openkylin
/
cracklib2
mirror of https://gitee.com/openkylin/cracklib2.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

changed debian/source/format to native

This commit is contained in:
Lu zhiping 2022-06-04 14:14:21 +08:00
parent 9519f8323d
commit 6987af54db
7 changed files with 1 additions and 419 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
debian/patches/CVE-2016-6318.patch vendored
View File

@ -1,93 +0,0 @@
Description: CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field
It is not safe to pass words longer than STRINGSIZE further to cracklib
so the longbuffer cannot be longer than STRINGSIZE.
Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=1188599
Bug-Debian: https://bugs.debian.org/834502
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1364944
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-08-16
--- a/lib/fascist.c
+++ b/lib/fascist.c
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const c
char gbuffer[STRINGSIZE];
char tbuffer[STRINGSIZE];
char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
if (gecos == NULL)
gecos = "";
@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const c
{
for (i = 0; i < j; i++)
{
- strcpy(longbuffer, uwords[i]);
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
{
- return _("it is derived from your password entry");
- }
-
- strcpy(longbuffer, uwords[j]);
- strcat(longbuffer, uwords[i]);
+ strcpy(longbuffer, uwords[i]);
+ strcat(longbuffer, uwords[j]);
- if (GTry(longbuffer, password))
- {
- return _("it's derived from your password entry");
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derived from your password entry");
+ }
+
+ strcpy(longbuffer, uwords[j]);
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derived from your password entry");
+ }
}
- longbuffer[0] = uwords[i][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
{
- return _("it is derivable from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derivable from your password entry");
+ }
}
- longbuffer[0] = uwords[j][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
{
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derivable from your password entry");
+ }
}
}
}

83
debian/patches/improve_test_737040.patch vendored
View File

@ -1,83 +0,0 @@
Author: Jan Dittberner <jandd@debian.org>
Subject: improve Python test to cover low level FascistCheck
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737040
--- a/python/test_cracklib.py
+++ b/python/test_cracklib.py
@@ -15,6 +15,13 @@
class TestModuleFunctions(unittest.TestCase):
+ def test_FascistCheck(self):
+ try:
+ cracklib.FascistCheck('test', dictpath=dictpath)
+ self.fail('expected ValueError')
+ except ValueError:
+ pass
+
def test_VeryFascistCheck(self):
try:
cracklib.VeryFascistCheck('test', dictpath=dictpath)
@@ -68,7 +75,7 @@
def test_simple_lower(self):
for passwd in ['t' * i for i in range(
- cracklib.MIN_LENGTH - cracklib.LOW_CREDIT)]:
+ cracklib.MIN_LENGTH - cracklib.LOW_CREDIT)]:
self.assertEquals(
1, cracklib.simple(passwd),
'password {0} should be detected as too simple'.format(
@@ -78,7 +85,7 @@
def test_simple_upper(self):
for passwd in ['T' * i for i in range(
- cracklib.MIN_LENGTH - cracklib.UP_CREDIT)]:
+ cracklib.MIN_LENGTH - cracklib.UP_CREDIT)]:
self.assertEquals(
1, cracklib.simple(passwd),
'password {0} should be detected as too simple'.format(
@@ -88,7 +95,7 @@
def test_simple_digit(self):
for passwd in ['1' * i for i in range(
- cracklib.MIN_LENGTH - cracklib.DIG_CREDIT)]:
+ cracklib.MIN_LENGTH - cracklib.DIG_CREDIT)]:
self.assertEquals(
1, cracklib.simple(passwd),
'password {0} should be detected as too simple'.format(
@@ -98,7 +105,7 @@
def test_simple_other(self):
for passwd in ['#' * i for i in range(
- cracklib.MIN_LENGTH - cracklib.OTH_CREDIT)]:
+ cracklib.MIN_LENGTH - cracklib.OTH_CREDIT)]:
self.assertEquals(
1, cracklib.simple(passwd),
'password {0} should be detected as too simple'.format(
@@ -109,14 +116,16 @@
def test_simple_combinations(self):
testset = '#a' * (cracklib.MIN_LENGTH // 2)
for passwd in [testset[:i] for i in range(
- cracklib.MIN_LENGTH - cracklib.LOW_CREDIT - cracklib.OTH_CREDIT)]:
+ cracklib.MIN_LENGTH -
+ cracklib.LOW_CREDIT -
+ cracklib.OTH_CREDIT)]:
self.assertEquals(
1, cracklib.simple(passwd),
'password {0} should be detected as too simple'.format(
passwd))
self.assertEquals(0, cracklib.simple(
testset[:(cracklib.MIN_LENGTH - cracklib.LOW_CREDIT -
- cracklib.OTH_CREDIT)]))
+ cracklib.OTH_CREDIT)]))
tests.append(TestModuleFunctions)
@@ -127,7 +136,7 @@
print(('cracklib is installed in: ' + os.path.dirname(__file__)))
print(('cracklib version: ' + __version__))
print((sys.version))
- dictpath=use_dictpath
+ dictpath = use_dictpath
suite = unittest.TestSuite()
for cls in tests:

