A stack overflow in Cracklib that could potentially lead to arbitrary code execution was just disclosed:
http://seclists.org/oss-sec/2016/q3/290

"When an application compiled against the cracklib library, such as
"passwd" is used to parse the GECOS field, it could cause the
application to crash or execute arbitrary code with the permissions of
the user running such an application."

The message recommends this patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1364944#c2

For us, cracklib is used by libpwquality, which is used in turn by
gnome-control-center.

Passwd is safe:

$ guix build --check shadow
[...]
shadow will be compiled with the following features:
	auditing support:		no
	CrackLib support:		no
	PAM support:			yes
	suid account management tools:	yes
	SELinux support:		no
	ACL support:			no
	Extended Attributes support:	no
	tcb support (incomplete):	no
	shadow group support:		yes
	S/Key support:			no
	SHA passwords encryption:	yes
	nscd support:			yes
	subordinate IDs support:	yes

Leo Famulari (1):
  gnu: cracklib: Fix CVE-2016-6318.

 gnu/local.mk                                      |  1 +
 gnu/packages/password-utils.scm                   |  2 +
 gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch

-- 
2.9.3
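The advisory quoted above describes the bug class at issue: a password checker copies words taken from a user's GECOS field (which the user can set via chfn) into fixed-size stack buffers without checking lengths. The following is an added illustration of how a GECOS-based check can be written with explicit bounds, and is not cracklib's source, the Red Hat patch, or any Guix code. The buffer size STRINGSIZE, the word cap MAXWORDS, the reduced rule set (match a single name word or the first/last concatenation, exact case) and the sample GECOS strings are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STRINGSIZE 1024   /* assumed size of the fixed stack buffers */
#define MAXWORDS   8      /* assumed cap on name words considered */

/* Bounded append: returns false and leaves dst untouched instead of
 * writing past dst_size. The unchecked strcat() this replaces is the
 * pattern that turns a long GECOS entry into a stack overflow. */
bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t have = strlen(dst);
    size_t need = strlen(src);
    if (have >= dst_size || need >= dst_size - have)
        return false;
    memcpy(dst + have, src, need + 1);
    return true;
}

/* Split the full-name subfield of a GECOS entry (the text before the
 * first comma, e.g. "Jane Q. Public,Room 101,555-0100") into words.
 * Returns the word count, or -1 if a word would not fit in STRINGSIZE
 * or there are more than MAXWORDS words. */
int gecos_name_words(const char *gecos, char words[MAXWORDS][STRINGSIZE])
{
    int n = 0;
    const char *p = gecos;

    while (*p != '\0' && *p != ',') {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == ',')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ',' && *p != ' ' && *p != '\t')
            p++;
        size_t len = (size_t)(p - start);
        if (n == MAXWORDS || len >= STRINGSIZE)
            return -1;                /* reject instead of overflowing */
        memcpy(words[n], start, len);
        words[n][len] = '\0';
        n++;
    }
    return n;
}

/* Returns 1 if the candidate password equals a name word or the
 * concatenation of the first and last name word (either order),
 * 0 if not, and -1 if the GECOS entry is too large to process.
 * Exact, case-sensitive comparison; a real checker does more. */
int password_matches_gecos(const char *password, const char *gecos)
{
    char words[MAXWORDS][STRINGSIZE];
    char combo[STRINGSIZE];
    int n = gecos_name_words(gecos, words);

    if (n < 0)
        return -1;                    /* oversized GECOS: error, not overflow */

    for (int i = 0; i < n; i++)
        if (strcmp(password, words[i]) == 0)
            return 1;

    if (n >= 2) {
        const char *pairs[2][2] = { { words[0], words[n - 1] },
                                    { words[n - 1], words[0] } };
        for (int k = 0; k < 2; k++) {
            combo[0] = '\0';
            if (!append_bounded(combo, sizeof combo, pairs[k][0]) ||
                !append_bounded(combo, sizeof combo, pairs[k][1]))
                return -1;            /* concatenation would not fit */
            if (strcmp(password, combo) == 0)
                return 1;
        }
    }
    return 0;
}

/* Constructed oversized input: one 4095-byte name word, the kind of
 * value a local user could place in GECOS with chfn. */
int check_oversized_gecos(void)
{
    char huge[4096];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    return password_matches_gecos("AAAA", huge);
}

int main(void)
{
    const char *normal = "Jane Q. Public,Room 101,555-0100,555-0199"; /* constructed */
    printf("JanePublic vs normal GECOS: %d\n", password_matches_gecos("JanePublic", normal));
    printf("hunter2 vs normal GECOS:    %d\n", password_matches_gecos("hunter2", normal));
    printf("oversized GECOS:            %d\n", check_oversized_gecos());
    return 0;
}
```

The design point is the return value on oversized input: the checker reports an error rather than silently truncating or, worse, continuing past the end of a stack buffer, since the GECOS field is attacker-controlled data that a setuid program like passwd may read.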