Hello community, here is the log from the commit of package libxcrypt for openSUSE:Factory checked in at Wed Jul 27 09:55:52 CEST 2011.
-------- --- libxcrypt/libxcrypt.changes 2011-06-09 09:40:22.000000000 +0200 +++ /mounts/work_src_done/STABLE/libxcrypt/libxcrypt.changes 2011-07-20 11:54:58.000000000 +0200 @@ -1,0 +2,12 @@ +Tue Jul 19 08:36:18 UTC 2011 - [email protected] + +- update crypt_blowfish to version 1.2 (bnc#700876, CVE-2011-2483) + * due to the signedness bug fix 2a hashes are incompatible with + previous versions if the password contains 8bit chracters! + +------------------------------------------------------------------- +Tue Jul 5 12:39:05 UTC 2011 - [email protected] + +- update bundled crypt_blowfish to 1.1 + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- crypt_blowfish-1.2.tar.gz crypt_blowfish-1.2.tar.gz.sign libxcrypt-3.0.4-blowfish-noasm.diff libxcrypt-3.0.4-blowfish-xcrypt.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxcrypt.spec ++++++ --- /var/tmp/diff_new_pack.2Q7pnJ/_old 2011-07-27 09:53:09.000000000 +0200 +++ /var/tmp/diff_new_pack.2Q7pnJ/_new 2011-07-27 09:53:09.000000000 +0200 @@ -27,11 +27,16 @@ Obsoletes: libxcrypt-64bit %endif Version: 3.0.4 -Release: 1 +Release: 5 Summary: Crypt Library for DES, MD5, Blowfish and others Source: libxcrypt-%{version}.tar.bz2 -Source2: baselibs.conf +Url: http://www.openwall.com/crypt/ +Source1: %{url}crypt_blowfish-1.2.tar.gz +Source2: %{url}crypt_blowfish-1.2.tar.gz.sign +Source20: baselibs.conf Patch0: fix-werror.patch +Patch1: libxcrypt-3.0.4-blowfish-noasm.diff +Patch2: libxcrypt-3.0.4-blowfish-xcrypt.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
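Review bot: `Source2` ships `crypt_blowfish-1.2.tar.gz.sign`, but nothing visible in this spec checks the tarball against it; the `%prep` hunk that follows unpacks `Source1` with `%setup -q -a1` and copies the files straight into `plugins/blowfish`. As far as these hunks show, the signature is carried but never consulted, so a substituted tarball would build unnoticed. `Source1` and `Source2` also expand from `%{url}`, which is plain `http://`. Consider verifying the signature against a packaged keyring before the copy in `%prep`, or, if that check happens in source validation outside the spec, say so in a comment next to `Source2`.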
@@ -63,10 +68,16 @@ %prep -%setup -q +%setup -q -a1 +cp crypt_blowfish-*/*.{c,h} plugins/blowfish +mv plugins/blowfish/wrapper.c plugins/blowfish/blowfish-test.c %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build +rm -f libtool +autoreconf -f -i ./configure CFLAGS="$RPM_OPT_FLAGS -Wno-cast-align" \ --prefix=%{_prefix} \ --libdir=/%{_lib} --disable-static ++++++ libxcrypt-3.0.4-blowfish-noasm.diff ++++++ Index: libxcrypt-3.0.4/plugins/blowfish/crypt_blowfish.c =================================================================== --- libxcrypt-3.0.4.orig/plugins/blowfish/crypt_blowfish.c +++ libxcrypt-3.0.4/plugins/blowfish/crypt_blowfish.c @@ -42,7 +42,7 @@ #include "crypt_blowfish.h" #ifdef __i386__ -#define BF_ASM 1 +#define BF_ASM 0 #define BF_SCALE 1 #elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__) #define BF_ASM 0 ++++++ libxcrypt-3.0.4-blowfish-xcrypt.diff ++++++ Index: libxcrypt-3.0.4/plugins/blowfish/crypt_blowfish.c =================================================================== --- libxcrypt-3.0.4.orig/plugins/blowfish/crypt_blowfish.c +++ libxcrypt-3.0.4/plugins/blowfish/crypt_blowfish.c @@ -32,6 +32,7 @@ */ #include <string.h> +#include <stdio.h> #include <errno.h> #ifndef __set_errno @@ -52,6 +53,9 @@ #define BF_SCALE 0 #endif +#include "xcrypt-plugin.h" +#define _crypt_blowfish_rn __crypt_r + typedef unsigned int BF_word; typedef signed int BF_word_signed; @@ -887,3 +891,10 @@ char *_crypt_gensalt_blowfish_rn(const c return output; } + +char *__crypt_gensalt_r (unsigned long count, __const char *input, int size, char *output, int output_size) +{ + return _crypt_gensalt_blowfish_rn("$2a$", count, input, size, output, output_size); +} + + Index: libxcrypt-3.0.4/plugins/blowfish/blowfish-test.c =================================================================== --- libxcrypt-3.0.4.orig/plugins/blowfish/blowfish-test.c +++ libxcrypt-3.0.4/plugins/blowfish/blowfish-test.c 
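Review bot: `cp crypt_blowfish-*/*.{c,h} plugins/blowfish` selects the unpacked directory by wildcard and relies on brace expansion, which is a bash feature rather than POSIX sh. The version is already pinned in `Source1`, so the copy can name it: `cp crypt_blowfish-1.2/*.c crypt_blowfish-1.2/*.h plugins/blowfish`. With the explicit name, a stray second `crypt_blowfish-*` directory cannot be merged into the plugin sources that Patch1 and Patch2 are then applied to.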
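Review bot: The i386 branch in libxcrypt-3.0.4-blowfish-noasm.diff flips `BF_ASM` to 0 with no comment and no patch description saying why the assembly path is disabled. A later update of the bundled sources will overwrite this file, and whoever re-applies the patch has nothing to tell them whether it is still needed. A one-line comment above the define stating the reason (for example that the assembly file is not built into the plugin, if that is the case) would cover it. The `#ifdef` chain continues outside the hunk.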
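Review bot: `__crypt_gensalt_r` in the `@@ -887,3 +891,10 @@` hunk hard-codes the `"$2a$"` prefix, so every salt this plugin generates is tagged `2a`, the same tag the changelog says is incompatible with earlier versions for passwords with 8-bit characters. A stored `$2a$` hash therefore does not show whether it was computed before or after the signedness fix. The `get_plugin` hunk in src/xcrypt.c routes `2y` to this plugin, so if the bundled 1.2 code accepts that prefix (not visible here), generating `"$2y$"` for new salts would mark them as post-fix. At minimum, a comment on the function should record why `2a` was kept. The XCRYPT variant of `__crypt_gensalt_rn` in blowfish-test.c discards its `prefix` argument and so has the same effect.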
@@ -26,13 +26,19 @@ #define CRYPT_OUTPUT_SIZE (7 + 22 + 31 + 1) #define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1) -#if defined(__GLIBC__) && defined(_LIBC) #define __SKIP_GNU -#endif +#include "xcrypt.h" +#include "xcrypt-plugin.h" #include "ow-crypt.h" #include "crypt_blowfish.h" +#ifndef XCRYPT #include "crypt_gensalt.h" +#else +#define _crypt_blowfish_rn __crypt_r +#undef crypt_r +char *crypt_r(const char *key, const char *setting, void *data); +#endif #if defined(__GLIBC__) && defined(_LIBC) /* crypt.h from glibc-crypt-2.1 will define struct crypt_data for us */ @@ -186,6 +192,7 @@ char *crypt(const char *key, const char #define __crypt_gensalt crypt_gensalt #endif +#ifndef XCRYPT char *__crypt_gensalt_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size) { @@ -220,6 +227,13 @@ char *__crypt_gensalt_rn(const char *pre return use(prefix, count, input, size, output, output_size); } +#else +char *__crypt_gensalt_rn(const char *prefix __attribute__((unused)), unsigned long count, + const char *input, int size, char *output, int output_size) +{ + return __crypt_gensalt_r(count, input, size, output, output_size); +} +#endif char *__crypt_gensalt_ra(const char *prefix, unsigned long count, const char *input, int size) @@ -531,4 +545,21 @@ int main(void) return 0; } +#endif + +#ifdef XCRYPT +int _crypt_output_magic(const char *setting, char *output, int size) +{ + if (size < 3) + return -1; + + output[0] = '*'; + output[1] = '0'; + output[2] = '\0'; + + if (setting[0] == '*' && setting[1] == '0') + output[1] = '1'; + + return 0; +} #endif Index: libxcrypt-3.0.4/plugins/blowfish/Makefile.am =================================================================== --- libxcrypt-3.0.4.orig/plugins/blowfish/Makefile.am +++ libxcrypt-3.0.4/plugins/blowfish/Makefile.am 
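Review bot: `_crypt_output_magic`, added in the `@@ -531,4 +545,21 @@` hunk, has no comment explaining the `*0`/`*1` switch, which is the one non-obvious thing it does. From the code, it writes `*0` and changes it to `*1` when `setting` itself begins with `*0`, so the failure string never equals the setting passed in. The purpose is presumably that a caller comparing the result with a stored value cannot match on failure. I would add `/* Failure token: "*0", or "*1" if setting starts with "*0", so output never equals setting. */` above the function. `setting` is dereferenced without a NULL check; the callers are outside the hunk, so whether that can happen is not visible here.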
@@ -25,5 +25,5 @@ libxcrypt_2a_la_SOURCES = crypt_blowfish noinst_PROGRAMS = blowfish-test -blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST_THREADS=10 +blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST -DTEST_THREADS=4 -DXCRYPT blowfish_test_LDADD = libxcrypt_2a.la -lpthread Index: libxcrypt-3.0.4/src/xcrypt.c =================================================================== --- libxcrypt-3.0.4.orig/src/xcrypt.c +++ libxcrypt-3.0.4/src/xcrypt.c @@ -42,6 +42,10 @@ get_plugin (const char *hash_id) { struct plugin_t *ptr = plugins; + /* blowfish hack for CVE-2011-2483 */ + if (!strcmp(hash_id, "2x") || !strcmp(hash_id, "2y")) + hash_id = "2a"; + while (ptr) { if (strcmp (hash_id, ptr->id) == 0) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
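Review bot: The comment `/* blowfish hack for CVE-2011-2483 */` in `get_plugin` does not say what `2x` and `2y` are or what the `2a` plugin is expected to do with them. Because only the lookup id is rewritten, correct handling depends on the plugin telling the three prefixes apart from the full setting string, which these lines do not show; if it does not, hashes tagged `2x` would be verified with the fixed algorithm and fail. Spell that out, e.g. `/* CVE-2011-2483: $2x$ and $2y$ are served by the 2a plugin, which distinguishes them by the prefix in the setting string */`. The new test is also written `!strcmp(hash_id, "2x")` while the loop below uses `strcmp (hash_id, ptr->id) == 0`; matching the existing form keeps the function consistent. The body of `get_plugin` continues outside the hunk.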
