rpms / cracklib

Clone
Source Code
GIT

Blame SOURCES/cracklib-2.9.6-cve-2016-6318.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c5a7106034d1fc1285608c86d5059164054f27e6
  2.   SOURCES
  3.   cracklib-2.9.6-cve-2016-6318.patch
Blob History Raw
c5a710 
diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c
c5a710 
--- cracklib-2.9.6/lib/fascist.c.overflow	2015-10-23 16:58:38.403319225 +0200
c5a710 
+++ cracklib-2.9.6/lib/fascist.c	2016-12-08 17:28:41.490101358 +0100
c5a710 
@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
c5a710 
     char gbuffer[STRINGSIZE];
c5a710 
     char tbuffer[STRINGSIZE];
c5a710 
     char *uwords[STRINGSIZE];
c5a710 
-    char longbuffer[STRINGSIZE * 2];
c5a710 
+    char longbuffer[STRINGSIZE];
c5a710
c5a710 
     if (gecos == NULL)
c5a710 
 	gecos = "";
c5a710 
@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
c5a710 
     {
c5a710 
 	for (i = 0; i < j; i++)
c5a710 
 	{
c5a710 
-	    strcpy(longbuffer, uwords[i]);
c5a710 
-	    strcat(longbuffer, uwords[j]);
c5a710 
-
c5a710 
-	    if (GTry(longbuffer, password))
c5a710 
+	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
c5a710 
 	    {
c5a710 
-		return _("it is derived from your password entry");
c5a710 
-	    }
c5a710 
-
c5a710 
-	    strcpy(longbuffer, uwords[j]);
c5a710 
-	    strcat(longbuffer, uwords[i]);
c5a710 
+		strcpy(longbuffer, uwords[i]);
c5a710 
+		strcat(longbuffer, uwords[j]);
c5a710
c5a710 
-	    if (GTry(longbuffer, password))
c5a710 
-	    {
c5a710 
-		return _("it's derived from your password entry");
c5a710 
+		if (GTry(longbuffer, password))
c5a710 
+		{
c5a710 
+		    return _("it is derived from your password entry");
c5a710 
+		}
c5a710 
+
c5a710 
+		strcpy(longbuffer, uwords[j]);
c5a710 
+		strcat(longbuffer, uwords[i]);
c5a710 
+
c5a710 
+		if (GTry(longbuffer, password))
c5a710 
+		{
c5a710 
+		   return _("it's derived from your password entry");
c5a710 
+		}
c5a710 
 	    }
c5a710
c5a710 
-	    longbuffer[0] = uwords[i][0];
c5a710 
-	    longbuffer[1] = '\0';
c5a710 
-	    strcat(longbuffer, uwords[j]);
c5a710 
-
c5a710 
-	    if (GTry(longbuffer, password))
c5a710 
+	    if (strlen(uwords[j]) < STRINGSIZE - 1)
c5a710 
 	    {
c5a710 
-		return _("it is derivable from your password entry");
c5a710 
+		longbuffer[0] = uwords[i][0];
c5a710 
+		longbuffer[1] = '\0';
c5a710 
+		strcat(longbuffer, uwords[j]);
c5a710 
+
c5a710 
+		if (GTry(longbuffer, password))
c5a710 
+		{
c5a710 
+		    return _("it is derivable from your password entry");
c5a710 
+		}
c5a710 
 	    }
c5a710
c5a710 
-	    longbuffer[0] = uwords[j][0];
c5a710 
-	    longbuffer[1] = '\0';
c5a710 
-	    strcat(longbuffer, uwords[i]);
c5a710 
-
c5a710 
-	    if (GTry(longbuffer, password))
c5a710 
+	    if (strlen(uwords[i]) < STRINGSIZE - 1)
c5a710 
 	    {
c5a710 
-		return _("it's derivable from your password entry");
c5a710 
+		longbuffer[0] = uwords[j][0];
c5a710 
+		longbuffer[1] = '\0';
c5a710 
+		strcat(longbuffer, uwords[i]);
c5a710 
+
c5a710 
+		if (GTry(longbuffer, password))
c5a710 
+		{
c5a710 
+		    return _("it's derivable from your password entry");
c5a710 
+		}
c5a710 
 	    }
c5a710 
 	}
c5a710 
     }
c5a710 
diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c
c5a710 
--- cracklib-2.9.6/lib/rules.c.overflow	2015-10-23 16:58:38.000000000 +0200
c5a710 
+++ cracklib-2.9.6/lib/rules.c	2016-12-08 18:03:27.041941297 +0100
c5a710 
@@ -158,6 +158,8 @@ Pluralise(string, area)		/* returns a po
c5a710 
     register int length;
c5a710 
     length = strlen(string);
c5a710 
     strcpy(area, string);
c5a710 
+    if (length > STRINGSIZE - 3) /* we add 2 characters at worst */
c5a710 
+	return (area);
c5a710
c5a710 
     if (!Suffix(string, "ch") ||
c5a710 
 	!Suffix(string, "ex") ||
c5a710 
@@ -462,11 +464,11 @@ Mangle(input, control, area)		/* returns
c5a710 
 	    Pluralise(area2, area);
c5a710 
 	    break;
c5a710 
 	case RULE_REFLECT:
c5a710 
-	    strcat(area, Reverse(area, area2));
c5a710 
+	    strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);
c5a710 
 	    break;
c5a710 
 	case RULE_DUPLICATE:
c5a710 
 	    strcpy(area2, area);
c5a710 
-	    strcat(area, area2);
c5a710 
+	    strncat(area, area2, STRINGSIZE - strlen(area) - 1);
c5a710 
 	    break;
c5a710 
 	case RULE_GT:
c5a710 
 	    if (!ptr[1])
c5a710 
@@ -514,7 +516,8 @@ Mangle(input, control, area)		/* returns
c5a710 
 	    } else
c5a710 
 	    {
c5a710 
 		area2[0] = *(++ptr);
c5a710 
-		strcpy(area2 + 1, area);
c5a710 
+		strncpy(area2 + 1, area, STRINGSIZE - 2);
c5a710 
+		area2[STRINGSIZE - 1] = '\0';
c5a710 
 		strcpy(area, area2);
c5a710 
 	    }
c5a710 
 	    break;
c5a710 
@@ -528,8 +531,10 @@ Mangle(input, control, area)		/* returns
c5a710 
 		register char *string;
c5a710 
 		string = area;
c5a710 
 		while (*(string++));
c5a710 
-		string[-1] = *(++ptr);
c5a710 
-		*string = '\0';
c5a710 
+		if (string < area + STRINGSIZE) {
c5a710 
+			string[-1] = *(++ptr);
c5a710 
+			*string = '\0';
c5a710 
+		}
c5a710 
 	    }
c5a710 
 	    break;
c5a710 
 	case RULE_EXTRACT:
c5a710 
@@ -600,6 +605,10 @@ Mangle(input, control, area)		/* returns
c5a710 
 		}
c5a710 
 		p1 = area;
c5a710 
 		p2 = area2;
c5a710 
+		if (strlen(p1) > STRINGSIZE - 2) {
c5a710 
+			/* truncate */
c5a710 
+			p1[STRINGSIZE - 2] = '\0';
c5a710 
+		}
c5a710 
 		while (i && *p1)
c5a710 
 		{
c5a710 
 		    i--;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation