From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- sys-libs/cracklib/Manifest | 7 ++ sys-libs/cracklib/cracklib-2.9.6-r1.ebuild | 105 ++++++++++++++++++++ .../files/cracklib-2.9.6-CVE-2016-6318.patch | 108 +++++++++++++++++++++ ...acklib-2.9.6-fix-long-word-bufferoverflow.patch | 43 ++++++++ sys-libs/cracklib/metadata.xml | 12 +++ 5 files changed, 275 insertions(+) create mode 100644 sys-libs/cracklib/Manifest create mode 100644 sys-libs/cracklib/cracklib-2.9.6-r1.ebuild create mode 100644 sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch create mode 100644 sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch create mode 100644 sys-libs/cracklib/metadata.xml (limited to 'sys-libs/cracklib') diff --git a/sys-libs/cracklib/Manifest b/sys-libs/cracklib/Manifest new file mode 100644 index 000000000000..cabba446b37a --- /dev/null +++ b/sys-libs/cracklib/Manifest @@ -0,0 +1,7 @@ +AUX cracklib-2.9.6-CVE-2016-6318.patch 3288 SHA256 16f033cb2192cb27d77e992b5399a4f2b99f7a0afa13f112f98a82b5ad826eee SHA512 232f632034fb602ea464885cd9f07aa30a3feb04bd231e7c2f2854f47493e027d87910454c089dc2c567aa01f6882bed7ee2a86d929fa36178746cf2a7dbf346 WHIRLPOOL 898cc6e66dc5b0801b324836a80004a7d0f97c710a46c618f29ff12b72e22c924cd7d82cad1163df1b47597f5676a84ec64955ddad7297ce64c98323ca127288 +AUX cracklib-2.9.6-fix-long-word-bufferoverflow.patch 1614 SHA256 b26ea5ff656e606f27baceccf2c11503fc2deeea912397b44f31ebd0dbdd7ddd SHA512 e4a2f9f467d3f0ce8acd4c9ea6ca19787dca6bd2bfaa80ddbf9ec1214a5e2b519c088b07760349adac9bd6805a4b512c015181863d679643cc12c68104c29a6d WHIRLPOOL abea9574414390a474561313e501b240457da22cd8fb18109ad42ab5af9a504ee20c4a2a3d9d4b9ea7bd148d26604ba5c1826a511f68d08f43c9b69b18d27f8f +DIST cracklib-2.9.6.tar.gz 642402 SHA256 17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343 SHA512 2b09672e5b412d670e7ed911ebf0c0023fe2901ea05c9c02eefb7a58a13cddbc27a65d75bb20be9f8cebf4c90a9a56dfe1a3b656dff62b1d6048f5376e671786 WHIRLPOOL 2b7b908952166e07aedfca7d17423a8dff0ec145a5f34a7ec01571cb591f0e92e57dd25ab6ffff15f1ec276bfefa455072fc7741e664115a4fafdd7f75d580e1 +EBUILD cracklib-2.9.6-r1.ebuild 2586 SHA256 00bef078c5d6ba19c76edaa79d58c091bd1f02d3cc6ffbb39e2c3e38c3956edd SHA512 0154faa441e253340b73b681ca939cc63bb3a3e6fc165f94593da6036478bd3b849557ac53f6b260028d4627414b269434d7bbb3f5dc1e5bccb149abf10add2c WHIRLPOOL 1898e3f398636ab985472db34af285dd910ed6834eb65e32e423a8c194dff398a14d652dcfe9e8ce0b6dec0d2ae392521074c5265900f67d1e5b5b863f37de01 +MISC ChangeLog 7657 SHA256 66e9eed15ff1a8dd2ca9ed3e7a2476fffeb90433f933c0c687b5fb887b6d7034 SHA512 344ec06e6b80812a30572f2fed8a5c6ae6345ed8f0b1b61e144fe189e57a897c127b6363bbcd6b2a6761d123c4d328e8685931eca2ae4399bc5e3a1f4108d5e0 WHIRLPOOL b836a6a114602930c3feb150448f03faca5cf109f72dd079b0eb22d0aaa4cb6c3aa52dfa7a2b7f5fb05363b039e9b6f660c89cb1edba00bd61a100f0171f6f27 +MISC ChangeLog-2015 27435 SHA256 f4e21158fda642097c81941e1bfbd1ca009335d73a21fefe18e41d322dcafa6e SHA512 73625d98457b1e96cc9b77585a457a3375b34fce199cac90db905616013934ea4edbf05a2d6f1419dba58c3c9e158e900d652c39a8eb7583b91678c293da0592 WHIRLPOOL 7ee06f55d10d379fd01caef49525c803413a551e5dc4573fa01d652b4152c6c4eaf486781fc71ed5e76fb2686e00bc98435a7b8538ec5c4899d4d0d32a3a326c +MISC metadata.xml 384 SHA256 7634a3d5aca060298d77d31e2b9048b1e4e3c6be42c080f618d882a65f347232 SHA512 773287176f56f1a0f11edc6cd1ca85453f998ad8e58b1e608562335f814aab18124bfb850063dd4fa35aba525b776bf2c202d8afa6d4b51e354276678f324bd1 WHIRLPOOL b94fe41a178eba9f8fcfa6519a8de0e091b14fe3157d3e6c9b7260a069915f10bc66c314e62062e4d5047978944a30c3a978d9f9e08b94a7607a4755530df5e9 diff --git a/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild new file mode 100644 index 000000000000..101aef422958 --- /dev/null +++ b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild @@ -0,0 +1,105 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} ) +DISTUTILS_OPTIONAL=1 + +inherit eutils distutils-r1 libtool multilib-minimal toolchain-funcs + +MY_P=${P/_} +DESCRIPTION="Password Checking Library" +HOMEPAGE="https://github.com/cracklib/cracklib/" +SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint" +IUSE="nls python static-libs zlib" +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" + +RDEPEND="python? ( ${PYTHON_DEPS} ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )" +DEPEND="${RDEPEND} + python? ( + dev-python/setuptools[${PYTHON_USEDEP}] + )" + +S=${WORKDIR}/${MY_P} + +do_python() { + multilib_is_native_abi || return 0 + use python || return 0 + pushd python > /dev/null || die + distutils-r1_src_${EBUILD_PHASE} + popd > /dev/null +} + +pkg_setup() { + # workaround #195017 + if has unmerge-orphans ${FEATURES} && has_version "<${CATEGORY}/${PN}-2.8.10" ; then + eerror "Upgrade path is broken with FEATURES=unmerge-orphans" + eerror "Please run: FEATURES=-unmerge-orphans emerge cracklib" + die "Please run: FEATURES=-unmerge-orphans emerge cracklib" + fi +} + +src_prepare() { + epatch "${FILESDIR}"/cracklib-2.9.6-CVE-2016-6318.patch + epatch "${FILESDIR}"/cracklib-2.9.6-fix-long-word-bufferoverflow.patch + + elibtoolize #269003 + do_python +} + +multilib_src_configure() { + export ac_cv_header_zlib_h=$(usex zlib) + export ac_cv_search_gzopen=$(usex zlib -lz no) + # use /usr/lib so that the dictionary is shared between ABIs + ECONF_SOURCE=${S} \ + econf \ + --with-default-dict='/usr/lib/cracklib_dict' \ + --without-python \ + $(use_enable nls) \ + $(use_enable static-libs static) +} + +multilib_src_compile() { + default + do_python +} + +multilib_src_test() { + # Make sure we load the freshly built library + LD_LIBRARY_PATH="${BUILD_DIR}/lib/.libs" do_python +} + +python_test() { + ${EPYTHON} -m unittest test_cracklib || die "Tests fail with ${EPYTHON}" +} + +multilib_src_install() { + default + # move shared libs to / + gen_usr_ldscript -a crack + + do_python +} + +multilib_src_install_all() { + einstalldocs + prune_libtool_files + rm -r "${ED}"/usr/share/cracklib + + insinto /usr/share/dict + doins dicts/cracklib-small || die +} + +pkg_postinst() { + if [[ ${ROOT} == "/" ]] ; then + ebegin "Regenerating cracklib dictionary" + create-cracklib-dict "${EPREFIX}"/usr/share/dict/* > /dev/null + eend $? + fi +} diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch new file mode 100644 index 000000000000..bc47734759e2 --- /dev/null +++ b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch @@ -0,0 +1,108 @@ +From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001 +From: Jan Dittberner +Date: Thu, 25 Aug 2016 17:13:49 +0200 +Subject: [PATCH] Apply patch to fix CVE-2016-6318 + +This patch fixes an issue with a stack-based buffer overflow whne +parsing large GECOS field. See +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and +https://security-tracker.debian.org/tracker/CVE-2016-6318 for more +information. +--- + src/NEWS | 1 + + src/lib/fascist.c | 57 ++++++++++++++++++++++++++++++++----------------------- + 2 files changed, 34 insertions(+), 24 deletions(-) + +diff --git a/src/NEWS b/src/NEWS +index 26abeee..361a207 100644 +--- a/src/NEWS ++++ b/src/NEWS +@@ -1,3 +1,4 @@ ++v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field + v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists + migration to github + patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller) +diff --git a/src/lib/fascist.c b/src/lib/fascist.c +index a996509..d4deb15 100644 +--- a/src/lib/fascist.c ++++ b/src/lib/fascist.c +@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos) + char