* cracklib: Fix buffer overflow
@ 2016-09-15 15:36 Leo Famulari
From: Leo Famulari @ 2016-09-15 15:36 UTC (permalink / raw)
To: guix-devel
This patch cherry-picks an upstream commit to fix a buffer overflow in
cracklib. Please see the patch file for more information about the bug.
[-- Attachment #1.2: 0001-gnu-cracklib-Fix-buffer-overflow.patch --]
From 62f8f1763ba1766e92e8dc05686bd9353eaf2ad5 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 15 Sep 2016 11:34:49 -0400
Subject: [PATCH] gnu: cracklib: Fix buffer overflow.
* gnu/packages/patches/cracklib-fix-buffer-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/password-utils.scm (cracklib)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/password-utils.scm | 3 +-
.../patches/cracklib-fix-buffer-overflow.patch | 39 ++++++++++++++++++++++
3 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/cracklib-fix-buffer-overflow.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a7006cb..ab052af 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -473,6 +473,7 @@ dist_patch_DATA = \
%D%/packages/patches/cpio-CVE-2016-2037.patch \
%D%/packages/patches/cpufrequtils-fix-aclocal.patch \
%D%/packages/patches/cracklib-CVE-2016-6318.patch \
+ %D%/packages/patches/cracklib-fix-buffer-overflow.patch \
%D%/packages/patches/crda-optional-gcrypt.patch \
%D%/packages/patches/crossmap-allow-system-pysam.patch \
%D%/packages/patches/csound-header-ordering.patch \
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 7288da6..40ed933 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -160,7 +160,8 @@ and vice versa.")
(uri (string-append "https://github.com/cracklib/cracklib/"
"releases/download/" name "-" version "/"
name "-" version ".tar.gz"))
- (patches (search-patches "cracklib-CVE-2016-6318.patch"))
+ (patches (search-patches "cracklib-CVE-2016-6318.patch"
+ "cracklib-fix-buffer-overflow.patch"))
(sha256
(base32
"0hrkb0prf7n92w6rxgq0ilzkk6rkhpys2cfqkrbzswp27na7dkqp"))))
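Review bot: The new patch file name carries no bug identifier, unlike the sibling `cracklib-CVE-2016-6318.patch` on the line above it; the embedded patch header cites a Debian bug (835386) and an oss-security post, so consider a name or a comment in the recipe that references one of those, otherwise the two cracklib patches cannot be told apart from the package definition alone. Leaving the tarball `sha256` untouched is correct here, since `search-patches` applies the patches after the fetch rather than changing the source.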
diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
new file mode 100644
index 0000000..b1c990f
--- /dev/null
+++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
@@ -0,0 +1,39 @@
+Fix buffer overflow processing long words in Mangle().
+
+Patch adpated from upstream commit, omitting changes to 'NEWS':
+
+https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb
+
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/lib/rules.c
++++ b/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
+ {
+ int limit;
+ register char *ptr;
+- static char area[STRINGSIZE];
+- char area2[STRINGSIZE];
+- area[0] = '\0';
++ static char area[STRINGSIZE * 2] = {0};
++ char area2[STRINGSIZE * 2] = {0};
+ strcpy(area, input);
+
+ for (ptr = control; *ptr; ptr++)
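Review bot: The diffstat carried inside the embedded patch (`src/NEWS | 1 +`, `src/lib/rules.c | 5 ++---`) no longer matches the diff below it: the NEWS change is omitted, as the header says, and the `---`/`+++` paths read `lib/rules.c` without the `src/` prefix, presumably adjusted to the release tarball layout. Drop or correct the diffstat and mention the path adjustment next to the "omitting changes to 'NEWS'" sentence so a reader comparing against the upstream commit is not misled; "adpated" in that sentence is also a typo. On the fix itself, `strcpy(area, input)` remains unbounded, so doubling `area` and `area2` to `STRINGSIZE * 2` only holds if every caller of `Mangle()` limits `input` to `STRINGSIZE`; that assumption is not visible in this hunk and deserves a sentence in the patch header. The `= {0}` initializer is redundant for the static `area` (statics are already zeroed) and, on the automatic `area2`, zeroes the whole buffer on every call; it is harmless, but the dropped `area[0] = '\0'` was already made unnecessary by the `strcpy` that follows.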
--
2.10.0
* Re: cracklib: Fix buffer overflow
From: Efraim Flashner @ 2016-09-20 9:32 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On Thu, Sep 15, 2016 at 11:36:46AM -0400, Leo Famulari wrote:
> This patch cherry-picks an upstream commit to fix a buffer overflow in
> cracklib. Please see the patch file for more information about the bug.
> From 62f8f1763ba1766e92e8dc05686bd9353eaf2ad5 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Thu, 15 Sep 2016 11:34:49 -0400
> Subject: [PATCH] gnu: cracklib: Fix buffer overflow.
>
> * gnu/packages/patches/cracklib-fix-buffer-overflow.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/password-utils.scm (cracklib)[source]: Use it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/password-utils.scm | 3 +-
> .../patches/cracklib-fix-buffer-overflow.patch | 39 ++++++++++++++++++++++
> 3 files changed, 42 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/cracklib-fix-buffer-overflow.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index a7006cb..ab052af 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -473,6 +473,7 @@ dist_patch_DATA = \
> %D%/packages/patches/cpio-CVE-2016-2037.patch \
> %D%/packages/patches/cpufrequtils-fix-aclocal.patch \
> %D%/packages/patches/cracklib-CVE-2016-6318.patch \
> + %D%/packages/patches/cracklib-fix-buffer-overflow.patch \
> %D%/packages/patches/crda-optional-gcrypt.patch \
> %D%/packages/patches/crossmap-allow-system-pysam.patch \
> %D%/packages/patches/csound-header-ordering.patch \
> diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
> index 7288da6..40ed933 100644
> --- a/gnu/packages/password-utils.scm
> +++ b/gnu/packages/password-utils.scm
> @@ -160,7 +160,8 @@ and vice versa.")
> (uri (string-append "https://github.com/cracklib/cracklib/"
> "releases/download/" name "-" version "/"
> name "-" version ".tar.gz"))
> - (patches (search-patches "cracklib-CVE-2016-6318.patch"))
> + (patches (search-patches "cracklib-CVE-2016-6318.patch"
> + "cracklib-fix-buffer-overflow.patch"))
> (sha256
> (base32
> "0hrkb0prf7n92w6rxgq0ilzkk6rkhpys2cfqkrbzswp27na7dkqp"))))
> diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
> new file mode 100644
> index 0000000..b1c990f
> --- /dev/null
> +++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
> @@ -0,0 +1,39 @@
> +Fix buffer overflow processing long words in Mangle().
> +
> +Patch adpated from upstream commit, omitting changes to 'NEWS':
> +
> +https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb
> +
> +From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
> +From: Jan Dittberner <jan@dittberner.info>
> +Date: Thu, 25 Aug 2016 17:17:53 +0200
> +Subject: [PATCH] Fix a buffer overflow processing long words
> +
> +A buffer overflow processing long words has been discovered. This commit
> +applies the patch from
> +https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
> +by Howard Guo.
> +
> +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
> +http://www.openwall.com/lists/oss-security/2016/08/23/8
> +---
> + src/NEWS | 1 +
> + src/lib/rules.c | 5 ++---
> + 2 files changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/lib/rules.c b/src/lib/rules.c
> +index d193cc0..3a2aa46 100644
> +--- a/lib/rules.c
> ++++ b/lib/rules.c
> +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
> + {
> + int limit;
> + register char *ptr;
> +- static char area[STRINGSIZE];
> +- char area2[STRINGSIZE];
> +- area[0] = '\0';
> ++ static char area[STRINGSIZE * 2] = {0};
> ++ char area2[STRINGSIZE * 2] = {0};
> + strcpy(area, input);
> +
> + for (ptr = control; *ptr; ptr++)
> --
> 2.10.0
>
not having looked at the full source of lib/rules.c, is there a maximum
value to STRINGSIZE to make sure STRINGSIZE * 2 doesn't wrap around?
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* Re: cracklib: Fix buffer overflow
From: Leo Famulari @ 2016-09-20 17:43 UTC (permalink / raw)
To: Efraim Flashner; +Cc: guix-devel
On Tue, Sep 20, 2016 at 12:32:02PM +0300, Efraim Flashner wrote:
> > +diff --git a/src/lib/rules.c b/src/lib/rules.c
> > +index d193cc0..3a2aa46 100644
> > +--- a/lib/rules.c
> > ++++ b/lib/rules.c
> > +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
> > + {
> > + int limit;
> > + register char *ptr;
> > +- static char area[STRINGSIZE];
> > +- char area2[STRINGSIZE];
> > +- area[0] = '\0';
> > ++ static char area[STRINGSIZE * 2] = {0};
> > ++ char area2[STRINGSIZE * 2] = {0};
> > + strcpy(area, input);
> > +
> > + for (ptr = control; *ptr; ptr++)
> > --
> > 2.10.0
> >
>
> not having looked at the full source of lib/rules.c, is there a maximum
> value to STRINGSIZE to make sure STRINGSIZE * 2 doesn't wrap around?
STRINGSIZE is defined in 'lib/packer.h' as 1024:
https://github.com/cracklib/cracklib/blob/cracklib-2.9.6/src/lib/packer.h#L11
I just looked at all the uses of STRINGSIZE in order to give a brief
overview of how it's used, but I'm not skilled enough to recognize every
case where it might be dangerous and overflow.
STRINGSIZE is used to declare many char arrays, an array of pointers,
and as an argument to fgets, snprintf, and strncpy. Also the object
macro TRUNCSTRINGSIZE is defined as (STRINGSIZE / 4).
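As an added example, not cracklib's code and not part of this thread, here is the check the `rules.c` hunk relies on its callers to perform: a bounded copy that rejects input too long for its destination before anything is copied, and a `Mangle()`-shaped wrapper that runs a word through a `STRINGSIZE * 2` work area. `STRINGSIZE = 1024` is taken from the reply above; the word-duplicating rule (standing in for a mangling rule that can lengthen its input), the `STRINGSIZE` bound on callers, and all function names are constructed for illustration.

```c
/* Added example, not cracklib code: bounded copy plus a Mangle()-shaped
 * wrapper that rejects over-long input before it could reach strcpy().
 * STRINGSIZE = 1024 is from the thread; the duplicating rule and the
 * STRINGSIZE bound on callers are constructed assumptions. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STRINGSIZE 1024

/* Length of s, scanning at most max bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy input into out[outsz] only if it fits together with its terminator.
 * Returns 0 on success, -1 if the input is rejected as too long. */
int bounded_copy(char *out, size_t outsz, const char *input)
{
    size_t n = bounded_len(input, outsz);
    if (n >= outsz)                  /* no room for the '\0' */
        return -1;
    memcpy(out, input, n + 1);
    return 0;
}

/* Constructed stand-in for a word-lengthening rule: write the word twice.
 * The output needs 2*len + 1 bytes, the kind of growth that makes a
 * STRINGSIZE * 2 work area necessary for a STRINGSIZE-bounded input. */
int duplicate_word(char *out, size_t outsz, const char *word)
{
    size_t n = strlen(word);
    if (outsz == 0 || n > (outsz - 1) / 2)   /* i.e. 2*n + 1 > outsz */
        return -1;
    memcpy(out, word, n);
    memcpy(out + n, word, n + 1);
    return 0;
}

/* The wrap-around question from the thread: an array size written as
 * STRINGSIZE * 2 is int arithmetic, so it is safe only while
 * STRINGSIZE <= INT_MAX / 2. Returns 1 if the doubled size fits. */
int doubled_size_fits(long stringsize)
{
    return stringsize > 0 && stringsize <= INT_MAX / 2;
}

/* Mangle()-shaped pipeline: enforce the caller-side bound (input shorter
 * than STRINGSIZE) before copying into the doubled work area, apply the
 * rule, then copy the result out. Returns the result length, or -1 if any
 * stage rejects its input. */
long mangle_checked(const char *input, char *result, size_t resultsz)
{
    char area[STRINGSIZE * 2];
    char area2[STRINGSIZE * 2];
    if (bounded_copy(area, STRINGSIZE, input) != 0)   /* caller-side bound */
        return -1;
    if (duplicate_word(area2, sizeof area2, area) != 0)
        return -1;
    if (bounded_copy(result, resultsz, area2) != 0)
        return -1;
    return (long)strlen(result);
}

/* Constructed inputs: a short word, the longest accepted word (1023 chars)
 * and one character more (1024 chars), which the bound must reject. */
long demo_short_word(void)
{
    char result[STRINGSIZE * 2];
    return mangle_checked("abc", result, sizeof result);   /* 6 */
}

long demo_longest_accepted(void)
{
    char word[STRINGSIZE];
    char result[STRINGSIZE * 2];
    memset(word, 'a', STRINGSIZE - 1);
    word[STRINGSIZE - 1] = '\0';
    return mangle_checked(word, result, sizeof result);    /* 2046 */
}

long demo_overlong_rejected(void)
{
    char word[STRINGSIZE + 1];
    char result[STRINGSIZE * 2];
    memset(word, 'a', STRINGSIZE);
    word[STRINGSIZE] = '\0';
    return mangle_checked(word, result, sizeof result);    /* -1 */
}

int main(void)
{
    printf("short: %ld, longest accepted: %ld, overlong: %ld, "
           "STRINGSIZE * 2 fits an int: %d\n",
           demo_short_word(), demo_longest_accepted(),
           demo_overlong_rejected(), doubled_size_fits(STRINGSIZE));
    return 0;
}
```

The point of the wrapper is that the doubled work area only protects `strcpy` when the input is already bounded; `bounded_copy` makes that bound explicit at the boundary instead of leaving it to each caller. The `doubled_size_fits` check answers the wrap-around question for the value in the thread: 1024 is far below `INT_MAX / 2`, so `STRINGSIZE * 2` cannot overflow.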
* Re: cracklib: Fix buffer overflow
From: Leo Famulari @ 2017-01-10 20:33 UTC (permalink / raw)
To: guix-devel
On Thu, Sep 15, 2016 at 11:36:46AM -0400, Leo Famulari wrote:
> This patch cherry-picks an upstream commit to fix a buffer overflow in
> cracklib. Please see the patch file for more information about the bug.
> From 62f8f1763ba1766e92e8dc05686bd9353eaf2ad5 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Thu, 15 Sep 2016 11:34:49 -0400
> Subject: [PATCH] gnu: cracklib: Fix buffer overflow.
>
> * gnu/packages/patches/cracklib-fix-buffer-overflow.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/password-utils.scm (cracklib)[source]: Use it.
I forgot about this patch.
Debian applied it:
https://anonscm.debian.org/cgit/pkg-cracklib/pkg-cracklib.git/tree/debian/patches/overflow-processing-long-words.patch
I'll push it today if I hear no objections.