cracklib: Apply patch to fix CVE-2016-6318

Fix CVE-2016-6318 Backport from cracklib upstream: https://github.com/cracklib/cracklib/commit/47e5dec521ab6243c9b249dd65b93d232d90d6b1 (From OE-Core rev: bc7691c47f21a7d7549788fe0370c3080fc4dff5) (From OE-Core rev: 64757265e0122314036e80aa1440c29654c052c0) Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Dengke Du <dengke.du@windriver.com> 2016-09-23 03:15:20 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-27 09:05:56 +0100
commit: 9fd6b093a4ec49f016accd0186763233e4fc6171 (patch)
tree: 0fb29b051d76af116de31fc3c81cc6c3850c22b6
parent: b7bb83a4bb9f10aadda598bbccf779791bdc060c (diff)
download: poky-9fd6b093a4ec49f016accd0186763233e4fc6171.tar.gz
2 files changed, 106 insertions, 0 deletions
diff --git a/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch b/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
new file mode 100644
index 0000000000..b251ac9056
--- /dev/null
+++ b/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
@@ -0,0 +1,105 @@
+From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:13:49 +0200
+Subject: [PATCH] Apply patch to fix CVE-2016-6318
+This patch fixes an issue with a stack-based buffer overflow when
+parsing large GECOS field. See
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
+https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
+information.
+Upstream-Status: Backport [https://github.com/cracklib/cracklib/commit/47e5dec521ab6243c9b249dd65b93d232d90d6b1]
+CVE: CVE-2016-6318
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
+---
+ lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 33 insertions(+), 24 deletions(-)
+diff --git a/lib/fascist.c b/lib/fascist.c
+index a996509..d4deb15 100644
+--- a/lib/fascist.c
+++ b/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+        gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+     {
+        for (i = 0; i < j; i++)
+        {
+-           strcpy(longbuffer, uwords[i]);
+-           strcat(longbuffer, uwords[j]);
+-
+-           if (GTry(longbuffer, password))
+           if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+            {
+-               return _("it is derived from your password entry");
+-           }
+               strcpy(longbuffer, uwords[i]);
+               strcat(longbuffer, uwords[j]);
+ 
+-           strcpy(longbuffer, uwords[j]);
+-           strcat(longbuffer, uwords[i]);
+               if (GTry(longbuffer, password))
+               {
+                   return _("it is derived from your password entry");
+               }
+ 
+-           if (GTry(longbuffer, password))
+-           {
+-               return _("it's derived from your password entry");
+-           }
+               strcpy(longbuffer, uwords[j]);
+               strcat(longbuffer, uwords[i]);
+ 
+-           longbuffer[0] = uwords[i][0];
+-           longbuffer[1] = '\0';
+-           strcat(longbuffer, uwords[j]);
+               if (GTry(longbuffer, password))
+               {
+                  return _("it's derived from your password entry");
+               }
+           }
+ 
+-           if (GTry(longbuffer, password))
+           if (strlen(uwords[j]) < STRINGSIZE - 1)
+            {
+-               return _("it is derivable from your password entry");
+               longbuffer[0] = uwords[i][0];
+               longbuffer[1] = '\0';
+               strcat(longbuffer, uwords[j]);
+
+               if (GTry(longbuffer, password))
+               {
+                   return _("it is derivable from your password entry");
+               }
+            }
+ 
+-           longbuffer[0] = uwords[j][0];
+-           longbuffer[1] = '\0';
+-           strcat(longbuffer, uwords[i]);
+-
+-           if (GTry(longbuffer, password))
+           if (strlen(uwords[i]) < STRINGSIZE - 1)
+            {
+-               return _("it's derivable from your password entry");
+               longbuffer[0] = uwords[j][0];
+               longbuffer[1] = '\0';
+               strcat(longbuffer, uwords[i]);
+
+               if (GTry(longbuffer, password))
+               {
+                   return _("it's derivable from your password entry");
+               }
+            }
+        }
+     }
+-- 
+2.8.1
diff --git a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
index 3bd3f93674..2071d0f40d 100644
--- a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
+++ b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
@@ -13,6 +13,7 @@ EXTRA_OECONF = "--with-python --libdir=${base_libdir}"
 SRC_URI = "${SOURCEFORGE_MIRROR}/cracklib/cracklib-${PV}.tar.gz \
           file://0001-packlib.c-support-dictionary-byte-order-dependent.patch \
+           file://0001-Apply-patch-to-fix-CVE-2016-6318.patch \
           file://0002-craklib-fix-testnum-and-teststr-failed.patch"
 SRC_URI[md5sum] = "376790a95c1fb645e59e6e9803c78582"
author	Dengke Du <dengke.du@windriver.com>	2016-09-23 03:15:20 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-27 09:05:56 +0100
commit	9fd6b093a4ec49f016accd0186763233e4fc6171 (patch)
tree	0fb29b051d76af116de31fc3c81cc6c3850c22b6
parent	b7bb83a4bb9f10aadda598bbccf779791bdc060c (diff)
download	poky-9fd6b093a4ec49f016accd0186763233e4fc6171.tar.gz