gbuffer[STRINGSIZE]; + char tbuffer[STRINGSIZE]; + char *uwords[STRINGSIZE]; +- char longbuffer[STRINGSIZE * 2]; ++ char longbuffer[STRINGSIZE]; + + if (gecos == NULL) + gecos = ""; +@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos) + { + for (i = 0; i < j; i++) + { +- strcpy(longbuffer, uwords[i]); +- strcat(longbuffer, uwords[j]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) + { +- return _("it is derived from your password entry"); +- } ++ strcpy(longbuffer, uwords[i]); ++ strcat(longbuffer, uwords[j]); + +- strcpy(longbuffer, uwords[j]); +- strcat(longbuffer, uwords[i]); ++ if (GTry(longbuffer, password)) ++ { ++ return _("it is derived from your password entry"); ++ } + +- if (GTry(longbuffer, password)) +- { +- return _("it's derived from your password entry"); +- } ++ strcpy(longbuffer, uwords[j]); ++ strcat(longbuffer, uwords[i]); + +- longbuffer[0] = uwords[i][0]; +- longbuffer[1] = '\0'; +- strcat(longbuffer, uwords[j]); ++ if (GTry(longbuffer, password)) ++ { ++ return _("it's derived from your password entry"); ++ } ++ } + +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[j]) < STRINGSIZE - 1) + { +- return _("it is derivable from your password entry"); ++ longbuffer[0] = uwords[i][0]; ++ longbuffer[1] = '\0'; ++ strcat(longbuffer, uwords[j]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it is derivable from your password entry"); ++ } + } + +- longbuffer[0] = uwords[j][0]; +- longbuffer[1] = '\0'; +- strcat(longbuffer, uwords[i]); +- +- if (GTry(longbuffer, password)) ++ if (strlen(uwords[i]) < STRINGSIZE - 1) + { +- return _("it's derivable from your password entry"); ++ longbuffer[0] = uwords[j][0]; ++ longbuffer[1] = '\0'; ++ strcat(longbuffer, uwords[i]); ++ ++ if (GTry(longbuffer, password)) ++ { ++ return _("it's derivable from your password entry"); ++ } + } + } + } diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch new file mode 100644 index 000000000000..59dc9e539eb3 --- /dev/null +++ b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch @@ -0,0 +1,43 @@ +From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001 +From: Jan Dittberner +Date: Thu, 25 Aug 2016 17:17:53 +0200 +Subject: [PATCH] Fix a buffer overflow processing long words + +A buffer overflow processing long words has been discovered. This commit +applies the patch from +https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch +by Howard Guo. + +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and +http://www.openwall.com/lists/oss-security/2016/08/23/8 +--- + src/NEWS | 1 + + src/lib/rules.c | 5 ++--- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/NEWS b/src/NEWS +index 361a207..f1df3b0 100644 +--- a/src/NEWS ++++ b/src/NEWS +@@ -1,4 +1,5 @@ + v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field ++ fix a buffer overflow processing long words + v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists + migration to github + patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller) +diff --git a/src/lib/rules.c b/src/lib/rules.c +index d193cc0..3a2aa46 100644 +--- a/src/lib/rules.c ++++ b/src/lib/rules.c +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */ + { + int limit; + register char *ptr; +- static char area[STRINGSIZE]; +- char area2[STRINGSIZE]; +- area[0] = '\0'; ++ static char area[STRINGSIZE * 2] = {0}; ++ char area2[STRINGSIZE * 2] = {0}; + strcpy(area, input); + + for (ptr = control; *ptr; ptr++) diff --git a/sys-libs/cracklib/metadata.xml b/sys-libs/cracklib/metadata.xml new file mode 100644 index 000000000000..0bd584bf7040 --- /dev/null +++ b/sys-libs/cracklib/metadata.xml @@ -0,0 +1,12 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + cracklib + cracklib/cracklib + + -- cgit v1.2.3