Hello community,

here is the log from the commit of package pwdutils for openSUSE:11.4
checked in at Fri Jul 29 18:11:30 CEST 2011.

Patchinfo file has no description
Patchinfo file has no description
Patchinfo file has no description


--------
--- old-versions/11.4/all/pwdutils/pwdutils.changes     2011-02-02 
13:05:56.000000000 +0100
+++ 11.4/pwdutils/pwdutils.changes      2011-07-20 17:21:36.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Jul 20 15:18:37 UTC 2011 - lnus...@suse.de
+
+- change blowfish id from 2a to 2y (bnc#700876, CVE-2011-2483)
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback 
old-versions/11.4/all/pwdutils
Destination is old-versions/11.4/UPDATES/all/pwdutils
calling whatdependson for 11.4-i586


New:
----
  pwdutils-3.2.14-CVE-2011-2483.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pwdutils.spec ++++++
--- /var/tmp/diff_new_pack.yWtTws/_old  2011-07-29 18:11:18.000000000 +0200
+++ /var/tmp/diff_new_pack.yWtTws/_new  2011-07-29 18:11:18.000000000 +0200
@@ -29,14 +29,16 @@
 Group:          System/Base
 AutoReqProv:    on
 Version:        3.2.14
-Release:        1
+Release:        4.<RELEASE5>
 Summary:        Utilities to Manage User and Group Accounts
 Requires:       pam-modules
+Requires:       libxcrypt-crypt_blowfish >= 1.2
 Source:         pwdutils-%{version}.tar.bz2
 Source2:        ldap.conf
 Source3:        useradd.default
 Source4:        baselibs.conf
 Patch0:         %{name}-selinux-useradd.patch
+Patch1:         pwdutils-3.2.14-CVE-2011-2483.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -77,6 +79,7 @@
 %prep
 %setup -q
 %patch0
+%patch1 -p1
 
 %build
 %configure --with-ldap-conf-file=/etc/ldap.conf \

++++++ pwdutils-3.2.14-CVE-2011-2483.diff ++++++
Index: pwdutils-3.2.14/src/chpasswd.c
===================================================================
--- pwdutils-3.2.14.orig/src/chpasswd.c
+++ pwdutils-3.2.14/src/chpasswd.c
@@ -342,7 +342,7 @@ main (int argc, char *argv[])
              /* blowfish has a limit of 72 characters */
              if (use_crypt == BLOWFISH && strlen (cp) > 72)
                cp[72] = '\0';
-             salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */);
+             salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */);
              if (salt != NULL)
                pw_data->newpassword = strdup (crypt_r (cp, salt, &output));
              else
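Review bot: The new `$2y$` setting string is handed to `crypt_r` whose result goes straight into `strdup` on the following line, and a NULL return from `crypt_r` (glibc returns NULL when it does not recognise the setting string, which is exactly the case on a system whose crypt library predates the `$2y$` identifier that the spec now requires at package level only) is undefined behaviour in `strdup`. The same pattern is in the gpasswd.c hunk of this patch. Capture the hash first and route the failure into the existing error path: `char *hash = crypt_r (cp, salt, &output);` then `if (hash == NULL) { /* report and fail as in the salt == NULL branch */ }` before `pw_data->newpassword = strdup (hash);`. As a point of style, the prefix literal is now duplicated verbatim in chpasswd.c and gpasswd.c; a single named constant for the blowfish setting prefix would keep the two utilities from drifting apart again. main() begins and ends outside this hunk.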
Index: pwdutils-3.2.14/src/gpasswd.c
===================================================================
--- pwdutils-3.2.14.orig/src/gpasswd.c
+++ pwdutils-3.2.14/src/gpasswd.c
@@ -432,7 +432,7 @@ main (int argc, char **argv)
              /* blowfish has a limit of 72 characters */
              if (use_crypt == BLOWFISH && strlen (p1) > 72)
                p1[72] = '\0';
-              salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */);
+              salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */);
               if (salt != NULL)
                 gr_data->newpassword = strdup (crypt_r (p1, salt, &output));
               else
Index: pwdutils-3.2.14/etc/default/passwd
===================================================================
--- pwdutils-3.2.14.orig/etc/default/passwd
+++ pwdutils-3.2.14/etc/default/passwd
@@ -26,3 +26,20 @@ BLOWFISH_CRYPT_FILES=10
 
 # For NIS, we should always use DES:
 CRYPT_YP=des
+ 
+# In June 2011 it was discovered that the Linux crypt_blowfish
+# implementation contained a bug that made passwords with non-ASCII
+# characters easier to crack (CVE-2011-2483). Affected passwords are
+# also incompatible with the original, correct OpenBSD
+# implementation. Therefore the $2a hash identifier previously used
+# for blowfish now is ambiguous as it could mean the hash was
+# generated with the correct implementation on OpenBSD or the buggy
+# one on Linux. To avoid the ambiguity two new identifier were
+# introduced. $2x now explicitly identifies hashes that were
+# generated with the buggy algorithm while $2y is used for hashes
+# generated with the correct algorithm. New passwords are now
+# generated with the $2y identifier.
+#
+# Setting the following option to "yes" tells the sytem that $2a
+# hashes are to be treated as generated with the buggy algorithm.
+BLOWFISH_2a2x=yes
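Review bot: The explanatory comment above `BLOWFISH_2a2x=yes` stops short of the consequence administrators need: with this option set, existing `$2a` hashes presumably keep being verified with the buggy algorithm, so any password that was weakened by the defect stays weakened until the user sets a new one, and only newly set passwords get the `$2y` treatment. A closing sentence such as `# Existing $2a hashes keep their original strength until the password is changed; consider expiring affected passwords.` would make that explicit (wording to be confirmed against how the crypt library actually treats $2a with this option). The same comment has two typos, `sytem` for `system` and `two new identifier were` for `two new identifiers were`, and the first added line of the hunk is whitespace only.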

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


