Hello community, here is the log from the commit of package cracklib for openSUSE:Factory checked in at 2016-08-26 23:12:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cracklib (Old) and /work/SRC/openSUSE:Factory/.cracklib.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cracklib"
Changes:
--------
--- /work/SRC/openSUSE:Factory/cracklib/cracklib.changes 2015-09-08 17:37:33.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.cracklib.new/cracklib.changes 2016-08-26 23:12:12.000000000 +0200
@@ -1,0 +2,15 @@
+Wed Aug 17 12:32:43 UTC 2016 - [email protected]
+
+- Add patch 0004-overflow-processing-long-words.patch
+ to fix a new buffer overflow identified together with bsc#992966.
+
+-------------------------------------------------------------------
+Mon Aug 15 12:01:52 UTC 2016 - [email protected]
+
+- Relabel patches:
+ cracklib-magic.diff -> 0001-cracklib-magic.diff
+ cracklib-2.9.2-visibility.patch -> 0002-cracklib-2.9.2-visibility.patch
+- Add patch 0003-overflow-processing-gecos.patch
+ to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
+
+-------------------------------------------------------------------
Old:
----
cracklib-2.9.2-visibility.patch
cracklib-magic.diff
New:
----
0001-cracklib-magic.diff
0002-cracklib-2.9.2-visibility.patch
0003-overflow-processing-gecos.patch
0004-overflow-processing-long-words.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cracklib.spec ++++++
--- /var/tmp/diff_new_pack.ZvqmBZ/_old 2016-08-26 23:12:13.000000000 +0200
+++ /var/tmp/diff_new_pack.ZvqmBZ/_new 2016-08-26 23:12:13.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package cracklib
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,9 +27,11 @@
 Source2: baselibs.conf
 # PATCH-FIX-OPENSUSE (should be upstreamed)
 # Remove support for broken 64bit indexes from magic entry [bnc#106007]
-Patch0: cracklib-magic.diff
+Patch1: 0001-cracklib-magic.diff
 # PATCH-FIX-OPENSUSE Hide non-public functions
-Patch1: cracklib-2.9.2-visibility.patch
+Patch2: 0002-cracklib-2.9.2-visibility.patch
+Patch3: 0003-overflow-processing-gecos.patch
+Patch4: 0004-overflow-processing-long-words.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gzip
@@ -85,8 +87,10 @@
 %prep
 %setup -q
 translation-update-upstream
-%patch0
 %patch1
+%patch2
+%patch3 -p1
+%patch4 -p1
 %build
 AUTOPOINT=true autoreconf -fi
++++++ 0001-cracklib-magic.diff ++++++
Index: doc/cracklib.magic
===================================================================
--- doc/cracklib.magic.orig
+++ doc/cracklib.magic
@@ -1,10 +1,5 @@
 # cracklib: file (1) magic for cracklib v2.7
 0 lelong 0x70775631 Cracklib password index, little endian
->4 long >0 (%i words)
->4 long 0 ("64-bit")
->>8 long >-1 (%i words)
+>4 lelong >0 (%i words)
 0 belong 0x70775631 Cracklib password index, big endian
->4 belong >-1 (%i words)
-0 long 0
->4 belong 0x70775631 Cracklib password index, big endian ("64-bit")
->12 belong >0 (%i words)
+>4 belong >0 (%i words)
++++++ 0002-cracklib-2.9.2-visibility.patch ++++++
Index: configure.ac
===================================================================
--- configure.ac.orig
+++ configure.ac
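Review bot: `Patch3` and `Patch4` are added without the descriptive comment that `Patch1` and `Patch2` carry, so the spec file itself does not say that these two are security fixes or which report they belong to. A tag line above each, in the same style as the existing ones, would keep that traceable, for example `# PATCH-FIX-UPSTREAM bsc#992966 CVE-2016-6318 buffer overflow in GECOS parser` above `Patch3` and a matching line citing bsc#992966 above `Patch4`. Whether `PATCH-FIX-UPSTREAM` or `PATCH-FIX-OPENSUSE` is the right tag depends on the upstream status of the fixes, which this page does not show.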
@@ -97,6 +97,45 @@ AM_CONDITIONAL(BUILD_PYTHON,[test "$buil
 dnl Handle local dict compiling properly
 AC_SUBST(CROSS_COMPILING, $cross_compiling)
+ dnl ************************************************************
+ dnl Enable hiding of internal symbols in library to reduce its size and
+ dnl speed dynamic linking of applications. This currently is only supported
+ dnl on gcc >= 4.0 and SunPro C.
+ dnl
+ AC_MSG_CHECKING([whether to enable hidden symbols in the library])
+ AC_ARG_ENABLE(hidden-symbols,
+ AC_HELP_STRING([--enable-hidden-symbols],[Hide internal symbols in library])
+ AC_HELP_STRING([--disable-hidden-symbols],[Leave all symbols with default visibility in library]),
+ [ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
+ AC_MSG_CHECKING([whether $CC supports it])
+ if test "$GCC" = yes ; then
+ if $CC --help --verbose 2>&1 | grep fvisibility= > /dev/null ; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(CRACKLIB_API, [extern __attribute__ ((visibility ("default")))], [to make a symbol visible])
+ CFLAGS="$CFLAGS -fvisibility=hidden"
+ else
+ AC_MSG_RESULT(no)
+ fi
+
+ else
+ dnl Test for SunPro cc
+ if $CC 2>&1 | grep flags >/dev/null && $CC -flags | grep xldscope= >/dev/null ; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(CRACKLIB_API, [__global], [to make a symbol visible])
+ CFLAGS="$CFLAGS -xldscope=hidden"
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+
 AC_OUTPUT(util/Makefile lib/Makefile doc/Makefile python/Makefile Makefile \
 python/setup.py \
 po/Makefile.in m4/Makefile dicts/Makefile cracklib.spec)
Index: lib/crack.h
===================================================================
--- lib/crack.h.orig
+++ lib/crack.h
@@ -5,6 +5,10 @@ extern "C" {
 #endif
+#ifndef CRACKLIB_API
+#define CRACKLIB_API extern
+#endif
+
 /* Pass these functions a password (pw) and a path to the
 * dictionaries (/usr/lib/cracklib_dict should be specified)
 * and it will either return a NULL string, meaning that the
@@ -18,13 +22,13 @@ extern "C" {
 * You must link with -lcrack */
-extern const char *FascistCheck(const char *pw, const char *dictpath);
-extern const char *FascistCheckUser(const char *pw, const char *dictpath,
+CRACKLIB_API const char *FascistCheck(const char *pw, const char *dictpath);
+CRACKLIB_API const char *FascistCheckUser(const char *pw, const char *dictpath,
 const char *user, const char *gecos);
 /* This function returns the compiled in value for DEFAULT_CRACKLIB_DICT. */
-extern const char *GetDefaultCracklibDict(void);
+CRACKLIB_API const char *GetDefaultCracklibDict(void);
 #ifdef __cplusplus
 };
Index: lib/packer.h
===================================================================
--- lib/packer.h.orig
+++ lib/packer.h
@@ -76,7 +76,7 @@ typedef struct
 #define PIH_MAGIC 0x70775631 /* Internal routines */
-extern char *GetPW(PWDICT *pwp, uint32_t number);
+CRACKLIB_API char *GetPW(PWDICT *pwp, uint32_t number);
 #else
@@ -87,15 +87,15 @@ typedef struct {
 #endif
-extern PWDICT *PWOpen(const char *prefix, char *mode);
-extern int PWClose(PWDICT *pwp);
-extern unsigned int FindPW(PWDICT *pwp, char *string);
-extern int PutPW(PWDICT *pwp, char *string);
-extern int PMatch(char *control, char *string);
-extern char *Mangle(char *input, char *control);
-extern char Chop(char *string);
-extern char *Trim(char *string);
-extern char *FascistLook(PWDICT *pwp, char *instring);
+CRACKLIB_API PWDICT *PWOpen(const char *prefix, char *mode);
+CRACKLIB_API int PWClose(PWDICT *pwp);
+CRACKLIB_API unsigned int FindPW(PWDICT *pwp, char *string);
+CRACKLIB_API int PutPW(PWDICT *pwp, char *string);
+CRACKLIB_API int PMatch(char *control, char *string);
+CRACKLIB_API char *Mangle(char *input, char *control);
+CRACKLIB_API char Chop(char *string);
+CRACKLIB_API char *Trim(char *string);
+CRACKLIB_API char *FascistLook(PWDICT *pwp, char *instring);
 extern char *FascistLookUser(PWDICT *pwp, char *instring, const char *user, const char *gecos);
 extern char *FascistGecos(char *password, int uid);
 extern char *FascistGecosUser(char *password, const char *user, const char *gecos);
++++++ 0003-overflow-processing-gecos.patch ++++++
(2016-08-10) The patch authored by Raed Albuliwi addresses a buffer overflow in the parser of GECOS field of user account information. CVE-2016-6318 has been assigned to the issue.
diff -rupN cracklib-2.9.5/lib/fascist.c cracklib-2.9.5-patched/lib/fascist.c
--- cracklib-2.9.5/lib/fascist.c 2015-04-11 19:18:12.000000000 +0200
+++ cracklib-2.9.5-patched/lib/fascist.c 2016-08-16 11:08:59.635876877 +0200
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
 char gbuffer[STRINGSIZE];
 char tbuffer[STRINGSIZE];
 char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
 if (gecos == NULL) gecos = "";
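Review bot: Shrinking `longbuffer` from `STRINGSIZE * 2` to `STRINGSIZE` removes the slack the old declaration had, so every write into it now depends on the length guards added in the second hunk of this patch, and those guards repeat the literal `STRINGSIZE` instead of deriving the limit from the array. Writing them against the buffer itself, e.g. `if (strlen(uwords[i]) + strlen(uwords[j]) < sizeof longbuffer)`, would keep the declaration and the checks in step if the size is changed again. FascistGecosUser starts before and continues past this hunk, so any other write to `longbuffer`, and the code that fills `gbuffer`, `tbuffer` and `uwords`, cannot be checked from here and should be reviewed against the same bound. A one-line comment on the declaration, such as `/* every write below is length-checked against sizeof longbuffer */`, would record why the smaller size is safe.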
@@ -583,38 +583,46 @@ FascistGecosUser(char *password, const c
 {
 for (i = 0; i < j; i++)
 {
- strcpy(longbuffer, uwords[i]);
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 {
- return _("it is derived from your password entry");
+ strcpy(longbuffer, uwords[i]);
+ strcat(longbuffer, uwords[j]);
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derived from your password entry");
+ }
+
+ strcpy(longbuffer, uwords[j]);
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derived from your password entry");
+ }
 }
- strcpy(longbuffer, uwords[j]);
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
 {
- return _("it's derived from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derivable from your password entry");
+ }
 }
- longbuffer[0] = uwords[i][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
- {
- return _("it is derivable from your password entry");
- }
-
- longbuffer[0] = uwords[j][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
 {
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derivable from your password entry");
+ }
 }
 }
 }
++++++ 0004-overflow-processing-long-words.patch ++++++
The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the mangle operations involves duplicating the input word, resulting in a string twice the length to be accommodated by both area variables.
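Review bot: When a pair of GECOS words is too long, the new `if (strlen(...) ... < STRINGSIZE)` guards skip the candidate without any trace, so the password is simply not tested against that combination; that is presumably acceptable only if the password itself is bounded below `STRINGSIZE`, which is not visible in this hunk. A short comment on the first guard would record the decision, for example `/* too long for longbuffer: skip the candidate rather than truncate it */`. The `strcpy`/`strcat` pairs inside the guards could also be replaced by one bounded call whose result is the check, `n = snprintf(longbuffer, sizeof longbuffer, "%s%s", uwords[i], uwords[j]);` followed by `if (n >= 0 && (size_t)n < sizeof longbuffer && GTry(longbuffer, password))`, so that the length test and the copy cannot disagree. The enclosing loops of FascistGecosUser begin outside the hunk.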
Howard Guo <[email protected]> 2016-08-17
diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
--- 3/lib/rules.c 2016-08-16 14:16:24.033261876 +0200
+++ 3-patched/lib/rules.c 2016-08-17 13:57:14.485782894 +0200
@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a poi
 {
 int limit;
 register char *ptr;
- static char area[STRINGSIZE];
- char area2[STRINGSIZE];
- area[0] = '\0';
+ static char area[STRINGSIZE * 2] = {0};
+ char area2[STRINGSIZE * 2] = {0};
 strcpy(area, input);
 for (ptr = control; *ptr; ptr++)
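Review bot: The doubled `area`/`area2` size is safe only under two conditions that the visible code does not enforce: that `input` is shorter than `STRINGSIZE`, and that a control string doubles the word at most once. `strcpy(area, input)` is still an unbounded copy, and the visibility patch in this same commit declares `Mangle` with `CRACKLIB_API` in lib/packer.h, so callers outside the library can pass longer strings than the patch description assumes. A guard ahead of the copy, such as `if (strlen(input) >= STRINGSIZE) return NULL;` (or whatever failure value the function already uses), would make the stated guarantee local to the function. The rule loop that follows is outside the hunk, so whether repeated duplication rules can grow the word past `STRINGSIZE * 2` needs to be confirmed there. The initializer on the `static` array also runs once rather than per call, which is harmless here only because the `strcpy` overwrites the buffer.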
