Source: cracklib2
Version: 2.9.2-1
Severity: important
Tags: security upstream
On Mon, Aug 22, 2016 at 10:22:40PM +0200, Daniel Lange wrote:
> Control: tags -1 + patch
>
> The buffer overflow results from strings that are too short for a strcpy to
> always succeed.
>
> Patch from
> <https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch>
> attached.
>
> The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the
> mangle operations involves duplicating the input word, resulting in a string
> twice the length to be accommodated by both area variables.
>
> Howard Guo <h...@suse.com> 2016-08-17
>
> diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
> --- 3/lib/rules.c 2016-08-16 14:16:24.033261876 +0200
> +++ 3-patched/lib/rules.c 2016-08-17 13:57:14.485782894 +0200
> @@ -434,9 +434,8 @@ Mangle(input, control) /* returns a poi
> {
> int limit;
> register char *ptr;
> - static char area[STRINGSIZE];
> - char area2[STRINGSIZE];
> - area[0] = '\0';
> + static char area[STRINGSIZE * 2] = {0};
> + char area2[STRINGSIZE * 2] = {0};
> strcpy(area, input);
>
> for (ptr = control; *ptr; ptr++)

Opening a separate bug report about this second issue and tracking it separately from CVE-2016-6318. I have asked for a CVE id in http://www.openwall.com/lists/oss-security/2016/08/23/8 .

Regards,
Salvatore
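Review bot: Doubling `area` and `area2` to `STRINGSIZE * 2` is only a sufficient bound if the duplicating mangle step can run at most once per call, and the hunk's trailing context `for (ptr = control; *ptr; ptr++)` shows that every rule character in the control string is applied in turn, so a control string that contains the duplication rule more than once would need more than twice STRINGSIZE and could still overrun the enlarged buffers. A safer fix is to make the duplication step (or the top of the loop) check the result length against `sizeof area` before copying and fail the mangle when it would not fit, rather than relying on a fixed multiplier. Two minor points: removing `area[0] = '\0';` is harmless because `strcpy(area, input);` immediately follows and overwrites it; and `char area2[STRINGSIZE * 2] = {0};` now zero-fills the whole automatic array on every call, which costs a little and gains nothing given the same strcpy.

The quoted message describes the sizing mismatch (input of at most STRINGSIZE-1 bytes, one mangle step that doubles it) without showing a bounded version of that step. The following C program is an added example for this bug report, not cracklib's code: it implements a hypothetical `mangle_duplicate` that refuses to write a result that would not fit the destination, and `duplicated_capacity` computes the buffer size one duplication needs. `STRINGSIZE` is set to a constructed small value (16) so the boundary cases are easy to check by hand.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed value for this example; cracklib's own STRINGSIZE is larger. */
#define STRINGSIZE 16

/* Capacity (including the terminating NUL) needed to hold a string of
 * length len followed by a copy of itself. */
size_t duplicated_capacity(size_t len)
{
    return 2 * len + 1;
}

/* Bounded "duplicate the word" mangle step (hypothetical name).
 * Writes input twice into out, which has room for out_size bytes.
 * Returns 1 on success and 0 if the result, including its NUL, would
 * not fit; on failure nothing is written to out. */
int mangle_duplicate(const char *input, char *out, size_t out_size)
{
    size_t len = strlen(input);

    if (out_size == 0) {
        return 0;
    }
    /* Equivalent to 2*len + 1 > out_size, written so the comparison
     * cannot itself overflow size_t for very long inputs. */
    if (len > (out_size - 1) / 2) {
        return 0;
    }
    memcpy(out, input, len);
    memcpy(out + len, input, len);
    out[2 * len] = '\0';
    return 1;
}

/* Shows the case the bug report describes: the longest permitted input
 * (STRINGSIZE-1 bytes) fits a STRINGSIZE buffer, but its duplicate does
 * not, while a 2*STRINGSIZE buffer is exactly enough for one doubling. */
int main(void)
{
    const char *longest = "abcdefghijklmno";   /* 15 bytes = STRINGSIZE-1 */
    char small[STRINGSIZE];
    char big[STRINGSIZE * 2];

    printf("duplicate needs %zu bytes\n", duplicated_capacity(strlen(longest)));
    printf("into %zu-byte buffer: %s\n", sizeof small,
           mangle_duplicate(longest, small, sizeof small) ? "ok" : "rejected");
    printf("into %zu-byte buffer: %s\n", sizeof big,
           mangle_duplicate(longest, big, sizeof big) ? "ok" : "rejected");
    return 0;
}
```

Applying the same check before every growing mangle step, rather than once before the loop, is what makes a fixed buffer safe regardless of how many rules a control string chains together.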