* [gentoo-commits] repo/gentoo:master commit in: sys-libs/cracklib/files/, sys-libs/cracklib/
@ 2016-09-14 20:57 Thomas Deutschmann
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Deutschmann @ 2016-09-14 20:57 UTC (permalink / raw
To: gentoo-commits
commit: aac5b4f4a65ce70854e77014fa096b7bd2d34e43
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 14 20:55:05 2016 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Sep 14 20:57:44 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aac5b4f4
sys-libs/cracklib: Revision bump to address CVE-2016-6318 and another buffer overflow
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
Gentoo-Bug: https://bugs.gentoo.org/591456
Package-Manager: portage-2.3.0
sys-libs/cracklib/cracklib-2.9.6-r1.ebuild | 108 +++++++++++++++++++++
.../files/cracklib-2.9.6-CVE-2016-6318.patch | 108 +++++++++++++++++++++
...acklib-2.9.6-fix-long-word-bufferoverflow.patch | 43 ++++++++
3 files changed, 259 insertions(+)
diff --git a/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild
new file mode 100644
index 00000000..3767e64
--- /dev/null
+++ b/sys-libs/cracklib/cracklib-2.9.6-r1.ebuild
@@ -0,0 +1,108 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 )
+DISTUTILS_OPTIONAL=1
+
+inherit eutils distutils-r1 libtool multilib-minimal toolchain-funcs
+
+MY_P=${P/_}
+DESCRIPTION="Password Checking Library"
+HOMEPAGE="https://github.com/cracklib/cracklib/"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint"
+IUSE="nls python static-libs test zlib"
+
+RDEPEND="zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ python? (
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( dev-python/nose[${PYTHON_USEDEP}] )
+ )"
+RDEPEND="${RDEPEND}
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r6
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+
+S=${WORKDIR}/${MY_P}
+
+do_python() {
+ multilib_is_native_abi || return 0
+ use python || return 0
+ pushd python > /dev/null || die
+ distutils-r1_src_${EBUILD_PHASE}
+ popd > /dev/null
+}
+
+pkg_setup() {
+ # workaround #195017
+ if has unmerge-orphans ${FEATURES} && has_version "<${CATEGORY}/${PN}-2.8.10" ; then
+ eerror "Upgrade path is broken with FEATURES=unmerge-orphans"
+ eerror "Please run: FEATURES=-unmerge-orphans emerge cracklib"
+ die "Please run: FEATURES=-unmerge-orphans emerge cracklib"
+ fi
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/cracklib-2.9.6-CVE-2016-6318.patch
+ epatch "${FILESDIR}"/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
+
+ elibtoolize #269003
+ do_python
+}
+
+multilib_src_configure() {
+ export ac_cv_header_zlib_h=$(usex zlib)
+ export ac_cv_search_gzopen=$(usex zlib -lz no)
+ # use /usr/lib so that the dictionary is shared between ABIs
+ ECONF_SOURCE=${S} \
+ econf \
+ --with-default-dict='/usr/lib/cracklib_dict' \
+ --without-python \
+ $(use_enable nls) \
+ $(use_enable static-libs static)
+}
+
+multilib_src_compile() {
+ default
+ do_python
+}
+
+multilib_src_test() {
+ do_python
+}
+
+python_test() {
+ nosetests -w "${S}"/python || die "Tests fail with ${EPYTHON}"
+}
+
+multilib_src_install() {
+ default
+ # move shared libs to /
+ gen_usr_ldscript -a crack
+
+ do_python
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ prune_libtool_files
+ rm -r "${ED}"/usr/share/cracklib
+
+ insinto /usr/share/dict
+ doins dicts/cracklib-small || die
+}
+
+pkg_postinst() {
+ if [[ ${ROOT} == "/" ]] ; then
+ ebegin "Regenerating cracklib dictionary"
+ create-cracklib-dict "${EPREFIX}"/usr/share/dict/* > /dev/null
+ eend $?
+ fi
+}
diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch
new file mode 100644
index 00000000..bc47734
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.6-CVE-2016-6318.patch
@@ -0,0 +1,108 @@
+From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:13:49 +0200
+Subject: [PATCH] Apply patch to fix CVE-2016-6318
+
+This patch fixes an issue with a stack-based buffer overflow whne
+parsing large GECOS field. See
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
+https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
+information.