diff --git a/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch b/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch new file mode 100644 index 0000000000..b251ac9056 --- /dev/null +++ b/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
@@ -0,0 +1,105 @@
		1	From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
		2	From: Jan Dittberner <jan@dittberner.info>
		3	Date: Thu, 25 Aug 2016 17:13:49 +0200
		4	Subject: [PATCH] Apply patch to fix CVE-2016-6318
		5
		6	This patch fixes an issue with a stack-based buffer overflow when
		7	parsing large GECOS field. See
		8	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
		9	https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
		10	information.
		11
		12	Upstream-Status: Backport [https://github.com/cracklib/cracklib/commit/47e5dec521ab6243c9b249dd65b93d232d90d6b1]
		13	CVE: CVE-2016-6318
		14	Signed-off-by: Dengke Du <dengke.du@windriver.com>
		15	---
		16	lib/fascist.c \| 57 ++++++++++++++++++++++++++++++++-----------------------
		17	1 file changed, 33 insertions(+), 24 deletions(-)
		18
		19	diff --git a/lib/fascist.c b/lib/fascist.c
		20	index a996509..d4deb15 100644
		21	--- a/lib/fascist.c
		22	+++ b/lib/fascist.c
		23	@@ -502,7 +502,7 @@ FascistGecosUser(char password, const char user, const char *gecos)
		24	char gbuffer[STRINGSIZE];
		25	char tbuffer[STRINGSIZE];
		26	char *uwords[STRINGSIZE];
		27	- char longbuffer[STRINGSIZE * 2];
		28	+ char longbuffer[STRINGSIZE];
		29
		30	if (gecos == NULL)
		31	gecos = "";
		32	@@ -583,38 +583,47 @@ FascistGecosUser(char password, const char user, const char *gecos)
		33	{
		34	for (i = 0; i < j; i++)
		35	{
		36	- strcpy(longbuffer, uwords[i]);
		37	- strcat(longbuffer, uwords[j]);
		38	-
		39	- if (GTry(longbuffer, password))
		40	+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
		41	{
		42	- return _("it is derived from your password entry");
		43	- }
		44	+ strcpy(longbuffer, uwords[i]);
		45	+ strcat(longbuffer, uwords[j]);
		46
		47	- strcpy(longbuffer, uwords[j]);
		48	- strcat(longbuffer, uwords[i]);
		49	+ if (GTry(longbuffer, password))
		50	+ {
		51	+ return _("it is derived from your password entry");
		52	+ }
		53
		54	- if (GTry(longbuffer, password))
		55	- {
		56	- return _("it's derived from your password entry");
		57	- }
		58	+ strcpy(longbuffer, uwords[j]);
		59	+ strcat(longbuffer, uwords[i]);
		60
		61	- longbuffer[0] = uwords[i][0];
		62	- longbuffer[1] = '\0';
		63	- strcat(longbuffer, uwords[j]);
		64	+ if (GTry(longbuffer, password))
		65	+ {
		66	+ return _("it's derived from your password entry");
		67	+ }
		68	+ }
		69
		70	- if (GTry(longbuffer, password))
		71	+ if (strlen(uwords[j]) < STRINGSIZE - 1)
		72	{
		73	- return _("it is derivable from your password entry");
		74	+ longbuffer[0] = uwords[i][0];
		75	+ longbuffer[1] = '\0';
		76	+ strcat(longbuffer, uwords[j]);
		77	+
		78	+ if (GTry(longbuffer, password))
		79	+ {
		80	+ return _("it is derivable from your password entry");
		81	+ }
		82	}
		83
		84	- longbuffer[0] = uwords[j][0];
		85	- longbuffer[1] = '\0';
		86	- strcat(longbuffer, uwords[i]);
		87	-
		88	- if (GTry(longbuffer, password))
		89	+ if (strlen(uwords[i]) < STRINGSIZE - 1)
		90	{
		91	- return _("it's derivable from your password entry");
		92	+ longbuffer[0] = uwords[j][0];
		93	+ longbuffer[1] = '\0';
		94	+ strcat(longbuffer, uwords[i]);
		95	+
		96	+ if (GTry(longbuffer, password))
		97	+ {
		98	+ return _("it's derivable from your password entry");
		99	+ }
		100	}
		101	}
		102	}
		103	--
		104	2.8.1
		105


diff --git a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb index 3bd3f93674..2071d0f40d 100644 --- a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb +++ b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
@@ -13,6 +13,7 @@ EXTRA_OECONF = "--with-python --libdir=${base_libdir}"
13		13
14	SRC_URI = "${SOURCEFORGE_MIRROR}/cracklib/cracklib-${PV}.tar.gz \	14	SRC_URI = "${SOURCEFORGE_MIRROR}/cracklib/cracklib-${PV}.tar.gz \
15	file://0001-packlib.c-support-dictionary-byte-order-dependent.patch \	15	file://0001-packlib.c-support-dictionary-byte-order-dependent.patch \
		16	file://0001-Apply-patch-to-fix-CVE-2016-6318.patch \
16	file://0002-craklib-fix-testnum-and-teststr-failed.patch"	17	file://0002-craklib-fix-testnum-and-teststr-failed.patch"
17		18
18	SRC_URI[md5sum] = "376790a95c1fb645e59e6e9803c78582"	19	SRC_URI[md5sum] = "376790a95c1fb645e59e6e9803c78582"