commit:     aac5b4f4a65ce70854e77014fa096b7bd2d34e43
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 14 20:55:05 2016 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Sep 14 20:57:44 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aac5b4f4

sys-libs/cracklib: Revision bump to address CVE-2016-6318 and another buffer 
overflow

Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
Gentoo-Bug: https://bugs.gentoo.org/591456

Package-Manager: portage-2.3.0

 sys-libs/cracklib/cracklib-2.9.6-r1.ebuild         | 108 +++++++++++++++++++++
 .../files/cracklib-2.9.6-CVE-2016-6318.patch       | 108 +++++++++++++++++++++
 ...acklib-2.9.6-fix-long-word-bufferoverflow.patch |  43 ++++++++
 3 files changed, 259 insertions(+)

diff --git a/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild 
b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild
new file mode 100644
index 00000000..3767e64
--- /dev/null
+++ b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild
@@ -0,0 +1,108 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 )
+DISTUTILS_OPTIONAL=1
+
+inherit eutils distutils-r1 libtool multilib-minimal toolchain-funcs
+
+MY_P=${P/_}
+DESCRIPTION="Password Checking Library"
+HOMEPAGE="https://github.com/cracklib/cracklib/";
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz";
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~x86-fbsd ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux 
~ppc-macos ~x86-macos ~m68k-mint"
+IUSE="nls python static-libs test zlib"
+
+RDEPEND="zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+       python? (
+               dev-python/setuptools[${PYTHON_USEDEP}]
+               test? ( dev-python/nose[${PYTHON_USEDEP}] )
+       )"
+RDEPEND="${RDEPEND}
+       abi_x86_32? (
+               !<=app-emulation/emul-linux-x86-baselibs-20140508-r6
+               !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+       )"
+
+S=${WORKDIR}/${MY_P}
+
+do_python() {
+       multilib_is_native_abi || return 0
+       use python || return 0
+       pushd python > /dev/null || die
+       distutils-r1_src_${EBUILD_PHASE}
+       popd > /dev/null
+}
+
+pkg_setup() {
+       # workaround #195017
+       if has unmerge-orphans ${FEATURES} && has_version 
"<${CATEGORY}/${PN}-2.8.10" ; then
+               eerror "Upgrade path is broken with FEATURES=unmerge-orphans"
+               eerror "Please run: FEATURES=-unmerge-orphans emerge cracklib"
+               die "Please run: FEATURES=-unmerge-orphans emerge cracklib"
+       fi
+}
+
+src_prepare() {
+       epatch "${FILESDIR}"/cracklib-2.9.6-CVE-2016-6318.patch
+       epatch "${FILESDIR}"/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
+
+       elibtoolize #269003
+       do_python
+}
+
+multilib_src_configure() {
+       export ac_cv_header_zlib_h=$(usex zlib)
+       export ac_cv_search_gzopen=$(usex zlib -lz no)
+       # use /usr/lib so that the dictionary is shared between ABIs
+       ECONF_SOURCE=${S} \
+       econf \
+               --with-default-dict='/usr/lib/cracklib_dict' \
+               --without-python \
+               $(use_enable nls) \
+               $(use_enable static-libs static)
+}
+
+multilib_src_compile() {
+       default
+       do_python
+}
+
+multilib_src_test() {
+       do_python
+}
+
+python_test() {
+       nosetests -w "${S}"/python || die "Tests fail with ${EPYTHON}"
+}
+
+multilib_src_install() {
+       default
+       # move shared libs to /
+       gen_usr_ldscript -a crack
+
+       do_python
+}
+
+multilib_src_install_all() {
+       einstalldocs
+       prune_libtool_files
+       rm -r "${ED}"/usr/share/cracklib
+
+       insinto /usr/share/dict
+       doins dicts/cracklib-small || die
+}
+
+pkg_postinst() {
+       if [[ ${ROOT} == "/" ]] ; then
+               ebegin "Regenerating cracklib dictionary"
+               create-cracklib-dict "${EPREFIX}"/usr/share/dict/* > /dev/null
+               eend $?
+       fi
+}

diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch 
b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch
new file mode 100644
index 00000000..bc47734
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch
@@ -0,0 +1,108 @@
+From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <j...@dittberner.info>
+Date: Thu, 25 Aug 2016 17:13:49 +0200
+Subject: [PATCH] Apply patch to fix CVE-2016-6318
+
+This patch fixes an issue with a stack-based buffer overflow whne
+parsing large GECOS field. See
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
+https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
+information.
+---
+ src/NEWS          |  1 +
+ src/lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 34 insertions(+), 24 deletions(-)
+
+diff --git a/src/NEWS b/src/NEWS
+index 26abeee..361a207 100644
+--- a/src/NEWS
++++ b/src/NEWS
+@@ -1,3 +1,4 @@
++v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when 
parsing large GECOS field
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+        migration to github
+        patch to add some particularly bad cases to the cracklib small 
dictionary (Matthew Miller)
+diff --git a/src/lib/fascist.c b/src/lib/fascist.c
+index a996509..d4deb15 100644
+--- a/src/lib/fascist.c
++++ b/src/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const 
char *gecos)
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
++    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+       gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const 
char *gecos)
+     {
+       for (i = 0; i < j; i++)
+       {
+-          strcpy(longbuffer, uwords[i]);
+-          strcat(longbuffer, uwords[j]);
+-
+-          if (GTry(longbuffer, password))
++          if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+           {
+-              return _("it is derived from your password entry");
+-          }
++              strcpy(longbuffer, uwords[i]);
++              strcat(longbuffer, uwords[j]);
+ 
+-          strcpy(longbuffer, uwords[j]);
+-          strcat(longbuffer, uwords[i]);
++              if (GTry(longbuffer, password))
++              {
++                  return _("it is derived from your password entry");
++              }
+ 
+-          if (GTry(longbuffer, password))
+-          {
+-              return _("it's derived from your password entry");
+-          }
++              strcpy(longbuffer, uwords[j]);
++              strcat(longbuffer, uwords[i]);
+ 
+-          longbuffer[0] = uwords[i][0];
+-          longbuffer[1] = '\0';
+-          strcat(longbuffer, uwords[j]);
++              if (GTry(longbuffer, password))
++              {
++                 return _("it's derived from your password entry");
++              }
++          }
+ 
+-          if (GTry(longbuffer, password))
++          if (strlen(uwords[j]) < STRINGSIZE - 1)
+           {
+-              return _("it is derivable from your password entry");
++              longbuffer[0] = uwords[i][0];
++              longbuffer[1] = '\0';
++              strcat(longbuffer, uwords[j]);
++
++              if (GTry(longbuffer, password))
++              {
++                  return _("it is derivable from your password entry");
++              }
+           }
+ 
+-          longbuffer[0] = uwords[j][0];
+-          longbuffer[1] = '\0';
+-          strcat(longbuffer, uwords[i]);
+-
+-          if (GTry(longbuffer, password))
++          if (strlen(uwords[i]) < STRINGSIZE - 1)
+           {
+-              return _("it's derivable from your password entry");
++              longbuffer[0] = uwords[j][0];
++              longbuffer[1] = '\0';
++              strcat(longbuffer, uwords[i]);
++
++              if (GTry(longbuffer, password))
++              {
++                  return _("it's derivable from your password entry");
++              }
+           }
+       }
+     }

diff --git 
a/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch 
b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
new file mode 100644
index 00000000..59dc9e5
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
@@ -0,0 +1,43 @@
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <j...@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS        | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/NEWS b/src/NEWS
+index 361a207..f1df3b0 100644
+--- a/src/NEWS
++++ b/src/NEWS
+@@ -1,4 +1,5 @@
+ v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when 
parsing large GECOS field
++       fix a buffer overflow processing long words
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+        migration to github
+        patch to add some particularly bad cases to the cracklib small 
dictionary (Matthew Miller)
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/src/lib/rules.c
++++ b/src/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control)             /* returns a pointer to 
a controlled Mangle */
+ {
+     int limit;
+     register char *ptr;
+-    static char area[STRINGSIZE];
+-    char area2[STRINGSIZE];
+-    area[0] = '\0';
++    static char area[STRINGSIZE * 2] = {0};
++    char area2[STRINGSIZE * 2] = {0};
+     strcpy(area, input);
+ 
+     for (ptr = control; *ptr; ptr++)

Reply via email to