pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2016Q3] pkgsrc/security/libcrack
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Nov 3 19:50:12 UTC 2016
Modified Files:
pkgsrc/security/libcrack [pkgsrc-2016Q3]: Makefile distinfo
Added Files:
pkgsrc/security/libcrack/patches [pkgsrc-2016Q3]: patch-CVE-2016-6318
Log Message:
Pullup ticket #5147 - requested by spz
security/libcrack: security fix
Revisions pulled up:
- security/libcrack/Makefile 1.19
- security/libcrack/distinfo 1.8
- security/libcrack/patches/patch-CVE-2016-6318 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 30 20:49:58 UTC 2016
Modified Files:
pkgsrc/security/libcrack: Makefile distinfo
Added Files:
pkgsrc/security/libcrack/patches: patch-CVE-2016-6318
Log Message:
add a patch for CVE-2016-6318 from
https://bugzilla.redhat.com/attachment.cgi?id=1188599
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.16.1 pkgsrc/security/libcrack/Makefile
cvs rdiff -u -r1.7 -r1.7.8.1 pkgsrc/security/libcrack/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
pkgsrc/security/libcrack/patches/patch-CVE-2016-6318
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/libcrack/Makefile
diff -u pkgsrc/security/libcrack/Makefile:1.18 pkgsrc/security/libcrack/Makefile:1.18.16.1
--- pkgsrc/security/libcrack/Makefile:1.18 Thu Oct 9 14:06:52 2014
+++ pkgsrc/security/libcrack/Makefile Thu Nov 3 19:50:12 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.18 2014/10/09 14:06:52 wiz Exp $
+# $NetBSD: Makefile,v 1.18.16.1 2016/11/03 19:50:12 bsiegert Exp $
#
DISTNAME= cracklib,2.7
PKGNAME= libcrack-2.7
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= http://www.crypticide.com/alecm/security/cracklib/
Index: pkgsrc/security/libcrack/distinfo
diff -u pkgsrc/security/libcrack/distinfo:1.7 pkgsrc/security/libcrack/distinfo:1.7.8.1
--- pkgsrc/security/libcrack/distinfo:1.7 Wed Nov 4 01:17:48 2015
+++ pkgsrc/security/libcrack/distinfo Thu Nov 3 19:50:12 2016
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.7 2015/11/04 01:17:48 agc Exp $
+$NetBSD: distinfo,v 1.7.8.1 2016/11/03 19:50:12 bsiegert Exp $
SHA1 (cracklib,2.7.tar.gz) = 903bb7e2400c7e486f432aab026dd6584815d2c1
RMD160 (cracklib,2.7.tar.gz) = 8c1710580ed5778f54d30b709cac0b4b07543aed
SHA512 (cracklib,2.7.tar.gz) = 2d63ed30d78a8fb07caeb21b2eeeb88941b224fe9c94da6c5eaecc4d23510117c836a373e77dffc1ff827dbd8bc02a07d07434caa4fc39b48d515bef425819e9
Size (cracklib,2.7.tar.gz) = 21059 bytes
+SHA1 (patch-CVE-2016-6318) = 8cfb44a70c1b9e23a9739edc393fc017a7327902
SHA1 (patch-aa) = 8119a733f4bdb0a5a41e41ab53e9923564a70855
SHA1 (patch-ab) = b9a0b5929936a1335f08cab93710bbe66c74183d
SHA1 (patch-ac) = 43031370c2bb08c7b43c6afad0fabe8060ac66b3
Added files:
Index: pkgsrc/security/libcrack/patches/patch-CVE-2016-6318
diff -u /dev/null pkgsrc/security/libcrack/patches/patch-CVE-2016-6318:1.1.2.2
--- /dev/null Thu Nov 3 19:50:12 2016
+++ pkgsrc/security/libcrack/patches/patch-CVE-2016-6318 Thu Nov 3 19:50:12 2016
@@ -0,0 +1,89 @@
+patch to cracklib 2.7 based on a patch for cracklib 2.9 from
+https://bugzilla.redhat.com/attachment.cgi?id=1188599 :
+
+It is not safe to pass words longer than STRINGSIZE further to cracklib
+so the longbuffer cannot be longer than STRINGSIZE.
+
+--- ./cracklib/fascist.c.orig 1997-12-31 10:26:46.000000000 +0000
++++ ./cracklib/fascist.c 2016-10-27 19:00:46.000000000 +0000
+@@ -490,7 +490,7 @@ FascistGecos(password, uid)
+ char gbuffer[STRINGSIZE];
+ char tbuffer[STRINGSIZE];
+ char *uwords[STRINGSIZE];
+- char longbuffer[STRINGSIZE * 2];
++ char longbuffer[STRINGSIZE];
+
+ if (!(pwp = getpwuid(uid)))
+ {
+@@ -573,38 +573,47 @@ FascistGecos(password, uid)
+ {
+ for (i = 0; i < j; i++)
+ {
+- strcpy(longbuffer, uwords[i]);
+- strcat(longbuffer, uwords[j]);
+-
+- if (GTry(longbuffer, password))
++ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ {
+- return ("it is derived from your password entry");
+- }
+-
+- strcpy(longbuffer, uwords[j]);
+- strcat(longbuffer, uwords[i]);
++ strcpy(longbuffer, uwords[i]);
++ strcat(longbuffer, uwords[j]);
+
+- if (GTry(longbuffer, password))
+- {
+- return ("it's derived from your password entry");
++ if (GTry(longbuffer, password))
++ {
++ return ("it is derived from your password entry");
++ }
++
++ strcpy(longbuffer, uwords[j]);
++ strcat(longbuffer, uwords[i]);
++
++ if (GTry(longbuffer, password))
++ {
++ return ("it's derived from your password entry");
++ }
+ }
+
+- longbuffer[0] = uwords[i][0];
+- longbuffer[1] = '\0';
+- strcat(longbuffer, uwords[j]);
+-
+- if (GTry(longbuffer, password))
++ if (strlen(uwords[j]) < STRINGSIZE - 1)
+ {
+- return ("it is derivable from your password entry");
++ longbuffer[0] = uwords[i][0];
++ longbuffer[1] = '\0';
++ strcat(longbuffer, uwords[j]);
++
++ if (GTry(longbuffer, password))
++ {
++ return ("it is derivable from your password entry");
++ }
+ }
+
+- longbuffer[0] = uwords[j][0];
+- longbuffer[1] = '\0';
+- strcat(longbuffer, uwords[i]);
+-
+- if (GTry(longbuffer, password))
++ if (strlen(uwords[i]) < STRINGSIZE - 1)
+ {
+- return ("it's derivable from your password entry");
++ longbuffer[0] = uwords[j][0];
++ longbuffer[1] = '\0';
++ strcat(longbuffer, uwords[i]);
++
++ if (GTry(longbuffer, password))
++ {
++ return ("it's derivable from your password entry");
++ }
+ }
+ }
+ }
Home |
Main Index |
Thread Index |
Old Index