From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Thu, 25 Aug 2016 17:17:53 +0200 Subject: [PATCH] Fix a buffer overflow processing long words A buffer overflow processing long words has been discovered. This commit applies the patch from https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch by Howard Guo. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and http://www.openwall.com/lists/oss-security/2016/08/23/8 --- src/NEWS | 1 + src/lib/rules.c | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/NEWS b/src/NEWS index 361a207..f1df3b0 100644 --- a/src/NEWS +++ b/src/NEWS @@ -1,4 +1,5 @@ v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field + fix a buffer overflow processing long words v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists migration to github patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller) diff --git a/src/lib/rules.c b/src/lib/rules.c index d193cc0..3a2aa46 100644 --- a/src/lib/rules.c +++ b/src/lib/rules.c @@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */ { int limit; register char *ptr; - static char area[STRINGSIZE]; - char area2[STRINGSIZE]; - area[0] = '\0'; + static char area[STRINGSIZE * 2] = {0}; + char area2[STRINGSIZE * 2] = {0}; strcpy(area, input); for (ptr = control; *ptr; ptr++)