diff options
Diffstat (limited to 'meta/recipes-extended/cracklib/cracklib')
3 files changed, 13 insertions, 118 deletions
diff --git a/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch b/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch deleted file mode 100644 index b251ac9056..0000000000 --- a/meta/recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001 -From: Jan Dittberner <jan@dittberner.info> -Date: Thu, 25 Aug 2016 17:13:49 +0200 -Subject: [PATCH] Apply patch to fix CVE-2016-6318 - -This patch fixes an issue with a stack-based buffer overflow when -parsing large GECOS field. See -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and -https://security-tracker.debian.org/tracker/CVE-2016-6318 for more -information. - -Upstream-Status: Backport [https://github.com/cracklib/cracklib/commit/47e5dec521ab6243c9b249dd65b93d232d90d6b1] -CVE: CVE-2016-6318 -Signed-off-by: Dengke Du <dengke.du@windriver.com> ---- - lib/fascist.c | 57 ++++++++++++++++++++++++++++++++----------------------- - 1 file changed, 33 insertions(+), 24 deletions(-) - -diff --git a/lib/fascist.c b/lib/fascist.c -index a996509..d4deb15 100644 ---- a/lib/fascist.c -+++ b/lib/fascist.c -@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos) - char gbuffer[STRINGSIZE]; - char tbuffer[STRINGSIZE]; - char *uwords[STRINGSIZE]; -- char longbuffer[STRINGSIZE * 2]; -+ char longbuffer[STRINGSIZE]; - - if (gecos == NULL) - gecos = ""; -@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos) - { - for (i = 0; i < j; i++) - { -- strcpy(longbuffer, uwords[i]); -- strcat(longbuffer, uwords[j]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) - { -- return _("it is derived from your password entry"); -- } -+ strcpy(longbuffer, uwords[i]); -+ strcat(longbuffer, uwords[j]); - -- strcpy(longbuffer, uwords[j]); -- strcat(longbuffer, uwords[i]); -+ if (GTry(longbuffer, password)) -+ { -+ return _("it is derived from your password entry"); -+ } - -- if (GTry(longbuffer, password)) -- { -- return _("it's derived from your password entry"); -- } -+ strcpy(longbuffer, uwords[j]); -+ strcat(longbuffer, uwords[i]); - -- longbuffer[0] = uwords[i][0]; -- longbuffer[1] = '\0'; -- strcat(longbuffer, uwords[j]); -+ if (GTry(longbuffer, password)) -+ { -+ return _("it's derived from your password entry"); -+ } -+ } - -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[j]) < STRINGSIZE - 1) - { -- return _("it is derivable from your password entry"); -+ longbuffer[0] = uwords[i][0]; -+ longbuffer[1] = '\0'; -+ strcat(longbuffer, uwords[j]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it is derivable from your password entry"); -+ } - } - -- longbuffer[0] = uwords[j][0]; -- longbuffer[1] = '\0'; -- strcat(longbuffer, uwords[i]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[i]) < STRINGSIZE - 1) - { -- return _("it's derivable from your password entry"); -+ longbuffer[0] = uwords[j][0]; -+ longbuffer[1] = '\0'; -+ strcat(longbuffer, uwords[i]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it's derivable from your password entry"); -+ } - } - } - } --- -2.8.1 - diff --git a/meta/recipes-extended/cracklib/cracklib/0001-packlib.c-support-dictionary-byte-order-dependent.patch b/meta/recipes-extended/cracklib/cracklib/0001-packlib.c-support-dictionary-byte-order-dependent.patch index adbe7dfff4..8fb512a224 100644 --- a/meta/recipes-extended/cracklib/cracklib/0001-packlib.c-support-dictionary-byte-order-dependent.patch +++ b/meta/recipes-extended/cracklib/cracklib/0001-packlib.c-support-dictionary-byte-order-dependent.patch @@ -1,7 +1,7 @@ -From 8a6e43726ad0ae41bd1cc2c248d91deb31459357 Mon Sep 17 00:00:00 2001 +From aae03b7e626d5f62ab929d51d11352a5a2ff6b2d Mon Sep 17 00:00:00 2001 From: Lei Maohui <leimaohui@cn.fujitsu.com> Date: Tue, 9 Jun 2015 11:11:48 +0900 -Subject: [PATCH] packlib.c: support dictionary byte order dependent +Subject: [PATCH 1/2] packlib.c: support dictionary byte order dependent The previous dict files are NOT byte-order independent, in fact they are probably ARCHITECTURE SPECIFIC. @@ -9,7 +9,7 @@ Create the dict files in big endian, and convert to host endian while load them. This could fix the endian issue on multiple platform. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> -Upstream-Status: Pending +Upstream-Status: Submitted [https://github.com/cracklib/cracklib/pull/41] We can't use the endian.h, htobe* and be*toh functions because they are not available on older versions of glibc, such as that found in RHEL @@ -22,11 +22,11 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com> --- - lib/packlib.c | 214 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + lib/packlib.c | 214 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 210 insertions(+), 4 deletions(-) diff --git a/lib/packlib.c b/lib/packlib.c -index f851424..3aac805 100644 +index 8acb7be..a9d8750 100644 --- a/lib/packlib.c +++ b/lib/packlib.c @@ -16,6 +16,12 @@ @@ -317,7 +317,7 @@ index f851424..3aac805 100644 + fwrite((char *) &tmpdatum, sizeof(tmpdatum), 1, pwp->ifp); fputs(pwp->data_put[0], pwp->dfp); - putc(0, pwp->dfp); + putc(0, (FILE*) pwp->dfp); @@ -464,6 +668,7 @@ GetPW(pwp, number) perror("(index fread failed)"); return NULL; @@ -335,5 +335,5 @@ index f851424..3aac805 100644 int r = 1; -- -1.8.4.2 +2.20.1 diff --git a/meta/recipes-extended/cracklib/cracklib/0002-craklib-fix-testnum-and-teststr-failed.patch b/meta/recipes-extended/cracklib/cracklib/0002-craklib-fix-testnum-and-teststr-failed.patch index 6210e82121..1ee97357d0 100644 --- a/meta/recipes-extended/cracklib/cracklib/0002-craklib-fix-testnum-and-teststr-failed.patch +++ b/meta/recipes-extended/cracklib/cracklib/0002-craklib-fix-testnum-and-teststr-failed.patch @@ -1,7 +1,7 @@ -From 06f9a88b5dd5597f9198ea0cb34f5e96f180e6e3 Mon Sep 17 00:00:00 2001 +From 7250328d7f77069726603ef7132826c9260d3c92 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Sat, 27 Apr 2013 16:02:30 +0800 -Subject: [PATCH] craklib:fix testnum and teststr failed +Subject: [PATCH 2/2] craklib:fix testnum and teststr failed Error log: ... @@ -16,10 +16,10 @@ PWOpen: No such file or directory Set DEFAULT_CRACKLIB_DICT as the path of PWOpen Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> -Upstream-Status: Pending +Upstream-Status: Submitted [https://github.com/cracklib/cracklib/pull/42] --- - util/testnum.c | 2 +- - util/teststr.c | 2 +- + util/testnum.c | 2 +- + util/teststr.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/util/testnum.c b/util/testnum.c @@ -49,5 +49,5 @@ index 2a31fa4..9fb9cda 100644 perror ("PWOpen"); return (-1); -- -1.7.10.4 +2.20.1 |