Control: reopen -1
Control: notfixed -1 2.9.2-3

On Thu, 25 Aug 2016 08:35:50 +0200 Salvatore Bonaccorso <car...@debian.org> 
wrote:
> Source: cracklib2
> Version: 2.9.2-1
> Severity: important
> Tags: security upstream
> 
> On Mon, Aug 22, 2016 at 10:22:40PM +0200, Daniel Lange wrote:
> > Control: tags -1 + patch
> > 
> > The buffer overflow results from strings that are too short for a strcpy to 
> > always succeed.
> > 
> > Patch from
> > <https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch> attached.
> > 
> 
> > The input word is guaranteed to be at most STRINGSIZE-1 in length. One of the
> > mangle operations involves duplicating the input word, resulting in a string
> > twice the length to be accommodated by both area variables.
> > 
> > Howard Guo <h...@suse.com> 2016-08-17
> > 
> > diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
> > --- 3/lib/rules.c   2016-08-16 14:16:24.033261876 +0200
> > +++ 3-patched/lib/rules.c   2016-08-17 13:57:14.485782894 +0200
> > @@ -434,9 +434,8 @@ Mangle(input, control)          /* returns a poi
> >  {
> >      int limit;
> >      register char *ptr;
> > -    static char area[STRINGSIZE];
> > -    char area2[STRINGSIZE];
> > -    area[0] = '\0';
> > +    static char area[STRINGSIZE * 2] = {0};
> > +    char area2[STRINGSIZE * 2] = {0};
> >      strcpy(area, input);
> >  
> >      for (ptr = control; *ptr; ptr++)
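Review bot: doubling `area` and `area2` only budgets for a single duplicating rule, but the `for (ptr = control; *ptr; ptr++)` loop that follows applies every rule in `control` in sequence, so two duplicate rules on a STRINGSIZE-1 input still exceed a `STRINGSIZE * 2` buffer; the lengthening rules should compare the current `strlen(area)` against the buffer size before writing, rather than relying on a larger buffer. Separately, `static char area[STRINGSIZE * 2] = {0}` is zero-filled once at program start, not on every call, so dropping `area[0] = '\0'` is only harmless because `strcpy(area, input)` immediately overwrites the buffer.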
> 
> Opening a separate bug report about this second issue and tracking it separately
> from CVE-2016-6318. I have asked for a CVE id in
> http://www.openwall.com/lists/oss-security/2016/08/23/8 .

While I'm sceptical of the security implications of this, let's
*actually* fix it.

This function contains a loop and it may carry out multiple lengthening
operations.  Instead of increasing the buffer to cope with the maximum
output length of a single operation, all lengthening operations
(RULE_PLURALISE, RULE_DUPLICATE, RULE_PREPEND, RULE_APPEND,
RULE_INSERT) should check the current string length to prevent
overflow.

Ben.

-- 
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump
of a severed limb. - me, 29 June 1999
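The bounds-checked approach Ben describes, as an added example written for this page rather than cracklib's own code or either patch: every lengthening rule compares the current length of the word against the buffer before growing it, so a chain of rules in the control loop fails cleanly instead of overflowing. The rule characters, the STRINGSIZE value and the function names are assumptions made for this example.

```c
#include <string.h>

#define STRINGSIZE 1024  /* cracklib's name for the limit; value assumed here */

/* Rule characters are constructed for this example (not cracklib's own table):
 * 'd' duplicates the word, '^X' prepends X, '$X' appends X. */

/* 1 if the word in `area` can grow by `extra` bytes and still keep its NUL. */
static int room_for(const char *area, size_t extra)
{
    return strlen(area) + extra < STRINGSIZE;
}

/* Apply the rules in `control` to `input`, writing into `area` (STRINGSIZE
 * bytes).  Each lengthening rule checks the *current* length first, so a
 * chain such as "dd" on a long word fails cleanly instead of overflowing.
 * Returns 0 on success, -1 when a rule would overflow or is malformed. */
int mangle_checked(const char *input, const char *control, char *area)
{
    if (strlen(input) >= STRINGSIZE)
        return -1;
    strcpy(area, input);

    for (const char *ptr = control; *ptr; ptr++) {
        size_t len = strlen(area);   /* re-measured on every iteration */
        switch (*ptr) {
        case 'd':                    /* duplicate: result is 2*len bytes */
            if (!room_for(area, len))
                return -1;
            memmove(area + len, area, len + 1);
            break;
        case '^':                    /* prepend the next rule character */
            if (!*++ptr || !room_for(area, 1))
                return -1;
            memmove(area + 1, area, len + 1);
            area[0] = *ptr;
            break;
        case '$':                    /* append the next rule character */
            if (!*++ptr || !room_for(area, 1))
                return -1;
            area[len] = *ptr;
            area[len + 1] = '\0';
            break;
        default:                     /* non-lengthening rules left out here */
            break;
        }
    }
    return 0;
}
```

With a 300-byte word, a single duplicate succeeds but "dd" is refused, which is exactly the case a merely doubled buffer would not catch.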
