diff --git a/whois-5.0.11-mkpasswd-add-support-for-the-new-2y-blowfish-tag-CVE-2011-2483.diff b/whois-5.0.11-mkpasswd-add-support-for-the-new-2y-blowfish-tag-CVE-2011-2483.diff
new file mode 100644
index 0000000..75d0499
--- /dev/null
+++ b/whois-5.0.11-mkpasswd-add-support-for-the-new-2y-blowfish-tag-CVE-2011-2483.diff
@@ -0,0 +1,41 @@
+From 757e302cc12f962ee1e04ccc572d0553bcfb780c Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:38:08 +0200
+Subject: [PATCH whois 4/7] add support for the new 2y blowfish tag (CVE-2011-2483)
+
+---
+ mkpasswd.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 8bdc7f3..281d970 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -86,9 +86,13 @@ static const struct crypt_method methods[] = {
+ #if defined FreeBSD
+ { "bf", "$2$", 22, 22, 0, "Blowfish (FreeBSD)" },
+ #endif
+-#if defined OpenBSD || (defined __SVR4 && defined __sun) || defined HAVE_CRYPT_GENSALT
++#if defined OpenBSD || (defined __SVR4 && defined __sun)
+ { "bf", "$2a$", 22, 22, 1, "Blowfish" },
+ #endif
++#if defined HAVE_CRYPT_GENSALT
++ { "bf", "$2a$", 22, 22, 1, "Blowfish, system-specific on 8-bit chars" },
++ { "bfy", "$2y$", 22, 22, 1, "Blowfish, correct handling of 8-bit chars" },
++#endif
+ #if defined FreeBSD
+ { "nt", "$3$", 0, 0, 0, "NT-Hash" },
+ #endif
+@@ -226,7 +230,8 @@ int main(int argc, char *argv[])
+ salt_prefix = methods[0].prefix;
+ }
+
+- if (streq(salt_prefix, "$2a$")) { /* OpenBSD Blowfish */
++ if (streq(salt_prefix, "$2a$")
++ || streq(salt_prefix, "$2y$")) { /* OpenBSD Blowfish */
+ if (rounds <= 4)
+ rounds = 4;
+ /* actually for 2a it is the logarithm of the number of rounds */
+--
+1.7.3.4
+
diff --git a/whois-5.0.11-mkpasswd-crypt_gensalt-might-change-the-prefix.diff b/whois-5.0.11-mkpasswd-crypt_gensalt-might-change-the-prefix.diff
new file mode 100644
index 0000000..d65f007
--- /dev/null
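Review bot: The `bf` method name still maps to `$2a$` in the new HAVE_CRYPT_GENSALT block of the `@@ -86` hunk, so existing callers of the `bf` method keep producing the tag that the table itself describes as system-specific for 8-bit characters, and only callers who pick `bfy` get `$2y$`. Because the 2/7 patch of the same series starts accepting 8-bit bytes from a password file, this deserves a comment where the entries are defined, e.g. `/* "bf" keeps $2a$ for compatibility; prefer "bfy" ($2y$) when the password may contain bytes >= 0x80 */`. In the `@@ -226` hunk the retained comments `/* OpenBSD Blowfish */` and `for 2a it is the logarithm` now cover `$2y$` too and could say `2a/2y`. Both methods[] and main() continue outside the hunks.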
+++ b/whois-5.0.11-mkpasswd-crypt_gensalt-might-change-the-prefix.diff
@@ -0,0 +1,28 @@
+From b8cdda35e57303fa67e96165e8eb37a19e22171b Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:06:56 +0200
+Subject: [PATCH whois 3/7] crypt_gensalt might change the prefix
+
+It's undocumented behavior but be prepared for it.
+---
+ mkpasswd.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 59c7a58..8bdc7f3 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -331,7 +331,9 @@ int main(int argc, char *argv[])
+ fprintf(stderr, "crypt failed.\n");
+ exit(2);
+ }
+- if (!strneq(result, salt_prefix, strlen(salt_prefix))) {
++ /* yes, using strlen(salt_prefix) on salt. It's not
++ * documented whether crypt_gensalt may change the prefix */
++ if (!strneq(result, salt, strlen(salt_prefix))) {
+ fprintf(stderr, _("Method not supported by crypt(3).\n"));
+ exit(2);
+ }
+--
+1.7.3.4
+
diff --git a/whois-5.0.11-mkpasswd-fix-compiler-warnings.diff b/whois-5.0.11-mkpasswd-fix-compiler-warnings.diff
new file mode 100644
index 0000000..731e9af
--- /dev/null
+++ b/whois-5.0.11-mkpasswd-fix-compiler-warnings.diff
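Review bot: The new comparison in the `@@ -331` hunk reads its bytes from `salt` but still takes its length from `salt_prefix`, so it only checks what is intended when crypt_gensalt() hands back a prefix of exactly the requested length. If the prefix can really change, as the added comment allows, a replacement of a different length is compared over too few or too many bytes. For a method whose prefix is the empty string (the `des` entry of methods[] elsewhere on this page uses `""`) the length is 0 and the check accepts any result. Deriving the length from the scheme tag at the start of `salt` itself (presumably everything through its second `$`) and stating in the comment what is being verified would make the check mean what it says. main() starts and ends outside the hunk.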
@@ -0,0 +1,34 @@
+From a57b7374a00a93bc237f34c28f9226258adb6a82 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:42:01 +0200
+Subject: [PATCH whois 7/7] fix compiler warnings
+
+---
+ mkpasswd.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 7408cbc..cb5f5ad 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -179,7 +179,7 @@ int main(int argc, char *argv[])
+ {
+ char *p;
+ rounds = strtol(optarg, &p, 10);
+- if (p == NULL || *p != '\0' || rounds < 0) {
++ if (p == NULL || *p != '\0') {
+ fprintf(stderr, _("Invalid number '%s'.\n"), optarg);
+ exit(1);
+ }
+@@ -296,7 +296,7 @@ int main(int argc, char *argv[])
+ if (password) {
+ } else if (password_fd != -1) {
+ FILE *fp;
+- unsigned char *p;
++ char *p;
+
+ if (isatty(password_fd))
+ fprintf(stderr, _("Password: "));
+--
+1.7.3.4
+
diff --git a/whois-5.0.11-mkpasswd-remove-obsolete-settings.diff b/whois-5.0.11-mkpasswd-remove-obsolete-settings.diff
new file mode 100644
index 0000000..994b394
--- /dev/null
+++ b/whois-5.0.11-mkpasswd-remove-obsolete-settings.diff
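Review bot: Dropping `rounds < 0` in the `@@ -179` hunk silences the warning but leaves the rounds argument unvalidated: the warning suggests `rounds` is unsigned (the `%02u` format used for it elsewhere on this page points the same way), so a negative or out-of-range value returned by strtol() is converted silently into a large count. `p == NULL` can never be true after strtol(), while an empty argument (`p == optarg`) and `ERANGE` go unchecked. Parsing into a `long` and range-checking it before the assignment covers all three cases; it needs `errno.h` and `limits.h`, whose presence cannot be confirmed from this page. The enclosing option handling in main() lies outside the hunk.

```c
	char *p;
	long val;

	errno = 0;
	val = strtol(optarg, &p, 10);
	if (p == optarg || *p != '\0' || errno == ERANGE
		|| val < 0 || val > INT_MAX) {
	    /* … unchanged: "Invalid number" message and exit(1) … */
	}
	rounds = val;
```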
@@ -0,0 +1,43 @@
+From cda3259facbb37e8775131cfde9822aeb09edf78 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:31:13 +0200
+Subject: [PATCH whois 6/7] remove obsolete settings
+
+According to Solar Designer $2$ never was officially released,
+refers to a pre-version of blowfish crypt. FreeBSD is said to
+support $2a.
+
+libxcrypt does not actually support {SHA}
+---
+ mkpasswd.c | 8 +-------
+ 1 files changed, 1 insertions(+), 7 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index ee997ba..7408cbc 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -83,10 +83,7 @@ static const struct crypt_method methods[] = {
+ { "des", "", 2, 2, 0,
+ N_("standard 56 bit DES-based crypt(3)") },
+ { "md5", "$1$", 8, 8, 0, "MD5" },
+-#if defined FreeBSD
+- { "bf", "$2$", 22, 22, 0, "Blowfish (FreeBSD)" },
+-#endif
+-#if defined OpenBSD || (defined __SVR4 && defined __sun)
++#if defined OpenBSD || defined FreeBSD || (defined __SVR4 && defined __sun)
+ { "bf", "$2a$", 22, 22, 1, "Blowfish" },
+ #endif
+ #if defined HAVE_CRYPT_GENSALT
+@@ -111,9 +108,6 @@ static const struct crypt_method methods[] = {
+ #if defined __SVR4 && defined __sun
+ { "sunmd5", "$md5$", 8, 8, 1, "SunMD5" },
+ #endif
+-#if defined HAVE_XCRYPT
+- { "sha", "{SHA}", 0, 0, 0, "SHA-1" },
+-#endif
+ { NULL, NULL, 0, 0, 0, NULL }
+ };
+
+--
+1.7.3.4
+
diff --git a/whois-5.0.11-mkpasswd-set-default-blowfish-rounds-to-5.diff b/whois-5.0.11-mkpasswd-set-default-blowfish-rounds-to-5.diff
new file mode 100644
index 0000000..107e095
--- /dev/null
+++ b/whois-5.0.11-mkpasswd-set-default-blowfish-rounds-to-5.diff
@@ -0,0 +1,28 @@
+From 45731d21f551b72e10e211edfa1b3c4e2ed3f8ad Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:39:07 +0200
+Subject: [PATCH whois 5/7] set default blowfish rounds to 5
+
+five rounds is the crypt_blowfish default
+---
+ mkpasswd.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 281d970..ee997ba 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -232,8 +232,8 @@ int main(int argc, char *argv[])
+
+ if (streq(salt_prefix, "$2a$")
+ || streq(salt_prefix, "$2y$")) { /* OpenBSD Blowfish */
+- if (rounds <= 4)
+- rounds = 4;
++ if (rounds < 5)
++ rounds = 5;
+ /* actually for 2a it is the logarithm of the number of rounds */
+ snprintf(rounds_str, sizeof(rounds_str), "%02u$", rounds);
+ } else if (rounds_support && rounds)
+--
+1.7.3.4
+
diff --git a/whois-5.0.11-mkpasswd-support-8bit-characters.diff b/whois-5.0.11-mkpasswd-support-8bit-characters.diff
new file mode 100644
index 0000000..f4699bb
--- /dev/null
+++ b/whois-5.0.11-mkpasswd-support-8bit-characters.diff
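Review bot: The clamp in the `@@ -232` hunk bounds the bcrypt cost only from below, so a value above 31, the largest cost the `$2a$`/`$2y$` setting format defines, is still written into `rounds_str` and would presumably be rejected later by crypt() with a message that does not name the cause; above 99 the `%02u` conversion also emits three digits. Adding `else if (rounds > 31) rounds = 31;`, or rejecting the value with an explicit error, keeps the generated salt well-formed. The new floor also silently raises an explicit request for cost 4, so a comment such as `/* unset (0) and anything below the crypt_blowfish default becomes 5 */` would record that this is intended. main() starts and ends outside the hunk.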
@@ -0,0 +1,42 @@
+From b6d62022a7ab3694ed6cef0021a2f837c6b5d80b Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:06:41 +0200
+Subject: [PATCH whois 2/7] support 8bit characters
+
+8bit characters are accepted when typed interactively so there is no
+reason to reject them when read from a file.
+---
+ mkpasswd.c | 17 +++--------------
+ 1 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 43403d4..59c7a58 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -312,20 +312,9 @@ int main(int argc, char *argv[])
+ exit(2);
+ }
+
+- p = (unsigned char *)password;
+- while (*p) {
+- if (*p == '\n' || *p == '\r') {
+- *p = '\0';
+- break;
+- }
+- /* which characters are valid? */
+- if (*p > 0x7f) {
+- fprintf(stderr,
+- _("Illegal password character '0x%hhx'.\n"), *p);
+- exit(1);
+- }
+- p++;
+- }
++ p = strpbrk(password, "\n\r");
++ if (p)
++ *p = '\0';
+ } else {
+ password = getpass(_("Password: "));
+ if (!password) {
+--
+1.7.3.4
+
diff --git a/whois-5.0.11-mkpasswd-support-Owl-patched-libcrypt.diff b/whois-5.0.11-mkpasswd-support-Owl-patched-libcrypt.diff
new file mode 100644
index 0000000..840a40b
--- /dev/null
+++ b/whois-5.0.11-mkpasswd-support-Owl-patched-libcrypt.diff
@@ -0,0 +1,68 @@
+From 1f6bc61a9b79472234571092493d6d980826e736 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 14 Jul 2011 13:06:14 +0200
+Subject: [PATCH whois 1/7] support Owl patched libcrypt
+
+Owl (and upcoming openSUSE) patch crypt_gensalt directly into libc's
+libcrypt.
+---
+ Makefile | 7 ++++++-
+ mkpasswd.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 44f09dd..66c4cbe 100644
+--- a/Makefile
++++ b/Makefile
+@@ -44,9 +44,14 @@ endif
+
+ ifdef HAVE_XCRYPT
+ mkpasswd_LDADD += -lxcrypt
+-DEFS += -DHAVE_XCRYPT
++DEFS += -DHAVE_XCRYPT -DHAVE_CRYPT_GENSALT
+ else
++ifdef HAVE_CRYPT_GENSALT
++DEFS += -DHAVE_CRYPT_GENSALT
+ mkpasswd_LDADD += -lcrypt
++else
++mkpasswd_LDADD += -lcrypt
++endif
+ endif
+
+ ##############################################################################
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 176d980..43403d4 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -36,6 +36,10 @@
+ #include
+ #include
+ #endif
++#ifdef HAVE_CRYPT_GENSALT
++#define _OW_SOURCE
++#include
++#endif
+ #ifdef HAVE_GETTIMEOFDAY
+ #include
+ #endif
+@@ -82,7 +86,7 @@ static const struct crypt_method methods[] = {
+ #if defined FreeBSD
+ { "bf", "$2$", 22, 22, 0, "Blowfish (FreeBSD)" },
+ #endif
+-#if defined OpenBSD || (defined __SVR4 && defined __sun) || defined HAVE_XCRYPT
++#if defined OpenBSD || (defined __SVR4 && defined __sun) || defined HAVE_CRYPT_GENSALT
+ { "bf", "$2a$", 22, 22, 1, "Blowfish" },
+ #endif
+ #if defined FreeBSD
+@@ -264,7 +268,7 @@ int main(int argc, char *argv[])
+ strcat(salt, rounds_str);
+ strcat(salt, salt_arg);
+ } else {
+-#ifdef HAVE_CRYPT_GENSALT
++#ifdef HAVE_CRYPT_GENSALT
+ void *entropy = get_random_bytes(64);
+
+ salt = crypt_gensalt(salt_prefix, rounds, entropy, 64);
+--
+1.7.3.4
+
diff --git a/whois.changes b/whois.changes
index 220eeae..cba8921 100644
--- a/whois.changes
+++ b/whois.changes
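Review bot: `_OW_SOURCE` is defined in the `@@ -36` hunk after earlier `#include` lines (two are visible as context and the hunk starts at line 36 of the file), but a feature-test macro only takes effect if it is defined before the first system header is read. If one of those earlier includes already pulled in the header that declares crypt_gensalt() (the header names are not visible on this page), the prototype would be skipped and the call in the `@@ -264` hunk would fall back to an implicit `int` declaration, which truncates the returned pointer on 64-bit targets. Defining the macro before the first include, or passing `-D_OW_SOURCE` next to `-DHAVE_CRYPT_GENSALT` in the Makefile `DEFS`, removes the ordering dependence. In the Makefile hunk both branches of the new inner `ifdef` add `-lcrypt`, so that line could stay outside the conditional.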
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 19 08:48:20 UTC 2011 - lnussel@suse.de
+
+- enable use of crypt_gensalt to support all glibc supported
+ algorithms
+- allow 8bit passwords read from file
+- support new blowfish $2y algorithm
+
 -------------------------------------------------------------------
 Tue Mar 22 10:15:42 UTC 2011 - puzel@novell.com
 
diff --git a/whois.spec b/whois.spec
index 9be6d0c..8574e5f 100644
--- a/whois.spec
+++ b/whois.spec
@@ -24,8 +24,15 @@ License: GPLv2+
 Summary: Whois Client Program
 Url: http://www.linux.it/~md/software/
 Group: Productivity/Networking/Other
-Source: %{name}_%{version}.tar.bz2
+Source: http://ftp.debian.org/debian/pool/main/w/whois/%{name}_%{version}.tar.bz2
 Patch1: whois-4.7.33-nb.patch
+Patch2: whois-5.0.11-mkpasswd-support-Owl-patched-libcrypt.diff
+Patch3: whois-5.0.11-mkpasswd-crypt_gensalt-might-change-the-prefix.diff
+Patch4: whois-5.0.11-mkpasswd-support-8bit-characters.diff
+Patch5: whois-5.0.11-mkpasswd-add-support-for-the-new-2y-blowfish-tag-CVE-2011-2483.diff
+Patch6: whois-5.0.11-mkpasswd-set-default-blowfish-rounds-to-5.diff
+Patch7: whois-5.0.11-mkpasswd-remove-obsolete-settings.diff
+Patch8: whois-5.0.11-mkpasswd-fix-compiler-warnings.diff
 BuildRequires: libidn-devel
 Provides: ripe-whois-tools
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -40,10 +47,17 @@ mkpasswd, a simple front-end to crypt(3).
 %prep
 %setup -n whois-%{version}
 %patch1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 rename no nb po/no.*
 
 %build
-make all mkpasswd HAVE_LIBIDN=1 HAVE_ICONV=1 CFLAGS="%{optflags}"
+make all mkpasswd HAVE_LIBIDN=1 HAVE_ICONV=1 HAVE_CRYPT_GENSALT=1 CFLAGS="%{optflags}"
 
 %install
 mkdir -p %{buildroot}{/usr/bin,%{_mandir}/man1}
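Review bot: The new `Source:` line in the `@@ -24` hunk points at a plain `http://` URL and the hunk adds no signature or checksum for the tarball, so anything that fetches the source from this URL cannot detect a modified download. If the upstream archive publishes a signature or a checksummed description file, adding it as an additional source lets the build verify the tarball; failing that, a comment such as `# tarball compared with the upstream-published checksum before import` records how integrity was established. The rest of the preamble lies outside the hunk.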
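Review bot: `%patch3` and `%patch4` in the `@@ -40` hunk are applied in the opposite order to the series they come from: Patch3 is the file whose Subject reads `[PATCH whois 3/7]` (index `59c7a58..8bdc7f3`), while Patch4 is `[PATCH whois 2/7]` (index `43403d4..59c7a58`), so 3/7 is applied to a tree that does not yet contain 2/7. The 3/7 hunk is addressed at line 331 as it stands after 2/7 removed a net eleven lines above it, so patch(1) has to find it by offset; that probably succeeds, but it relies on fuzzy matching in code that validates crypt() output. Swapping the two entries here and in the `PatchN:` list makes the order match the upstream numbering.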