public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: sys-libs/cracklib/files/, sys-libs/cracklib/
@ 2016-09-14 20:57 Thomas Deutschmann
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Deutschmann @ 2016-09-14 20:57 UTC (permalink / raw
  To: gentoo-commits

commit:     aac5b4f4a65ce70854e77014fa096b7bd2d34e43
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 14 20:55:05 2016 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Sep 14 20:57:44 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aac5b4f4

sys-libs/cracklib: Revision bump to address CVE-2016-6318 and another buffer overflow

Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
Gentoo-Bug: https://bugs.gentoo.org/591456

Package-Manager: portage-2.3.0

 sys-libs/cracklib/cracklib-2.9.6-r1.ebuild         | 108 +++++++++++++++++++++
 .../files/cracklib-2.9.6-CVE-2016-6318.patch       | 108 +++++++++++++++++++++
 ...acklib-2.9.6-fix-long-word-bufferoverflow.patch |  43 ++++++++
 3 files changed, 259 insertions(+)

diff --git a/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild
new file mode 100644
index 00000000..3767e64
--- /dev/null
+++ b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild
@@ -0,0 +1,108 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 )
+DISTUTILS_OPTIONAL=1
+
+inherit eutils distutils-r1 libtool multilib-minimal toolchain-funcs
+
+MY_P=${P/_}
+DESCRIPTION="Password Checking Library"
+HOMEPAGE="https://github.com/cracklib/cracklib/"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint"
+IUSE="nls python static-libs test zlib"
+
+RDEPEND="zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	python? (
+		dev-python/setuptools[${PYTHON_USEDEP}]
+		test? ( dev-python/nose[${PYTHON_USEDEP}] )
+	)"
+RDEPEND="${RDEPEND}
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r6
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+
+S=${WORKDIR}/${MY_P}
+
+do_python() {
+	multilib_is_native_abi || return 0
+	use python || return 0
+	pushd python > /dev/null || die
+	distutils-r1_src_${EBUILD_PHASE}
+	popd > /dev/null
+}
+
+pkg_setup() {
+	# workaround #195017
+	if has unmerge-orphans ${FEATURES} && has_version "<${CATEGORY}/${PN}-2.8.10" ; then
+		eerror "Upgrade path is broken with FEATURES=unmerge-orphans"
+		eerror "Please run: FEATURES=-unmerge-orphans emerge cracklib"
+		die "Please run: FEATURES=-unmerge-orphans emerge cracklib"
+	fi
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/cracklib-2.9.6-CVE-2016-6318.patch
+	epatch "${FILESDIR}"/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
+
+	elibtoolize #269003
+	do_python
+}
+
+multilib_src_configure() {
+	export ac_cv_header_zlib_h=$(usex zlib)
+	export ac_cv_search_gzopen=$(usex zlib -lz no)
+	# use /usr/lib so that the dictionary is shared between ABIs
+	ECONF_SOURCE=${S} \
+	econf \
+		--with-default-dict='/usr/lib/cracklib_dict' \
+		--without-python \
+		$(use_enable nls) \
+		$(use_enable static-libs static)
+}
+
+multilib_src_compile() {
+	default
+	do_python
+}
+
+multilib_src_test() {
+	do_python
+}
+
+python_test() {
+	nosetests -w "${S}"/python || die "Tests fail with ${EPYTHON}"
+}
+
+multilib_src_install() {
+	default
+	# move shared libs to /
+	gen_usr_ldscript -a crack
+
+	do_python
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	prune_libtool_files
+	rm -r "${ED}"/usr/share/cracklib
+
+	insinto /usr/share/dict
+	doins dicts/cracklib-small || die
+}
+
+pkg_postinst() {
+	if [[ ${ROOT} == "/" ]] ; then
+		ebegin "Regenerating cracklib dictionary"
+		create-cracklib-dict "${EPREFIX}"/usr/share/dict/* > /dev/null
+		eend $?
+	fi
+}

diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch
new file mode 100644
index 00000000..bc47734
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch
@@ -0,0 +1,108 @@
+From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:13:49 +0200
+Subject: [PATCH] Apply patch to fix CVE-2016-6318
+
+This patch fixes an issue with a stack-based buffer overflow whne
+parsing large GECOS field. See
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
+https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
+information.
+---
+ src/NEWS          |  1 +
+ src/lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 34 insertions(+), 24 deletions(-)
+
+diff --git a/src/NEWS b/src/NEWS
+index 26abeee..361a207 100644
+--- a/src/NEWS
++++ b/src/NEWS
+@@ -1,3 +1,4 @@
++v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+        migration to github
+        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)
+diff --git a/src/lib/fascist.c b/src/lib/fascist.c
+index a996509..d4deb15 100644
+--- a/src/lib/fascist.c
++++ b/src/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
++    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+ 	gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-		return _("it is derived from your password entry");
+-	    }
++		strcpy(longbuffer, uwords[i]);
++		strcat(longbuffer, uwords[j]);
+ 
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
++		if (GTry(longbuffer, password))
++		{
++		    return _("it is derived from your password entry");
++		}
+ 
+-	    if (GTry(longbuffer, password))
+-	    {
+-		return _("it's derived from your password entry");
+-	    }
++		strcpy(longbuffer, uwords[j]);
++		strcat(longbuffer, uwords[i]);
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
++		if (GTry(longbuffer, password))
++		{
++		   return _("it's derived from your password entry");
++		}
++	    }
+ 
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it is derivable from your password entry");
++		longbuffer[0] = uwords[i][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[j]);
++
++		if (GTry(longbuffer, password))
++		{
++		    return _("it is derivable from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it's derivable from your password entry");
++		longbuffer[0] = uwords[j][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    return _("it's derivable from your password entry");
++		}
+ 	    }
+ 	}
+     }

diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
new file mode 100644
index 00000000..59dc9e5
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
@@ -0,0 +1,43 @@
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS        | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/NEWS b/src/NEWS
+index 361a207..f1df3b0 100644
+--- a/src/NEWS
++++ b/src/NEWS
+@@ -1,4 +1,5 @@
+ v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
++       fix a buffer overflow processing long words
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+        migration to github
+        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/src/lib/rules.c
++++ b/src/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a pointer to a controlled Mangle */
+ {
+     int limit;
+     register char *ptr;
+-    static char area[STRINGSIZE];
+-    char area2[STRINGSIZE];
+-    area[0] = '\0';
++    static char area[STRINGSIZE * 2] = {0};
++    char area2[STRINGSIZE * 2] = {0};
+     strcpy(area, input);
+ 
+     for (ptr = control; *ptr; ptr++)


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: sys-libs/cracklib/files/, sys-libs/cracklib/
@ 2023-03-17  2:25 Sam James
  0 siblings, 0 replies; 2+ messages in thread
From: Sam James @ 2023-03-17  2:25 UTC (permalink / raw
  To: gentoo-commits

commit:     27b7d30f1513c8aa741f0118ebd8af45984ea6c6
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Mar 17 02:24:43 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Mar 17 02:24:58 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27b7d30f

sys-libs/cracklib: fix Python bindings

- Fix Python bindings build and clean it up to be more idiomatic
- Use PEP517 for Python build too

Closes: https://bugs.gentoo.org/901719
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...lib-2.9.10.ebuild => cracklib-2.9.10-r1.ebuild} | 45 ++++++++++++++--------
 .../files/cracklib-2.9.10-python-inc.patch         | 20 ++++++++++
 2 files changed, 48 insertions(+), 17 deletions(-)

diff --git a/sys-libs/cracklib/cracklib-2.9.10.ebuild b/sys-libs/cracklib/cracklib-2.9.10-r1.ebuild
similarity index 74%
rename from sys-libs/cracklib/cracklib-2.9.10.ebuild
rename to sys-libs/cracklib/cracklib-2.9.10-r1.ebuild
index 71fddeb64779..0553dfd808a8 100644
--- a/sys-libs/cracklib/cracklib-2.9.10.ebuild
+++ b/sys-libs/cracklib/cracklib-2.9.10-r1.ebuild
@@ -6,6 +6,7 @@ EAPI=8
 # Note: ideally bump with sys-apps/cracklib-words
 
 DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
 PYTHON_COMPAT=( python3_{9..11} )
 inherit distutils-r1 libtool multilib-minimal usr-ldscript
 
@@ -31,19 +32,14 @@ DEPEND="
 "
 BDEPEND="
 	nls? ( sys-devel/gettext )
-	python? (
-		dev-python/setuptools[${PYTHON_USEDEP}]
-	)
+	python? ( ${DISTUTILS_DEPS} )
 "
 
-do_python() {
-	multilib_is_native_abi || return 0
-	use python || return 0
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.9.10-python-inc.patch
+)
 
-	pushd python > /dev/null || die
-	distutils-r1_src_${EBUILD_PHASE}
-	popd > /dev/null || die
-}
+distutils_enable_tests unittest
 
 pkg_setup() {
 	# Workaround bug #195017
@@ -57,10 +53,12 @@ pkg_setup() {
 src_prepare() {
 	default
 
-	# bug ##269003
+	# bug #269003
 	elibtoolize
 
-	do_python
+	if use python ; then
+		distutils-r1_src_prepare
+	fi
 }
 
 multilib_src_configure() {
@@ -81,18 +79,28 @@ multilib_src_configure() {
 multilib_src_compile() {
 	default
 
-	do_python
+	if multilib_is_native_abi && use python ; then
+		local -x CFLAGS="${CFLAGS} -DLOCALEDIR='\"${EPREFIX}/usr/share/locale\"' -DDEFAULT_CRACKLIB_DICT=\'${EPREFIX}/usr/lib/cracklib_dict\'"
+		cd python || die
+		distutils-r1_src_compile
+	fi
 }
 
 multilib_src_test() {
 	default
 
-	# Make sure we load the freshly built library
-	LD_LIBRARY_PATH="${BUILD_DIR}/lib/.libs:${LD_LIBRARY_PATH}" do_python
+	if multilib_is_native_abi && use python ; then
+		distutils-r1_src_test
+	fi
 }
 
 python_test() {
-	${EPYTHON} -m unittest test_cracklib || die "Tests fail with ${EPYTHON}"
+	cd "${S}"/python || die
+
+	# Make sure we load the freshly built library
+	local -x LD_LIBRARY_PATH="${BUILD_DIR/-${EPYTHON/./_}}/lib/.libs:${BUILD_DIR}/lib:${LD_LIBRARY_PATH}"
+
+	eunittest
 }
 
 multilib_src_install() {
@@ -101,7 +109,10 @@ multilib_src_install() {
 	# Move shared libs to /
 	gen_usr_ldscript -a crack
 
-	do_python
+	if multilib_is_native_abi && use python ; then
+		cd python || die
+		distutils-r1_src_install
+	fi
 }
 
 multilib_src_install_all() {

diff --git a/sys-libs/cracklib/files/cracklib-2.9.10-python-inc.patch b/sys-libs/cracklib/files/cracklib-2.9.10-python-inc.patch
new file mode 100644
index 000000000000..fd9960df0e8f
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.10-python-inc.patch
@@ -0,0 +1,20 @@
+https://github.com/cracklib/cracklib/pull/61
+
+From 802cbc426779489d44d7fc19e695e7d962c65665 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Fri, 17 Mar 2023 02:20:19 +0000
+Subject: [PATCH] python: adjust include path for builddir
+
+We need this for config.h added by 2e0f854bada720ff4fbd13aed4f87087d466274d.
+--- a/python/setup.py.in
++++ b/python/setup.py.in
+@@ -22,7 +22,7 @@ from setuptools import setup, Extension
+ extensions = [
+     Extension("_cracklib",
+         ["@srcdir@/_cracklib.c"],
+-        include_dirs = ["@top_srcdir@/lib"],
++        include_dirs = ["@top_builddir@", "@top_srcdir@/lib"],
+         libraries = ["crack"],
+         library_dirs = ["@top_builddir@/lib/.libs"]),
+ ]
+


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2023-03-17  2:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-14 20:57 [gentoo-commits] repo/gentoo:master commit in: sys-libs/cracklib/files/, sys-libs/cracklib/ Thomas Deutschmann
  -- strict thread matches above, loose matches on Subject: below --
2023-03-17  2:25 Sam James

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox