003-overflow-processing-gecos.patch
@ -1,88 +0,0 @@
 (2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser
 of GECOS field of user account information. CVE-2016-6318 has been assigned to
 the issue.
 diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c
 --- cracklib-2.9.5/lib/fascist.c	2015-04-11 19:18:12.000000000 +0200
 +++ cracklib-2.9.5-patched/lib/fascist.c	2016-08-16 11:08:59.635876877 +0200
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
     char gbuffer[STRINGSIZE];
     char tbuffer[STRINGSIZE];
     char *uwords[STRINGSIZE];
 -    char longbuffer[STRINGSIZE * 2];
 +    char longbuffer[STRINGSIZE];
     if (gecos == NULL)
 	gecos = "";
@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c
     {
 	for (i = 0; i < j; i++)
 	{
 -	    strcpy(longbuffer, uwords[i]);
 -	    strcat(longbuffer, uwords[j]);
 -
 -	    if (GTry(longbuffer, password))
 +        if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 	    {
 -		return _("it is derived from your password entry");
 +            strcpy(longbuffer, uwords[i]);
 +            strcat(longbuffer, uwords[j]);
 +            if (GTry(longbuffer, password))
 +            {
 +                return _("it is derived from your password entry");
 +            }
 +
 +            strcpy(longbuffer, uwords[j]);
 +            strcat(longbuffer, uwords[i]);
 +
 +            if (GTry(longbuffer, password))
 +            {
 +                return _("it's derived from your password entry");
 +            }
 	    }
 -	    strcpy(longbuffer, uwords[j]);
 -	    strcat(longbuffer, uwords[i]);
 -
 -	    if (GTry(longbuffer, password))
 +        if (strlen(uwords[j]) < STRINGSIZE - 1)
 	    {
 -		return _("it's derived from your password entry");
 +            longbuffer[0] = uwords[i][0];
 +            longbuffer[1] = '\0';
 +            strcat(longbuffer, uwords[j]);
 +
 +            if (GTry(longbuffer, password))
 +            {
 +                return _("it is derivable from your password entry");
 +            }
 	    }
 -	    longbuffer[0] = uwords[i][0];
 -	    longbuffer[1] = '\0';
 -	    strcat(longbuffer, uwords[j]);
 -
 -	    if (GTry(longbuffer, password))
 -	    {
 -		return _("it is derivable from your password entry");
 -	    }
 -
 -	    longbuffer[0] = uwords[j][0];
 -	    longbuffer[1] = '\0';
 -	    strcat(longbuffer, uwords[i]);
 -
 -	    if (GTry(longbuffer, password))
 +        if (strlen(uwords[i]) < STRINGSIZE - 1)
 	    {
 -		return _("it's derivable from your password entry");
 +            longbuffer[0] = uwords[j][0];
 +            longbuffer[1] = '\0';
 +            strcat(longbuffer, uwords[i]);
 +
 +            if (GTry(longbuffer, password))
 +            {
 +                return _("it's derivable from your password entry");
 +            }
 	    }
 	}
     }
--- a/0004-overflow-processing-long-words.patch
+++ b/0004-overflow-processing-long-words.patch
@ -1,21 +0,0 @@
 The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the
 mangle operations involves duplicating the input word, resulting in a string
 twice the length to be accommodated by both area variables.
 Howard Guo <hguo@suse.com> 2016-08-17
 diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
 --- 3/lib/rules.c	2016-08-16 14:16:24.033261876 +0200
 +++ 3-patched/lib/rules.c	2016-08-17 13:57:14.485782894 +0200
@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a poi
 {
     int limit;
     register char *ptr;
 -    static char area[STRINGSIZE];
 -    char area2[STRINGSIZE];
 -    area[0] = '\0';
 +    static char area[STRINGSIZE * 2] = {0};
 +    char area2[STRINGSIZE * 2] = {0};
     strcpy(area, input);
     for (ptr = control; *ptr; ptr++)
--- a/cracklib-2.9.6.tar.gz
+++ b/cracklib-2.9.6.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343
 size 642402
--- a/cracklib-2.9.7.tar.bz2
+++ b/cracklib-2.9.7.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:fe82098509e4d60377b998662facf058dc405864a8947956718857dbb4bc35e6
 size 603630
--- a/cracklib.changes
+++ b/cracklib.changes
@ -1,3 +1,15 @@
 -------------------------------------------------------------------
 Tue Jun  2 18:41:21 UTC 2020 - Michael Gorse <mgorse@suse.com>
 - Update to version 2.9.7: 
  + fix a buffer overflow processing long words.
 - Drop 0003-overflow-processing-gecos.patch and
  0004-overflow-processing-long-words.patch: fixed upstream.
 - Update source URI.
 - Remove use of translation-update-upstream. It cannot be added to
  ring 0 on leap, and 2.9.7 has some translation fixes
  (bsc#1172396).
 -------------------------------------------------------------------
 Fri May 22 16:06:54 UTC 2020 - Michael Gorse <mgorse@suse.com>
--- a/cracklib.spec
+++ b/cracklib.spec
@ -17,30 +17,25 @@
 Name:           cracklib
-Version:        2.9.6
+Version:        2.9.7
 Release:        0
 Summary:        Library to crack passwords using dictionaries
 License:        LGPL-2.1-only
 Group:          System/Libraries
 URL:            http://sourceforge.net/projects/cracklib
-Source:         https://github.com/%{name}/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source:         https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
 Source2:        baselibs.conf
 # PATCH-FIX-OPENSUSE (should be upstreamed)
 # Remove support for broken 64bit indexes from magic entry [bnc#106007]
 Patch1:         0001-cracklib-magic.diff
 # PATCH-FIX-OPENSUSE Hide non-public functions
 Patch2:         0002-cracklib-2.9.2-visibility.patch
 Patch3:         0003-overflow-processing-gecos.patch
 Patch4:         0004-overflow-processing-long-words.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gzip
 BuildRequires:  libtool
 BuildRequires:  zlib-devel
 Requires:       cracklib-dict
 %if 0%{?sle_version}
 BuildRequires:  translation-update-upstream
 %endif
 %description
 CrackLib tests passwords to determine whether they match
@ -87,13 +82,8 @@ This package contains a small dictionay file used by cracklib.
 %prep
 %setup -q
 %if 0%{?sle_version}
 translation-update-upstream
 %endif
 %patch1
 %patch2
 %patch3 -p1
 %patch4 -p1
 %build
 AUTOPOINT=true autoreconf -fi