Hi Ben,

On Fri, Aug 26, 2016 at 10:34:31PM +0100, Ben Hutchings wrote:
> Control: reopen -1
> Control: notfixed -1 2.9.2-3
>
> On Thu, 25 Aug 2016 08:35:50 +0200 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Source: cracklib2
> > Version: 2.9.2-1
> > Severity: important
> > Tags: security upstream
> >
> > On Mon, Aug 22, 2016 at 10:22:40PM +0200, Daniel Lange wrote:
> > > Control: tags -1 + patch
> > >
> > > The buffer overflow results from strings that are too short for a strcpy
> > > to always succeed.
> > >
> > > Patch from
> > > <https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch>
> > > attached.
> > >
> > > > > The input word is guaranteed to be at most STRINGSIZE-1 in length. One of
> > > the
> > > mangle operations involves duplicating the input word, resulting in a
> > > string
> > > twice the length to be accommodated by both area variables.
> > >
> > > Howard Guo <h...@suse.com> 2016-08-17
> > >
> > > diff -rupN 3/lib/rules.c 3-patched/lib/rules.c
> > > --- 3/lib/rules.c 2016-08-16 14:16:24.033261876 +0200
> > > +++ 3-patched/lib/rules.c 2016-08-17 13:57:14.485782894 +0200
> > > @@ -434,9 +434,8 @@ Mangle(input, control) /* returns a poi
> > > {
> > > int limit;
> > > register char *ptr;
> > > - static char area[STRINGSIZE];
> > > - char area2[STRINGSIZE];
> > > - area[0] = '\0';
> > > + static char area[STRINGSIZE * 2] = {0};
> > > + char area2[STRINGSIZE * 2] = {0};
> > > strcpy(area, input);
> > >
> > > for (ptr = control; *ptr; ptr++)
> >
> > Opening a separate bugreport about this second issue and track it
> > separately of
> > CVE-2016-6318. I have asked for a CVE id in
> > http://www.openwall.com/lists/oss-security/2016/08/23/8 .
>
> While I'm sceptical of the security implications of this, let's
> *actually* fix it
>
> This function contains a loop and it may carry out multiple lengthening
> operations. Instead of increasing the buffer to cope with the maximum
> output length of a single operation, all lengthening operations
> (RULE_PLURALISE, RULE_DUPLICATE, RULE_PREPEND, RULE_APPEND,
> RULE_INSERT) should check the current string length to prevent
> overflow.
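Review bot: the `static char area[STRINGSIZE * 2]` / `char area2[STRINGSIZE * 2]` sizing in the Mangle() hunk only bounds a single RULE_DUPLICATE applied to a STRINGSIZE-1 input; the `for (ptr = control; *ptr; ptr++)` loop right after `strcpy(area, input);` applies every rule in the control string, so two duplications, or one duplication followed by prepend/append/insert/pluralise steps, can still write past the end of both arrays. Prefer a length check inside each lengthening operation before it writes, e.g. for the duplicate case `if (strlen(area) * 2 >= sizeof(area)) return NULL;` ahead of the copy, and leave the buffers at STRINGSIZE. Minor: `= {0}` on the static array is redundant (file-scope/static storage is zero-initialised anyway), the removed `area[0] = '\0';` was already dead because `strcpy(area, input)` overwrites it on the next line, and `= {0}` on the automatic `area2` now zeroes 2*STRINGSIZE bytes on every call for no benefit.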
I'm actually not sure if it has security implications but wanted to be rather safe than sorry. No matter what, if it finally would have security implications it's good to have it fixed.

Thanks for your triage.

Regards,
Salvatore
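The point Ben raises above, that a fixed STRINGSIZE * 2 buffer does not bound a rule string containing several lengthening operations, is easiest to see with a small bounds-checked mangler. The following is an added example written for this page, not cracklib's rules.c: STRINGSIZE is shrunk to 32 so the overflow cases are visible, the rule letters (d, p, $, ^, i) are modelled on the classic Crack rule syntax but chosen here for illustration, the insert position is restricted to a single digit, and the convention of returning NULL when a step would not fit is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy stand-in for cracklib's STRINGSIZE (assumption: the real value is larger). */
#define STRINGSIZE 32

/* Rule characters, modelled on the Crack rule syntax (chosen for illustration). */
#define RULE_DUPLICATE  'd'  /* "d"   : word -> wordword          */
#define RULE_PLURALISE  'p'  /* "p"   : word -> words             */
#define RULE_APPEND     '$'  /* "$c"  : word -> wordc             */
#define RULE_PREPEND    '^'  /* "^c"  : word -> cword             */
#define RULE_INSERT     'i'  /* "iNc" : insert c at digit offset N */

/* Append one character if it fits, leaving room for the NUL. Returns 0 on overflow. */
static int append_char(char *area, size_t cap, char c) {
    size_t len = strlen(area);
    if (len + 1 >= cap) return 0;
    area[len] = c;
    area[len + 1] = '\0';
    return 1;
}

/* Insert one character at pos (pos <= len). Returns 0 on overflow or bad pos. */
static int insert_char(char *area, size_t cap, size_t pos, char c) {
    size_t len = strlen(area);
    if (pos > len || len + 1 >= cap) return 0;
    memmove(area + pos + 1, area + pos, len - pos + 1); /* moves the NUL too */
    area[pos] = c;
    return 1;
}

/* Bounds-checked mangle: applies the rule string `control` to `input`, writing at
 * most cap-1 characters plus NUL into `out`. Every lengthening step checks the
 * current length before it writes; returns NULL when a step would not fit. */
const char *mangle_checked(const char *input, const char *control, char *out, size_t cap) {
    const char *ptr;
    if (strlen(input) >= cap) return NULL;
    strcpy(out, input);
    for (ptr = control; *ptr; ptr++) {
        size_t len = strlen(out);
        switch (*ptr) {
        case RULE_DUPLICATE:
            if (len * 2 >= cap) return NULL;      /* check before, not after, the copy */
            memcpy(out + len, out, len + 1);
            break;
        case RULE_PLURALISE:
            if (!append_char(out, cap, 's')) return NULL;
            break;
        case RULE_APPEND:
            if (!ptr[1] || !append_char(out, cap, ptr[1])) return NULL;
            ptr++;
            break;
        case RULE_PREPEND:
            if (!ptr[1] || !insert_char(out, cap, 0, ptr[1])) return NULL;
            ptr++;
            break;
        case RULE_INSERT: {
            if (ptr[1] < '0' || ptr[1] > '9' || !ptr[2]) return NULL;
            if (!insert_char(out, cap, (size_t)(ptr[1] - '0'), ptr[2])) return NULL;
            ptr += 2;
            break;
        }
        default:
            return NULL;                          /* unknown rule: refuse rather than guess */
        }
    }
    return out;
}

/* Bytes an unchecked mangle would need for this rule string (including the NUL):
 * shows that a single fixed doubling is not an upper bound. */
size_t required_length(const char *input, const char *control) {
    size_t len = strlen(input);
    for (const char *p = control; *p; p++) {
        switch (*p) {
        case RULE_DUPLICATE: len *= 2; break;
        case RULE_PLURALISE: len += 1; break;
        case RULE_APPEND: case RULE_PREPEND: len += 1; if (p[1]) p++; break;
        case RULE_INSERT: len += 1; if (p[1] && p[2]) p += 2; break;
        default: break;
        }
    }
    return len + 1;
}

/* Applies `control` to a maximal input (STRINGSIZE-1 chars, constructed here) into a
 * STRINGSIZE*2 buffer, as the patch sizes it. Returns the output length, or -1 if refused. */
long mangle_max_word(const char *control) {
    static char buf[STRINGSIZE * 2];
    char word[STRINGSIZE];
    memset(word, 'a', STRINGSIZE - 1);
    word[STRINGSIZE - 1] = '\0';
    return mangle_checked(word, control, buf, sizeof buf) ? (long)strlen(buf) : -1;
}

int main(void) {
    char buf[STRINGSIZE * 2];
    printf("rule d   on a max word needs %zu bytes, buffer is %zu\n",
           required_length("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "d"), sizeof buf);
    printf("rule dd  on a max word needs %zu bytes, buffer is %zu\n",
           required_length("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "dd"), sizeof buf);
    printf("rule dd  checked result: %ld (-1 means refused)\n", mangle_max_word("dd"));
    printf("rule p^Xd$! on \"password\": %s\n",
           mangle_checked("password", "p^Xd$!", buf, sizeof buf) ? buf : "(refused)");
    return 0;
}
```

With a 31-character input, `d` fits in the doubled buffer but `dd` needs 125 bytes against a 64-byte buffer, and `dpp` fails on the second pluralise; the per-operation check is what makes the function refuse those rules instead of writing past the array, which is the change the reply above asks for rather than a larger static buffer.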