unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/1] Cracklib security CVE-2016-6318
@ 2016-08-17  2:49 Leo Famulari
  2016-08-17  2:49 ` [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318 Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-17  2:49 UTC
  To: guix-devel

A stack overflow in Cracklib that could potentially lead to arbitrary
code execution was just disclosed:

http://seclists.org/oss-sec/2016/q3/290

"When an application compiled against the cracklib library, such as
"passwd" is used to parse the GECOS field, it could cause the
application to crash or execute arbitrary code with the permissions of
the user running such an application."

The message recommends this patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1364944#c2

For us, cracklib is used by libpwquality, which is used in turn by
gnome-control-center.

Passwd is safe:
$ guix build --check shadow
[...]
shadow will be compiled with the following features:

	auditing support:		no
	CrackLib support:		no
	PAM support:			yes
	suid account management tools:	yes
	SELinux support:		no
	ACL support:			no
	Extended Attributes support:	no
	tcb support (incomplete):	no
	shadow group support:		yes
	S/Key support:			no
	SHA passwords encryption:	yes
	nscd support:			yes
	subordinate IDs support:	yes

Leo Famulari (1):
  gnu: cracklib: Fix CVE-2016-6318.

 gnu/local.mk                                      |  1 +
 gnu/packages/password-utils.scm                   |  2 +
 gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch

-- 
2.9.3
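
Added example, not part of the original message or of Guix: the manual check of shadow's configure summary shown in the message, turned into a repeatable shell check. feature_state, sample_summary and cracklib_free are hypothetical helper names, and the sample input is constructed from the summary quoted in the message.

```shell
# Report whether a named feature is compiled in, given a configure feature
# summary in the format of the shadow output quoted in the message.
# feature_state is a hypothetical helper, not part of Guix or shadow.
feature_state() {
    # $1 = feature label, e.g. "CrackLib support"; the summary is read on stdin.
    # Prints yes, no, or unknown. "unknown" covers a missing, repeated or
    # malformed line, so a changed summary format is never read as "not linked".
    awk -v want="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            i = index(line, ":")
            if (i == 0) next                  # not a "label: value" line
            label = substr(line, 1, i - 1)
            value = substr(line, i + 1)
            gsub(/[ \t]/, "", value)          # drop padding around the value
            if (tolower(label) == tolower(want)) { n++; v = value }
        }
        END {
            if (n == 1 && (v == "yes" || v == "no")) print v
            else print "unknown"
        }'
}

# Constructed sample input: three lines taken from the summary in the message.
sample_summary() {
    printf '\tauditing support:\t\tno\n'
    printf '\tCrackLib support:\t\tno\n'
    printf '\tPAM support:\t\t\tyes\n'
}

# Succeeds only when the summary on stdin positively says CrackLib is off.
cracklib_free() {
    [ "$(feature_state 'CrackLib support')" = "no" ]
}
```

Feed it the text of a build log on stdin; a result of "unknown" means the summary needs to be read by hand rather than treated as safe.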

Thread overview: 5+ messages
2016-08-17  2:49 [PATCH 0/1] Cracklib security CVE-2016-6318 Leo Famulari
2016-08-17  2:49 ` [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318 Leo Famulari
2016-08-17  4:29   ` Eric Bavier
2016-08-17  4:44     ` Leo Famulari
2016-08-23 21:06       ` Leo Famulari