+---
+ src/NEWS | 1 +
+ src/lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 34 insertions(+), 24 deletions(-)
+
+diff --git a/src/NEWS b/src/NEWS
+index 26abeee..361a207 100644
+--- a/src/NEWS
++++ b/src/NEWS
+@@ -1,3 +1,4 @@
++v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+ migration to github
+ patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)
+diff --git a/src/lib/fascist.c b/src/lib/fascist.c
+index a996509..d4deb15 100644
+--- a/src/lib/fascist.c
++++ b/src/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+ char gbuffer[STRINGSIZE];
+ char tbuffer[STRINGSIZE];
+ char *uwords[STRINGSIZE];
+- char longbuffer[STRINGSIZE * 2];
++ char longbuffer[STRINGSIZE];
+
+ if (gecos == NULL)
+ gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+ {
+ for (i = 0; i < j; i++)
+ {
+- strcpy(longbuffer, uwords[i]);
+- strcat(longbuffer, uwords[j]);
+-
+- if (GTry(longbuffer, password))
++ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ {
+- return _("it is derived from your password entry");
+- }
++ strcpy(longbuffer, uwords[i]);
++ strcat(longbuffer, uwords[j]);
+
+- strcpy(longbuffer, uwords[j]);
+- strcat(longbuffer, uwords[i]);
++ if (GTry(longbuffer, password))
++ {
++ return _("it is derived from your password entry");
++ }
+
+- if (GTry(longbuffer, password))
+- {
+- return _("it's derived from your password entry");
+- }
++ strcpy(longbuffer, uwords[j]);
++ strcat(longbuffer, uwords[i]);
+
+- longbuffer[0] = uwords[i][0];
+- longbuffer[1] = '\0';
+- strcat(longbuffer, uwords[j]);
++ if (GTry(longbuffer, password))
++ {
++ return _("it's derived from your password entry");
++ }
++ }
+
+- if (GTry(longbuffer, password))
++ if (strlen(uwords[j]) < STRINGSIZE - 1)
+ {
+- return _("it is derivable from your password entry");
++ longbuffer[0] = uwords[i][0];
++ longbuffer[1] = '\0';
++ strcat(longbuffer, uwords[j]);
++
++ if (GTry(longbuffer, password))
++ {
++ return _("it is derivable from your password entry");
++ }
+ }
+
+- longbuffer[0] = uwords[j][0];
+- longbuffer[1] = '\0';
+- strcat(longbuffer, uwords[i]);
+-
+- if (GTry(longbuffer, password))
++ if (strlen(uwords[i]) < STRINGSIZE - 1)
+ {
+- return _("it's derivable from your password entry");
++ longbuffer[0] = uwords[j][0];
++ longbuffer[1] = '\0';
++ strcat(longbuffer, uwords[i]);
++
++ if (GTry(longbuffer, password))
++ {
++ return _("it's derivable from your password entry");
++ }
+ }
+ }
+ }
diff --git a/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
new file mode 100644
index 00000000..59dc9e5
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.6-fix-long-word-bufferoverflow.patch
@@ -0,0 +1,43 @@
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/NEWS b/src/NEWS
+index 361a207..f1df3b0 100644
+--- a/src/NEWS
++++ b/src/NEWS
+@@ -1,4 +1,5 @@
+ v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
++ fix a buffer overflow processing long words
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+ migration to github
+ patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/src/lib/rules.c
++++ b/src/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
+ {
+ int limit;
+ register char *ptr;
+- static char area[STRINGSIZE];
+- char area2[STRINGSIZE];
+- area[0] = '\0';
++ static char area[STRINGSIZE * 2] = {0};
++ char area2[STRINGSIZE * 2] = {0};
+ strcpy(area, input);
+
+ for (ptr = control; *ptr; ptr++)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-libs/cracklib/files/, sys-libs/cracklib/
@ 2023-03-17 2:25 Sam James
0 siblings, 0 replies; 2+ messages in thread
From: Sam James @ 2023-03-17 2:25 UTC (permalink / raw
To: gentoo-commits
commit: 27b7d30f1513c8aa741f0118ebd8af45984ea6c6
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Mar 17 02:24:43 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Mar 17 02:24:58 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27b7d30f
sys-libs/cracklib: fix Python bindings
- Fix Python bindings build and clean it up to be more idiomatic
- Use PEP517 for Python build too
