CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field

It is not safe to pass words longer than STRINGSIZE further to cracklib
so the longbuffer cannot be longer than STRINGSIZE.
Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=1188599
Bug-Debian: https://bugs.debian.org/834502
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1364944
Forwarded: not-needed
Last-Update: 2016-08-16

Gbp-Pq: Name CVE-2016-6318.patch
Salvatore Bonaccorso 2022-06-04 14:14:21 +08:00 committed by Lu zhiping
parent 4fcca984e4
commit 6abdf68440
1 changed files with 34 additions and 25 deletions


@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
char gbuffer[STRINGSIZE];
char tbuffer[STRINGSIZE];
char *uwords[STRINGSIZE];
char longbuffer[STRINGSIZE * 2];
char longbuffer[STRINGSIZE];
if (gecos == NULL)
gecos = "";
@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
{
for (i = 0; i < j; i++)
{
strcpy(longbuffer, uwords[i]);
strcat(longbuffer, uwords[j]);
if (GTry(longbuffer, password))
if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
{
return _("it is derived from your password entry");
strcpy(longbuffer, uwords[i]);
strcat(longbuffer, uwords[j]);
if (GTry(longbuffer, password))
{
return _("it is derived from your password entry");
}
strcpy(longbuffer, uwords[j]);
strcat(longbuffer, uwords[i]);
if (GTry(longbuffer, password))
{
return _("it's derived from your password entry");
}
}
strcpy(longbuffer, uwords[j]);
strcat(longbuffer, uwords[i]);
if (GTry(longbuffer, password))
if (strlen(uwords[j]) < STRINGSIZE - 1)
{
return _("it's derived from your password entry");
longbuffer[0] = uwords[i][0];
longbuffer[1] = '\0';
strcat(longbuffer, uwords[j]);
if (GTry(longbuffer, password))
{
return _("it is derivable from your password entry");
}
}
longbuffer[0] = uwords[i][0];
longbuffer[1] = '\0';
strcat(longbuffer, uwords[j]);
if (GTry(longbuffer, password))
if (strlen(uwords[i]) < STRINGSIZE - 1)
{
return _("it is derivable from your password entry");
}
longbuffer[0] = uwords[j][0];
longbuffer[1] = '\0';
strcat(longbuffer, uwords[i]);
longbuffer[0] = uwords[j][0];
longbuffer[1] = '\0';
strcat(longbuffer, uwords[i]);
if (GTry(longbuffer, password))
{
return _("it's derivable from your password entry");
if (GTry(longbuffer, password))
{
return _("it's derivable from your password entry");
}
}
}
}
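Review bot: The three new length guards in the second hunk compare against `STRINGSIZE` rather than against the buffer they protect, so they stay correct only while the `longbuffer` declaration in the first hunk keeps exactly that size, and this same commit changes that declaration. Writing them as `if (strlen(uwords[i]) + strlen(uwords[j]) < sizeof(longbuffer))` and `if (strlen(uwords[j]) < sizeof(longbuffer) - 1)` (likewise for `uwords[i]`) ties each check to the array that `strcpy`/`strcat` write into. Word pairs that fail a guard are now skipped without being tried, which is a behaviour change in a password check and deserves a short comment such as `/* combination would not fit in longbuffer; skip rather than truncate */`. The body of FascistGecosUser starts and ends outside the hunks shown, so how the `uwords[]` entries themselves are bounded is not visible here.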