13
debian/patches/install-debian-python-modules.patch vendored
View File

@ -1,13 +0,0 @@
Subject: install Debian specific Python modules
Author: Jan Dittberner <jandd@debian.org>
--- a/python/setup.py.in
+++ b/python/setup.py.in
@@ -42,7 +42,7 @@
author_email="jan@dittberner.info",
url="http://cracklib.sourceforge.net/",
license="GPLv2+",
- py_modules=['cracklib', 'test_cracklib'],
+ py_modules=['cracklib', 'test_cracklib', 'crack'],
package_dir={'': '@srcdir@'},
ext_modules=extensions,
zip_safe=False,

202
debian/patches/libcrack2-error-safer-check-variant.patch vendored
View File

@ -1,202 +0,0 @@
Subject: add a safer check variant
Author: Markus Wanner <markus@bluegap.ch>
Bug-Debian: http://bugs.debian.org/682735
Bug-Debian: http://bugs.debian.org/737040
--- a/lib/fascist.c
+++ b/lib/fascist.c
@@ -882,6 +882,60 @@
return FascistCheckUser(password, path, NULL, NULL);
}
+/* This Debian specific method is a work-around for Debian #682735. Please
+ do not rely on it being available in future verisons of cracklib2. */
+int
+__DEBIAN_SPECIFIC__SafeFascistCheck(password, path, errstr, errstr_len)
+ const char *password;
+ const char *path;
+ char *errstr;
+ size_t errstr_len;
+{
+ PWDICT *pwp;
+ char pwtrunced[STRINGSIZE];
+ char *error;
+
+ /* If passed null for the path, use a compiled-in default */
+ if ( ! path )
+ {
+ path = DEFAULT_CRACKLIB_DICT;
+ }
+
+ /* security problem: assume we may have been given a really long
+ password (buffer attack) and so truncate it to a workable size;
+ try to define workable size as something from which we cannot
+ extend a buffer beyond its limits in the rest of the code */
+
+ strncpy(pwtrunced, password, TRUNCSTRINGSIZE);
+ pwtrunced[TRUNCSTRINGSIZE - 1] = '\0'; /* enforce */
+
+ /* perhaps someone should put something here to check if password
+ is really long and syslog() a message denoting buffer attacks? */
+
+ if (!(pwp = PWOpen(path, "r")))
+ {
+ return 0;
+ }
+
+
+ error = FascistLook(pwp, pwtrunced);
+ if (error != NULL)
+ {
+ strncpy(errstr, error, errstr_len);
+ errstr[errstr_len - 1] = '\0';
+ }
+ else
+ {
+ errstr[0] = '\0';
+ }
+
+ /* sure seems like we should close the database, since we're only likely to check one password */
+ PWClose(pwp);
+ pwp = (PWDICT *)0;
+
+ return 1;
+}
+
const char *
GetDefaultCracklibDict()
{
--- a/lib/crack.h
+++ b/lib/crack.h
@@ -22,6 +22,15 @@
extern const char *FascistCheckUser(const char *pw, const char *dictpath,
const char *user, const char *gecos);
+/* This Debian specific method is a work-around for Debian #682735. Please
+ do not rely on it being available in future verisons of cracklib2.
+ Returns 1 (true) for success and 0 (false) in case an error occurred
+ opening or reading the dictionary. In the later case, please check
+ errno. */
+extern int __DEBIAN_SPECIFIC__SafeFascistCheck(const char *pw,
+ const char *dictpath, char *errmsg,
+ size_t errmsg_len);
+
/* This function returns the compiled in value for DEFAULT_CRACKLIB_DICT.
*/
extern const char *GetDefaultCracklibDict(void);
--- a/lib/packlib.c
+++ b/lib/packlib.c
@@ -16,6 +16,7 @@
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
+#include <errno.h>
#include "packer.h"
static const char vers_id[] = "packlib.c : v2.3p2 Alec Muffett 18 May 1993";
@@ -157,6 +158,7 @@
if (!fread((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp))
{
