cracklib/0003-overflow-processing-gecos.patch

(2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser
of GECOS field of user account information. CVE-2016-6318 has been assigned to
the issue.

diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c
--- cracklib-2.9.5/lib/fascist.c	2015-04-11 19:18:12.000000000 +0200
+++ cracklib-2.9.5-patched/lib/fascist.c	2016-08-16 11:08:59.635876877 +0200
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
     char gbuffer[STRINGSIZE];
     char tbuffer[STRINGSIZE];
     char *uwords[STRINGSIZE];
-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
 
     if (gecos == NULL)
 	gecos = "";
@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c
     {
 	for (i = 0; i < j; i++)
 	{
-	    strcpy(longbuffer, uwords[i]);
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
+        if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 	    {
-		return _("it is derived from your password entry");
+            strcpy(longbuffer, uwords[i]);
+            strcat(longbuffer, uwords[j]);
+            if (GTry(longbuffer, password))
+            {
+                return _("it is derived from your password entry");
+            }
+
+            strcpy(longbuffer, uwords[j]);
+            strcat(longbuffer, uwords[i]);
+
+            if (GTry(longbuffer, password))
+            {
+                return _("it's derived from your password entry");
+            }
 	    }
 
-	    strcpy(longbuffer, uwords[j]);
-	    strcat(longbuffer, uwords[i]);
-
-	    if (GTry(longbuffer, password))
+        if (strlen(uwords[j]) < STRINGSIZE - 1)
 	    {
-		return _("it's derived from your password entry");
+            longbuffer[0] = uwords[i][0];
+            longbuffer[1] = '\0';
+            strcat(longbuffer, uwords[j]);
+
+            if (GTry(longbuffer, password))
+            {
+                return _("it is derivable from your password entry");
+            }
 	    }
 
-	    longbuffer[0] = uwords[i][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
-	    {
-		return _("it is derivable from your password entry");
-	    }
-
-	    longbuffer[0] = uwords[j][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[i]);
-
-	    if (GTry(longbuffer, password))
+        if (strlen(uwords[i]) < STRINGSIZE - 1)
 	    {
-		return _("it's derivable from your password entry");
+            longbuffer[0] = uwords[j][0];
+            longbuffer[1] = '\0';
+            strcat(longbuffer, uwords[i]);
+
+            if (GTry(longbuffer, password))
+            {
+                return _("it's derivable from your password entry");
+            }
 	    }
 	}
     }
Accepting request 419768 from home:guohouzuo:branches:Base:System - Add patch 0004-overflow-processing-long-words.patch to fix a new buffer overflow identified together with bsc#992966. - Relabel patches: cracklib-magic.diff -> 0001-cracklib-magic.diff cracklib-2.9.2-visibility.patch -> 0002-cracklib-2.9.2-visibility.patch - Add patch 0003-overflow-processing-gecos.patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318) OBS-URL: https://build.opensuse.org/request/show/419768 OBS-URL: https://build.opensuse.org/package/show/Base:System/cracklib?expand=0&rev=44 2016-08-22 09:02:18 +00:00			`(2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser`
			`of GECOS field of user account information. CVE-2016-6318 has been assigned to`
			`the issue.`

			`diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c`
			`--- cracklib-2.9.5/lib/fascist.c 2015-04-11 19:18:12.000000000 +0200`
			`+++ cracklib-2.9.5-patched/lib/fascist.c 2016-08-16 11:08:59.635876877 +0200`
			`@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c`
			`char gbuffer[STRINGSIZE];`
			`char tbuffer[STRINGSIZE];`
			`char *uwords[STRINGSIZE];`
			`- char longbuffer[STRINGSIZE * 2];`
			`+ char longbuffer[STRINGSIZE];`

			`if (gecos == NULL)`
			`gecos = "";`
			`@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c`
			`{`
			`for (i = 0; i < j; i++)`
			`{`
			`- strcpy(longbuffer, uwords[i]);`
			`- strcat(longbuffer, uwords[j]);`
			`-`
			`- if (GTry(longbuffer, password))`
			`+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)`
			`{`
			`- return _("it is derived from your password entry");`
			`+ strcpy(longbuffer, uwords[i]);`
			`+ strcat(longbuffer, uwords[j]);`
			`+ if (GTry(longbuffer, password))`
			`+ {`
			`+ return _("it is derived from your password entry");`
			`+ }`
			`+`
			`+ strcpy(longbuffer, uwords[j]);`
			`+ strcat(longbuffer, uwords[i]);`
			`+`
			`+ if (GTry(longbuffer, password))`
			`+ {`
			`+ return _("it's derived from your password entry");`
			`+ }`
			`}`

			`- strcpy(longbuffer, uwords[j]);`
			`- strcat(longbuffer, uwords[i]);`
			`-`
			`- if (GTry(longbuffer, password))`
			`+ if (strlen(uwords[j]) < STRINGSIZE - 1)`
			`{`
			`- return _("it's derived from your password entry");`
			`+ longbuffer[0] = uwords[i][0];`
			`+ longbuffer[1] = '\0';`
			`+ strcat(longbuffer, uwords[j]);`
			`+`
			`+ if (GTry(longbuffer, password))`
			`+ {`
			`+ return _("it is derivable from your password entry");`
			`+ }`
			`}`

			`- longbuffer[0] = uwords[i][0];`
			`- longbuffer[1] = '\0';`
			`- strcat(longbuffer, uwords[j]);`
			`-`
			`- if (GTry(longbuffer, password))`
			`- {`
			`- return _("it is derivable from your password entry");`
			`- }`
			`-`
			`- longbuffer[0] = uwords[j][0];`
			`- longbuffer[1] = '\0';`
			`- strcat(longbuffer, uwords[i]);`
			`-`
			`- if (GTry(longbuffer, password))`
			`+ if (strlen(uwords[i]) < STRINGSIZE - 1)`
			`{`
			`- return _("it's derivable from your password entry");`
			`+ longbuffer[0] = uwords[j][0];`
			`+ longbuffer[1] = '\0';`
			`+ strcat(longbuffer, uwords[i]);`
			`+`
			`+ if (GTry(longbuffer, password))`
			`+ {`
			`+ return _("it's derivable from your password entry");`
			`+ }`
			`}`
			`}`
			`}`