Apply patch to fix CVE-2016-6318

This patch fixes an issue with a stack-based buffer overflow whne
parsing large GECOS field. See
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
information.

diff --git a/src/NEWS b/src/NEWS
index 26abeee98c77a952f3ec10fb96b0d8349967d321..361a2074be2e68d88be9509648b6ef9d9795da15 100644 (file)
--- a/src/NEWS
+++ b/src/NEWS
@@ -1,3 +1,4 @@
+v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
 v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
        migration to github
        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)

diff --git a/src/lib/fascist.c b/src/lib/fascist.c
index a996509bcb75fb2445db0ea5551e236e5203a5a7..d4deb15c20a54d6e93d92c62db97414e44185e3a 100644 (file)
--- a/src/lib/fascist.c
+++ b/src/lib/fascist.c
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
     char gbuffer[STRINGSIZE];
     char tbuffer[STRINGSIZE];
     char *uwords[STRINGSIZE];
-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
 
     if (gecos == NULL)
        gecos = "";
@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
     {
        for (i = 0; i < j; i++)
        {
-           strcpy(longbuffer, uwords[i]);
-           strcat(longbuffer, uwords[j]);
-
-           if (GTry(longbuffer, password))
+           if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
            {
-               return _("it is derived from your password entry");
-           }
+               strcpy(longbuffer, uwords[i]);
+               strcat(longbuffer, uwords[j]);
 
-           strcpy(longbuffer, uwords[j]);
-           strcat(longbuffer, uwords[i]);
+               if (GTry(longbuffer, password))
+               {
+                   return _("it is derived from your password entry");
+               }
 
-           if (GTry(longbuffer, password))
-           {
-               return _("it's derived from your password entry");
-           }
+               strcpy(longbuffer, uwords[j]);
+               strcat(longbuffer, uwords[i]);
 
-           longbuffer[0] = uwords[i][0];
-           longbuffer[1] = '\0';
-           strcat(longbuffer, uwords[j]);
+               if (GTry(longbuffer, password))
+               {
+                  return _("it's derived from your password entry");
+               }
+           }
 
-           if (GTry(longbuffer, password))
+           if (strlen(uwords[j]) < STRINGSIZE - 1)
            {
-               return _("it is derivable from your password entry");
+               longbuffer[0] = uwords[i][0];
+               longbuffer[1] = '\0';
+               strcat(longbuffer, uwords[j]);
+
+               if (GTry(longbuffer, password))
+               {
+                   return _("it is derivable from your password entry");
+               }
            }
 
-           longbuffer[0] = uwords[j][0];
-           longbuffer[1] = '\0';
-           strcat(longbuffer, uwords[i]);
-
-           if (GTry(longbuffer, password))
+           if (strlen(uwords[i]) < STRINGSIZE - 1)
            {
-               return _("it's derivable from your password entry");
+               longbuffer[0] = uwords[j][0];
+               longbuffer[1] = '\0';
+               strcat(longbuffer, uwords[i]);
+
+               if (GTry(longbuffer, password))
+               {
+                   return _("it's derivable from your password entry");
+               }
            }
        }
     }