Skip to content

E
ez-zynq7
Switch branch/tag
Find file
Normal viewHistoryPermalink
0001-Apply-patch-to-fix-CVE-2016-6318.patch 2.88 KB
Newer Older
initial commit
b6eff43d
 
정종선 committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 
From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jan@dittberner.info>
Date: Thu, 25 Aug 2016 17:13:49 +0200
Subject: [PATCH] Apply patch to fix CVE-2016-6318

This patch fixes an issue with a stack-based buffer overflow whne
parsing large GECOS field. See
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
information.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---

Status: upstream, not yet released.

 lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
 2 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/lib/fascist.c b/lib/fascist.c
index a996509..d4deb15 100644
--- a/lib/fascist.c
+++ b/lib/fascist.c
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
     char gbuffer[STRINGSIZE];
     char tbuffer[STRINGSIZE];
     char *uwords[STRINGSIZE];
-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
 
     if (gecos == NULL)
 	gecos = "";
@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
     {
 	for (i = 0; i < j; i++)
 	{
-	    strcpy(longbuffer, uwords[i]);
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 	    {
-		return _("it is derived from your password entry");
-	    }
+		strcpy(longbuffer, uwords[i]);
+		strcat(longbuffer, uwords[j]);
 
-	    strcpy(longbuffer, uwords[j]);
-	    strcat(longbuffer, uwords[i]);
+		if (GTry(longbuffer, password))
+		{
+		    return _("it is derived from your password entry");
+		}
 
-	    if (GTry(longbuffer, password))
-	    {
-		return _("it's derived from your password entry");
-	    }
+		strcpy(longbuffer, uwords[j]);
+		strcat(longbuffer, uwords[i]);
 
-	    longbuffer[0] = uwords[i][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[j]);
+		if (GTry(longbuffer, password))
+		{
+		   return _("it's derived from your password entry");
+		}
+	    }
 
-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[j]) < STRINGSIZE - 1)
 	    {
-		return _("it is derivable from your password entry");
+		longbuffer[0] = uwords[i][0];
+		longbuffer[1] = '\0';
+		strcat(longbuffer, uwords[j]);
+
+		if (GTry(longbuffer, password))
+		{
+		    return _("it is derivable from your password entry");
+		}
 	    }
 
-	    longbuffer[0] = uwords[j][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[i]);
-
-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[i]) < STRINGSIZE - 1)
 	    {
-		return _("it's derivable from your password entry");
+		longbuffer[0] = uwords[j][0];
+		longbuffer[1] = '\0';
+		strcat(longbuffer, uwords[i]);
+
+		if (GTry(longbuffer, password))
+		{
+		    return _("it's derivable from your password entry");
+		}
 	    }
 	}
     }
-- 
2.9.3