[Pkg-cracklib-commits] [pkg-cracklib] 01/01: CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS fields. (Closes: #834502) thanks to Chris Lamb for the patch

Jan Dittberner jandd at moszumanska.debian.org
Tue Aug 23 15:48:00 UTC 2016


This is an automated email from the git hooks/post-receive script.

jandd pushed a commit to branch master
in repository pkg-cracklib.

commit ee497744a62398c6eb39b291e65e2470c4a61a59
Author: Jan Dittberner <jandd at debian.org>
Date:   Tue Aug 23 17:46:07 2016 +0200

    CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS fields. (Closes: #834502) thanks to Chris Lamb for the patch
---
 debian/changelog                   |   7 +++
 debian/patches/CVE-2016-6318.patch | 123 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   2 +
 3 files changed, 132 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 303ea2f..127f964 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cracklib2 (2.9.2-2) UNRELEASED; urgency=medium
+
+  * CVE-2016-6318: Fix stack-based buffer overflow when parsing large GECOS
+    fields. (Closes: #834502) thanks to Chris Lamb for the patch
+
+ -- Jan Dittberner <jandd at debian.org>  Tue, 23 Aug 2016 17:45:10 +0200
+
 cracklib2 (2.9.2-1) unstable; urgency=medium
 
   * New upstream version (Closes: #724570)
diff --git a/debian/patches/CVE-2016-6318.patch b/debian/patches/CVE-2016-6318.patch
new file mode 100644
index 0000000..e7a11ac
--- /dev/null
+++ b/debian/patches/CVE-2016-6318.patch
@@ -0,0 +1,123 @@
+--- cracklib2-2.8.19.orig/lib/fascist.c
++++ cracklib2-2.8.19/lib/fascist.c
+@@ -509,7 +509,7 @@ FascistGecos(password, uid)
+     size_t sbufferlen = LINE_MAX;
+ #endif
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
++    char longbuffer[STRINGSIZE];
+ 
+ #ifdef HAVE_GETPWUID_R
+     sbuffer = malloc(sbufferlen);
+@@ -636,58 +636,67 @@ FascistGecos(password, uid)
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it is derived from your password entry");
+-	    }
+-
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
++		strcpy(longbuffer, uwords[i]);
++		strcat(longbuffer, uwords[j]);
+ 
+-	    if (GTry(longbuffer, password))
+-	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it's derived from your password entry");
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it is derived from your password entry");
++		}
++
++		strcpy(longbuffer, uwords[j]);
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it's derived from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it is derivable from your password entry");
++		longbuffer[0] = uwords[i][0];
++		longbuffer[1] = '\0';
++	    	strcat(longbuffer, uwords[j]);
++
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it is derivable from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-	        if (sbuffer)
+-	        {
+-	       	    free(sbuffer);
+-		    sbuffer = NULL;
+-	        }
+-		return _("it's derivable from your password entry");
++		longbuffer[0] = uwords[j][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    if (sbuffer)
++		    {
++			free(sbuffer);
++			sbuffer = NULL;
++		    }
++		    return _("it's derivable from your password entry");
++		}
+ 	    }
+ 	}
+     }
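Review bot: The three new length guards in the second nested hunk hard-code `STRINGSIZE`, while `longbuffer` is resized in the separate first nested hunk, so nothing ties the bound to the buffer that the remaining `strcpy`/`strcat` calls write into. Writing them against the object keeps the check correct if the declaration changes again: `if (strlen(uwords[i]) + strlen(uwords[j]) < sizeof(longbuffer))` and `if (strlen(uwords[j]) < sizeof(longbuffer) - 1)` (likewise for `uwords[i]`). A one-line comment at the declaration saying why the buffer shrank from `STRINGSIZE * 2` would help the next maintainer; presumably the code behind `GTry()` assumes at most STRINGSIZE bytes, but `GTry` and the rest of `FascistGecos` are outside these hunks, so confirm before wording it. The patch file also starts directly at the `---` line with no DEP-3 header; adding `Description:`, `Author:` (Chris Lamb, per the changelog) and a `Bug-Debian:` field for #834502 would keep the provenance of this security fix with the patch itself.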
diff --git a/debian/patches/series b/debian/patches/series
index d84a0e6..32f2c9e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 install-debian-python-modules.patch
+pass-dict-to-cracklib-test.patch
 libcrack2-error-safer-check-variant.patch
 improve_test_737040.patch
+CVE-2016-6318.patch
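Review bot: This hunk also adds `pass-dict-to-cracklib-test.patch` to the series, which the commit neither creates (the diffstat lists three files and the only new patch is CVE-2016-6318.patch) nor mentions in the changelog entry. If that file is not already present in debian/patches, applying the series would likely stop there and the CVE fix listed after it would not be applied. Either move the line to its own commit, or add a changelog bullet that names the patch and says why it is being enabled, so the security upload does not carry an undocumented change.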

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cracklib/pkg-cracklib.git