fprintf(stderr, "%s: error reading header\n", prefix);
+ errno = 0;
pdesc.header.pih_magic = 0;
fclose(ifp);
@@ -180,6 +182,7 @@
if (!fread((char *) &pdesc64.header, sizeof(pdesc64.header), 1, ifp))
{
fprintf(stderr, "%s: error reading header\n", prefix);
+ errno = 0;
pdesc.header.pih_magic = 0;
fclose(ifp);
@@ -199,6 +202,7 @@
{
/* nope, not "64-bit" after all */
fprintf(stderr, "%s: error reading header\n", prefix);
+ errno = 0;
pdesc.header.pih_magic = 0;
fclose(ifp);
@@ -225,6 +229,7 @@
if (pdesc.header.pih_magic != PIH_MAGIC)
{
fprintf(stderr, "%s: magic mismatch\n", prefix);
+ errno = 0;
pdesc.header.pih_magic = 0;
fclose(ifp);
@@ -245,6 +250,7 @@
if (pdesc.header.pih_numwords < 1)
{
fprintf(stderr, "%s: invalid word count\n", prefix);
+ errno = 0;
pdesc.header.pih_magic = 0;
fclose(ifp);
@@ -264,6 +270,7 @@
if (pdesc.header.pih_blocklen != NUMWORDS)
{
fprintf(stderr, "%s: size mismatch\n", prefix);
+ errno = 0;
pdesc.header.pih_magic = 0;
fclose(ifp);
--- a/python/_cracklib.c
+++ b/python/_cracklib.c
@@ -42,6 +42,7 @@
#ifdef HAVE_LIBINTL_H
#include <libintl.h>
#endif
+#include <errno.h>
#ifdef HAVE_PTHREAD_H
static pthread_mutex_t cracklib_mutex = PTHREAD_MUTEX_INITIALIZER;
@@ -74,7 +75,8 @@
{
char *candidate, *dict;
char *defaultdict = NULL;
- const char *result;
+ int result;
+ char errmsg[255];
struct stat st;
char *keywords[] = {"pw", "dictpath", NULL};
char *dictfile;
@@ -148,7 +150,8 @@
#endif
LOCK();
- result = FascistCheck(candidate, dict ? dict : defaultdict);
+ result = __DEBIAN_SPECIFIC__SafeFascistCheck(candidate,
+ dict ? dict : defaultdict, errmsg, sizeof(errmsg));
UNLOCK();
if (defaultdict != NULL)
@@ -156,10 +159,25 @@
free(defaultdict);
}
- if (result != NULL)
+ if (result)
{
- PyErr_SetString(PyExc_ValueError, result);
- return NULL;
+ if ((errmsg != NULL) && (strlen(errmsg) > 0))
+ {
+ PyErr_SetString(PyExc_ValueError, errmsg);
+ return NULL;
+ }
+ }
+ else {
+ if (errno == 0)
+ {
+ PyErr_SetString(PyExc_RuntimeError, "Unable to read cracklib dictionary.");
+ return NULL;
+ }
+ else
+ {
+ PyErr_SetFromErrnoWithFilename(PyExc_ValueError, "/var/cache/cracklib_dict.*");
+ return NULL;
+ }
}
return Py_BuildValue("s", candidate);
}

22
debian/patches/overflow-processing-long-words.patch vendored
View File

@ -1,22 +0,0 @@
Description: The input word is guaranteed to be at most STRINGSIZE-1 in length.
One of the mangle operations involves duplicating the input word, resulting in
a string twice the length to be accommodated by both area variables.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386
Author: Howard Guo <hguo@suse.com>
Last-Update: 2016-08-17
diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
--- 3/lib/rules.c 2016-08-16 14:16:24.033261876 +0200
+++ 3-patched/lib/rules.c 2016-08-17 13:57:14.485782894 +0200
@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a poi
{
int limit;
register char *ptr;
- static char area[STRINGSIZE];
- char area2[STRINGSIZE];
- area[0] = '\0';
+ static char area[STRINGSIZE * 2] = {0};
+ char area2[STRINGSIZE * 2] = {0};
strcpy(area, input);
for (ptr = control; *ptr; ptr++)

5
debian/patches/series vendored
View File

@ -1,5 +0,0 @@
install-debian-python-modules.patch
libcrack2-error-safer-check-variant.patch
improve_test_737040.patch
CVE-2016-6318.patch
overflow-processing-long-words.patch

2
debian/source/format vendored
View File

@ -1 +1 @@
3.0 (quilt) 3.0 (native)