
Bug#689588: Please unblock cracklib2/2.8.19-2



Control: tags -1 moreinfo

On 2012-12-08 12:25, Jan Dittberner wrote:
> retitle 689588 unblock: cracklib2/2.8.19-2
> thanks
> 
> Dear release managers,
> 
> please unblock cracklib2/2.8.19-2 that I uploaded to unstable. See the
> debdiff that is already attached to the bug. The change is minimal and
> backward compatible. The test suite runs without problems with all supported
> Python versions (2.6, 2.7, 3.2).
> 
> 
> Best regards
> Jan
> 

Hi,

I have to admit, I would have appreciated if this change had been
upstreamed.  Anyhow, I guess that will be your headache and not mine... :)

In regards to the actual changes, I suspect they are flawed in the
"error"-path, see "cracklib2.review".

~Niels

+-    const char *result;
++    int result;
++    char *errmsg;
            ^^^^^^
Uninitialized, but almost certainly not NULL
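
Review bot: "char *errmsg;" in the new declarations has no initializer, yet the later "if (errmsg != NULL)" test reads it. Declare it as "const char *errmsg = NULL;" so the check is well defined when the callee stores nothing. The const qualifier matches the removed "const char *result;" that previously held the message.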

[...]

+     LOCK();
+-    result = FascistCheck(candidate, dict ? dict : defaultdict);
++    result = __DEBIAN_SPECIFIC__SafeFascistCheck(candidate,
++              dict ? dict : defaultdict, errmsg);

Passed as "char *" and not "char **", so the call will not change
to which string errmsg is pointing (but could change the content).

Note that __DEBIAN_SPECIFIC__SafeFascistCheck is trying to use it
by assigning to errmsg (see below), so I suspect you wanted to use
"&errmsg" here (and the changes below).

+     UNLOCK();

++      if (errmsg != NULL)
++      {
++          PyErr_SetString(PyExc_ValueError, errmsg);
                                              ^^^^^^

Use of uninitialized pointer...




++int
++__DEBIAN_SPECIFIC__SafeFascistCheck(password, path, errstr)
++    const char *password;
++    const char *path;
++    char *errstr;
      ^^^^^^^^^^^^^
I think this should have been "char **errstr;"
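
Review bot: the definition of __DEBIAN_SPECIFIC__SafeFascistCheck uses an old-style parameter list (names in the parentheses, types on the following lines), which by itself gives the compiler no prototype to check calls against. Once the third parameter becomes "char **errstr", a caller that still passes "errmsg" instead of "&errmsg" is only diagnosed if a prototype is in scope, so suggest a prototyped definition plus a matching declaration in the header.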



++    errstr = FascistLook(pwp, pwtrunced);
      ^^^^^^

... and this should have been:

      *errstr = FascistLook(pwp, pwtrunced);
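
Review bot: besides assigning through the pointer at the FascistLook call, the function should store NULL into "*errstr" on entry, because the caller decides whether to raise ValueError purely from "errmsg != NULL". Any return taken before this line would otherwise hand back whatever the caller's variable happened to hold.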

