all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [PATCH 0/1] Cracklib security CVE-2016-6318
@ 2016-08-17  2:49 Leo Famulari
  2016-08-17  2:49 ` [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318 Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-17  2:49 UTC (permalink / raw)
  To: guix-devel

A stack overflow in Cracklib that could potentially lead to arbitrary
code execution was just disclosed:

http://seclists.org/oss-sec/2016/q3/290

"When an application compiled against the cracklib libary, such as
"passwd" is used to parse the GECOS field, it could cause the
application to crash or execute arbitary code with the permissions of
the user running such an application."

The message recommends this patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1364944#c2

For us, cracklib is used by libpwquality, which is used in turn by
gnome-control-center.

Passwd is safe:
$ guix build --check shadow
[...]
shadow will be compiled with the following features:

	auditing support:		no
	CrackLib support:		no
	PAM support:			yes
	suid account management tools:	yes
	SELinux support:		no
	ACL support:			no
	Extended Attributes support:	no
	tcb support (incomplete):	no
	shadow group support:		yes
	S/Key support:			no
	SHA passwords encryption:	yes
	nscd support:			yes
	subordinate IDs support:	yes

Leo Famulari (1):
  gnu: cracklib: Fix CVE-2016-6318.

 gnu/local.mk                                      |  1 +
 gnu/packages/password-utils.scm                   |  2 +
 gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch

-- 
2.9.3

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318.
  2016-08-17  2:49 [PATCH 0/1] Cracklib security CVE-2016-6318 Leo Famulari
@ 2016-08-17  2:49 ` Leo Famulari
  2016-08-17  4:29   ` Eric Bavier
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-17  2:49 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/patches/cracklib-CVE-2016-6318.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/password-utils.scm (cracklib)[source]: Use the patch.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/password-utils.scm                   |  2 +
 gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 7416850..d890046 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -464,6 +464,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/cpio-gets-undeclared.patch		\
   %D%/packages/patches/cpio-CVE-2016-2037.patch			\
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch		\
+  %D%/packages/patches/cracklib-CVE-2016-6318.patch		\
   %D%/packages/patches/crda-optional-gcrypt.patch		\
   %D%/packages/patches/crossmap-allow-system-pysam.patch	\
   %D%/packages/patches/csound-header-ordering.patch		\
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 7a8bdcb..7288da6 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -29,6 +29,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix download)
   #:use-module (guix packages)
+  #:use-module (gnu packages)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages base)
   #:use-module (gnu packages compression)
@@ -159,6 +160,7 @@ and vice versa.")
               (uri (string-append "https://github.com/cracklib/cracklib/"
                                   "releases/download/" name "-" version "/"
                                   name "-" version ".tar.gz"))
+              (patches (search-patches "cracklib-CVE-2016-6318.patch"))
               (sha256
                (base32
                 "0hrkb0prf7n92w6rxgq0ilzkk6rkhpys2cfqkrbzswp27na7dkqp"))))
diff --git a/gnu/packages/patches/cracklib-CVE-2016-6318.patch b/gnu/packages/patches/cracklib-CVE-2016-6318.patch
new file mode 100644
index 0000000..4806eca
--- /dev/null
+++ b/gnu/packages/patches/cracklib-CVE-2016-6318.patch
@@ -0,0 +1,95 @@
+Fix CVE-2016-6318.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318
+
+Patch copied from Red Hat:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6318
+https://bugzilla.redhat.com/attachment.cgi?id=1188599&action=diff
+
+It is not safe to pass words longer than STRINGSIZE further to cracklib
+so the longbuffer cannot be longer than STRINGSIZE.
+diff -up cracklib-2.9.0/lib/fascist.c.longgecos cracklib-2.9.0/lib/fascist.c
+--- cracklib-2.9.0/lib/fascist.c.longgecos	2014-02-06 16:03:59.000000000 +0100
++++ cracklib-2.9.0/lib/fascist.c	2016-08-08 12:05:40.279235815 +0200
+@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
++    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+ 	gecos = "";
+@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-		return _("it is derived from your password entry");
+-	    }
+-
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
++		strcpy(longbuffer, uwords[i]);
++		strcat(longbuffer, uwords[j]);
+ 
+-	    if (GTry(longbuffer, password))
+-	    {
+-		return _("it's derived from your password entry");
++		if (GTry(longbuffer, password))
++		{
++		    return _("it is derived from your password entry");
++		}
++
++		strcpy(longbuffer, uwords[j]);
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		   return _("it's derived from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it is derivable from your password entry");
++		longbuffer[0] = uwords[i][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[j]);
++
++		if (GTry(longbuffer, password))
++		{
++		    return _("it is derivable from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it's derivable from your password entry");
++		longbuffer[0] = uwords[j][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    return _("it's derivable from your password entry");
++		}
+ 	    }
+ 	}
+     }
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318.
  2016-08-17  2:49 ` [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318 Leo Famulari
@ 2016-08-17  4:29   ` Eric Bavier
  2016-08-17  4:44     ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Bavier @ 2016-08-17  4:29 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Tue, 16 Aug 2016 22:49:55 -0400
Leo Famulari <leo@famulari.name> wrote:

> * gnu/packages/patches/cracklib-CVE-2016-6318.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/password-utils.scm (cracklib)[source]: Use the patch.
> ---
>  gnu/local.mk                                      |  1 +
>  gnu/packages/password-utils.scm                   |  2 +
>  gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
>  3 files changed, 98 insertions(+)
>  create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch

LGTM! Thanks for getting the patch so quick.

From the bug report it looks like we could get some real benefit from
the hardening project thread you revived.

`~Eric

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318.
  2016-08-17  4:29   ` Eric Bavier
@ 2016-08-17  4:44     ` Leo Famulari
  2016-08-23 21:06       ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-17  4:44 UTC (permalink / raw)
  To: Eric Bavier; +Cc: guix-devel

On Tue, Aug 16, 2016 at 11:29:11PM -0500, Eric Bavier wrote:
> On Tue, 16 Aug 2016 22:49:55 -0400
> Leo Famulari <leo@famulari.name> wrote:
> 
> > * gnu/packages/patches/cracklib-CVE-2016-6318.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/password-utils.scm (cracklib)[source]: Use the patch.
> > ---
> >  gnu/local.mk                                      |  1 +
> >  gnu/packages/password-utils.scm                   |  2 +
> >  gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
> >  3 files changed, 98 insertions(+)
> >  create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch
> 
> LGTM! Thanks for getting the patch so quick.

Thanks for the fast review! Pushed as 53dcbbec07c

> From the bug report it looks like we could get some real benefit from
> the hardening project thread you revived.

Yes, it does look like that!

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318.
  2016-08-17  4:44     ` Leo Famulari
@ 2016-08-23 21:06       ` Leo Famulari
  0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-08-23 21:06 UTC (permalink / raw)
  To: Eric Bavier; +Cc: guix-devel

On Wed, Aug 17, 2016 at 12:44:29AM -0400, Leo Famulari wrote:
> On Tue, Aug 16, 2016 at 11:29:11PM -0500, Eric Bavier wrote:
> > On Tue, 16 Aug 2016 22:49:55 -0400
> > Leo Famulari <leo@famulari.name> wrote:
> > 
> > > * gnu/packages/patches/cracklib-CVE-2016-6318.patch: New file.
> > > * gnu/local.mk (dist_patch_DATA): Add it.
> > > * gnu/packages/password-utils.scm (cracklib)[source]: Use the patch.
> > > ---
> > >  gnu/local.mk                                      |  1 +
> > >  gnu/packages/password-utils.scm                   |  2 +
> > >  gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
> > >  3 files changed, 98 insertions(+)
> > >  create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch
> > 
> > LGTM! Thanks for getting the patch so quick.
> 
> Thanks for the fast review! Pushed as 53dcbbec07c

It seems this story is not over. SuSE identified another buffer
overflow:
http://seclists.org/oss-sec/2016/q3/370

What do people think of the patch linked from that message?

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-08-23 21:06 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-17  2:49 [PATCH 0/1] Cracklib security CVE-2016-6318 Leo Famulari
2016-08-17  2:49 ` [PATCH 1/1] gnu: cracklib: Fix CVE-2016-6318 Leo Famulari
2016-08-17  4:29   ` Eric Bavier
2016-08-17  4:44     ` Leo Famulari
2016-08-23 21:06       ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.