Closes: https://bugs.gentoo.org/901719
Signed-off-by: Sam James <sam <AT> gentoo.org>
...lib-2.9.10.ebuild => cracklib-2.9.10-r1.ebuild} | 45 ++++++++++++++--------
.../files/cracklib-2.9.10-python-inc.patch | 20 ++++++++++
2 files changed, 48 insertions(+), 17 deletions(-)
diff --git a/sys-libs/cracklib/cracklib-2.9.10.ebuild b/sys-libs/cracklib/cracklib-2.9.10-r1.ebuild
similarity index 74%
rename from sys-libs/cracklib/cracklib-2.9.10.ebuild
rename to sys-libs/cracklib/cracklib-2.9.10-r1.ebuild
index 71fddeb64779..0553dfd808a8 100644
--- a/sys-libs/cracklib/cracklib-2.9.10.ebuild
+++ b/sys-libs/cracklib/cracklib-2.9.10-r1.ebuild
@@ -6,6 +6,7 @@ EAPI=8
# Note: ideally bump with sys-apps/cracklib-words
DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{9..11} )
inherit distutils-r1 libtool multilib-minimal usr-ldscript
@@ -31,19 +32,14 @@ DEPEND="
"
BDEPEND="
nls? ( sys-devel/gettext )
- python? (
- dev-python/setuptools[${PYTHON_USEDEP}]
- )
+ python? ( ${DISTUTILS_DEPS} )
"
-do_python() {
- multilib_is_native_abi || return 0
- use python || return 0
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.9.10-python-inc.patch
+)
- pushd python > /dev/null || die
- distutils-r1_src_${EBUILD_PHASE}
- popd > /dev/null || die
-}
+distutils_enable_tests unittest
pkg_setup() {
# Workaround bug #195017
@@ -57,10 +53,12 @@ pkg_setup() {
src_prepare() {
default
- # bug ##269003
+ # bug #269003
elibtoolize
- do_python
+ if use python ; then
+ distutils-r1_src_prepare
+ fi
}
multilib_src_configure() {
@@ -81,18 +79,28 @@ multilib_src_configure() {
multilib_src_compile() {
default
- do_python
+ if multilib_is_native_abi && use python ; then
+ local -x CFLAGS="${CFLAGS} -DLOCALEDIR='\"${EPREFIX}/usr/share/locale\"' -DDEFAULT_CRACKLIB_DICT=\'${EPREFIX}/usr/lib/cracklib_dict\'"
+ cd python || die
+ distutils-r1_src_compile
+ fi
}
multilib_src_test() {
default
- # Make sure we load the freshly built library
- LD_LIBRARY_PATH="${BUILD_DIR}/lib/.libs:${LD_LIBRARY_PATH}" do_python
+ if multilib_is_native_abi && use python ; then
+ distutils-r1_src_test
+ fi
}
python_test() {
- ${EPYTHON} -m unittest test_cracklib || die "Tests fail with ${EPYTHON}"
+ cd "${S}"/python || die
+
+ # Make sure we load the freshly built library
+ local -x LD_LIBRARY_PATH="${BUILD_DIR/-${EPYTHON/./_}}/lib/.libs:${BUILD_DIR}/lib:${LD_LIBRARY_PATH}"
+
+ eunittest
}
multilib_src_install() {
@@ -101,7 +109,10 @@ multilib_src_install() {
# Move shared libs to /
gen_usr_ldscript -a crack
- do_python
+ if multilib_is_native_abi && use python ; then
+ cd python || die
+ distutils-r1_src_install
+ fi
}
multilib_src_install_all() {
diff --git a/sys-libs/cracklib/files/cracklib-2.9.10-python-inc.patch b/sys-libs/cracklib/files/cracklib-2.9.10-python-inc.patch
new file mode 100644
index 000000000000..fd9960df0e8f
--- /dev/null
+++ b/sys-libs/cracklib/files/cracklib-2.9.10-python-inc.patch
@@ -0,0 +1,20 @@
+https://github.com/cracklib/cracklib/pull/61
+
+From 802cbc426779489d44d7fc19e695e7d962c65665 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Fri, 17 Mar 2023 02:20:19 +0000
+Subject: [PATCH] python: adjust include path for builddir
+
+We need this for config.h added by 2e0f854bada720ff4fbd13aed4f87087d466274d.
+--- a/python/setup.py.in
++++ b/python/setup.py.in
+@@ -22,7 +22,7 @@ from setuptools import setup, Extension
+ extensions = [
+ Extension("_cracklib",
+ ["@srcdir@/_cracklib.c"],
+- include_dirs = ["@top_srcdir@/lib"],
++ include_dirs = ["@top_builddir@", "@top_srcdir@/lib"],
+ libraries = ["crack"],
+ library_dirs = ["@top_builddir@/lib/.libs"]),
+ ]
+
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-03-17 2:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-14 20:57 [gentoo-commits] repo/gentoo:master commit in: sys-libs/cracklib/files/, sys-libs/cracklib/ Thomas Deutschmann
-- strict thread matches above, loose matches on Subject: below --
2023-03-17 2:25 Sam James
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox