On Wed, Dec 12, 2012 at 09:26:01AM +0100, Niels Thykier wrote: > On 2012-12-12 09:04, Niels Thykier wrote: > > Control: tags -1 moreinfo > > > > On 2012-12-08 12:25, Jan Dittberner wrote: > >> please unblock cracklib2/2.8.19-2 that I uploaded to unstable. See the > >> debdiff that is already attached to the bug. The change is minimal and > >> backward compatible. The test suite runs without problems with all supported > >> Python versions (2.6, 2.7, 3.2). > >> > >> > >> Best regards > >> Jan > > > > I have to admit, I would have appreciated if this change had been > > upstreamed. Anyhow, I guess that will be your headache and not mine... :) > > > > [...] > > I just saw your original mail from Oct. 4th, so never mind the above > comment. I think the use of __DEBIAN_SPECIFIC__SafeFascistCheck will be > okay for Wheezy (considering it avoids an API transition). > > Sorry for the delay in getting back to you (on your mail from Oct.), I just uploaded an updated package with Markus' updated patch (cracklib2_2.8.19-3) to unstable. The debdiffs from the version in testing (2.8.19-1) and the version you already looked at (2.8.19-2) are attached to this mail. Please unblock the new version. Best regards Jan -- Jan Dittberner - Debian Developer GPG-key: 4096R/558FB8DD 2009-05-10 B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD http://www.dittberner.info/
diff -Nru cracklib2-2.8.19/debian/changelog cracklib2-2.8.19/debian/changelog --- cracklib2-2.8.19/debian/changelog 2012-05-20 01:24:15.000000000 +0200 +++ cracklib2-2.8.19/debian/changelog 2012-12-12 22:57:15.000000000 +0100 @@ -1,3 +1,20 @@ +cracklib2 (2.8.19-3) unstable; urgency=low + + * update debian/patches/libcrack2-error-safer-check-variant.patch with + fixed version from http://bugs.debian.org/cgi- + bin/bugreport.cgi?bug=689588#29 + + -- Jan Dittberner <jandd@debian.org> Wed, 12 Dec 2012 22:56:46 +0100 + +cracklib2 (2.8.19-2) unstable; urgency=low + + * add debian/patches/libcrack2-error-safer-check-variant.patch to provide + __DEBIAN_SPECIFIC__SafeFascistCheck that does not call exit (Closes: + #682735) + * add __DEBIAN_SPECIFIC__SafeFascistCheck to debian/libcrack2.symbols + + -- Jan Dittberner <jandd@debian.org> Tue, 02 Oct 2012 09:15:16 +0200 + cracklib2 (2.8.19-1) unstable; urgency=low * New upstream version diff -Nru cracklib2-2.8.19/debian/libcrack2.symbols cracklib2-2.8.19/debian/libcrack2.symbols --- cracklib2-2.8.19/debian/libcrack2.symbols 2012-05-20 01:24:15.000000000 +0200 +++ cracklib2-2.8.19/debian/libcrack2.symbols 2012-12-12 22:57:15.000000000 +0100 @@ -27,3 +27,4 @@ Trim@Base 2.8.12 Uppercase@Base 2.8.12 GetDefaultCracklibDict@Base 2.8.14 + __DEBIAN_SPECIFIC__SafeFascistCheck@Base 2.8.19-2~ diff -Nru cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch --- cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch 1970-01-01 01:00:00.000000000 +0100 +++ cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch 2012-12-12 22:57:15.000000000 +0100 
@@ -0,0 +1,189 @@ +Subject: add a safer check variant +Author: Markus Wanner <markus@bluegap.ch> +Bug-Debian: http://bugs.debian.org/682735 +--- a/lib/fascist.c ++++ b/lib/fascist.c +@@ -879,6 +879,48 @@ + return res; + } + ++/* This Debian specific method is a work-around for Debian #682735. Please ++ do not rely on it being available in future verisons of cracklib2. */ ++int ++__DEBIAN_SPECIFIC__SafeFascistCheck(password, path, errstr) ++ const char *password; ++ const char *path; ++ char **errstr; ++{ ++ PWDICT *pwp; ++ char pwtrunced[STRINGSIZE]; ++ ++ /* If passed null for the path, use a compiled-in default */ ++ if ( ! path ) ++ { ++ path = DEFAULT_CRACKLIB_DICT; ++ } ++ ++ /* security problem: assume we may have been given a really long ++ password (buffer attack) and so truncate it to a workable size; ++ try to define workable size as something from which we cannot ++ extend a buffer beyond its limits in the rest of the code */ ++ ++ strncpy(pwtrunced, password, TRUNCSTRINGSIZE); ++ pwtrunced[TRUNCSTRINGSIZE - 1] = '\0'; /* enforce */ ++ ++ /* perhaps someone should put something here to check if password ++ is really long and syslog() a message denoting buffer attacks? 
*/ ++ ++ if (!(pwp = PWOpen(path, "r"))) ++ { ++ return 0; ++ } ++ ++ /* sure seems like we should close the database, since we're only likely to check one password */ ++ *errstr = FascistLook(pwp, pwtrunced); ++ ++ PWClose(pwp); ++ pwp = (PWDICT *)0; ++ ++ return 1; ++} ++ + const char * + GetDefaultCracklibDict() + { +--- a/python/_cracklibmodule.c ++++ b/python/_cracklibmodule.c +@@ -42,6 +42,7 @@ + #ifdef HAVE_LIBINTL_H + #include <libintl.h> + #endif ++#include <errno.h> + + #ifdef HAVE_PTHREAD_H + static pthread_mutex_t cracklib_mutex = PTHREAD_MUTEX_INITIALIZER; +@@ -74,7 +75,8 @@ + { + char *candidate, *dict; + char *defaultdict = NULL; +- const char *result; ++ int result; ++ char *errmsg; + struct stat st; + char *keywords[] = {"pw", "dictpath", NULL}; + char *dictfile; +@@ -148,7 +150,8 @@ + #endif + + LOCK(); +- result = FascistCheck(candidate, dict ? dict : defaultdict); ++ result = __DEBIAN_SPECIFIC__SafeFascistCheck(candidate, ++ dict ? dict : defaultdict, &errmsg); + UNLOCK(); + + if (defaultdict != NULL) +@@ -156,11 +159,26 @@ + free(defaultdict); + } + +- if (result != NULL) ++ if (result) + { +- PyErr_SetString(PyExc_ValueError, result); +- return NULL; ++ if (errmsg != NULL) ++ { ++ PyErr_SetString(PyExc_ValueError, errmsg); ++ return NULL; ++ } ++ } else { ++ if (errno == 0) ++ { ++ PyErr_SetString(PyExc_RuntimeError, "Unable to read cracklib dictionary."); ++ return NULL; ++ } ++ else ++ { ++ PyErr_SetFromErrnoWithFilename(PyExc_ValueError, "/var/cache/cracklib_dict.*"); ++ return NULL; ++ } + } ++ + return Py_BuildValue("s", candidate); + } + +--- a/lib/crack.h ++++ b/lib/crack.h +@@ -15,6 +15,14 @@ + + extern const char *FascistCheck(const char *pw, const char *dictpath); + ++/* This Debian specific method is a work-around for Debian #682735. Please ++ do not rely on it being available in future verisons of cracklib2. ++ Returns 1 (true) for success and 0 (false) in case an error occurred ++ opening or reading the dictionary. 
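Review bot: `__DEBIAN_SPECIFIC__SafeFascistCheck` never writes `*errstr` on the `PWOpen()` failure path (`return 0;`), so a caller that reads the out-parameter without first checking the return value sees stack garbage — the Python caller declares `char *errmsg;` uninitialised and relies on the contract alone. Initialising it at entry, `*errstr = NULL;` right after the `path` default, makes the failure path safe regardless of caller discipline. The `strncpy(pwtrunced, password, TRUNCSTRINGSIZE)` into a `STRINGSIZE` buffer looks copied from FascistCheck and only holds if TRUNCSTRINGSIZE ≤ STRINGSIZE, which is defined outside the hunk; a one-line comment stating that bound would make the truncation reviewable. Identifiers beginning with a double underscore are reserved for the implementation in C; the intent to mark the symbol Debian-private is clear, but a `debian_`-style prefix would achieve that without landing in the reserved namespace.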
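Review bot: the Python wrapper inspects `errno` only after `UNLOCK()` and `free(defaultdict)` have run, and errno is not cleared before the call either, so a dictionary-open failure can be reported with a stale or clobbered errno. Set `errno = 0;` before the call and snapshot it immediately after, `int saved_errno = errno;` ahead of `UNLOCK();`, then branch on `saved_errno`. `PyErr_SetFromErrnoWithFilename(PyExc_ValueError, "/var/cache/cracklib_dict.*")` also hard-codes a path even when the caller supplied `dictpath`, so the exception names the wrong file; pass `dict ? dict : defaultdict` instead, which means raising before `defaultdict` is freed or copying the path first. Raising `ValueError` for an open/read failure conflates "bad password" with "broken installation"; `OSError` (what `PyErr_SetFromErrnoWithFilename` is designed for) or the `RuntimeError` used on the other branch would let callers tell them apart.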
In the later case, please check ++ errno. */ ++extern int __DEBIAN_SPECIFIC__SafeFascistCheck(const char *pw, ++ const char *dictpath, char **errmsg); ++ + /* This function returns the compiled in value for DEFAULT_CRACKLIB_DICT. + */ + extern const char *GetDefaultCracklibDict(void); +--- a/lib/packlib.c ++++ b/lib/packlib.c +@@ -16,6 +16,7 @@ + #ifdef HAVE_STDINT_H + #include <stdint.h> + #endif ++#include <errno.h> + #include "packer.h" + + static const char vers_id[] = "packlib.c : v2.3p2 Alec Muffett 18 May 1993"; +@@ -156,6 +157,7 @@ + if (!fread((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp)) + { + fprintf(stderr, "%s: error reading header\n", prefix); ++ errno = 0; + + pdesc.header.pih_magic = 0; + fclose(ifp); +@@ -179,6 +181,7 @@ + if (!fread((char *) &pdesc64.header, sizeof(pdesc64.header), 1, ifp)) + { + fprintf(stderr, "%s: error reading header\n", prefix); ++ errno = 0; + + pdesc.header.pih_magic = 0; + fclose(ifp); +@@ -198,6 +201,7 @@ + { + /* nope, not "64-bit" after all */ + fprintf(stderr, "%s: error reading header\n", prefix); ++ errno = 0; + + pdesc.header.pih_magic = 0; + fclose(ifp); +@@ -224,6 +228,7 @@ + if (pdesc.header.pih_magic != PIH_MAGIC) + { + fprintf(stderr, "%s: magic mismatch\n", prefix); ++ errno = 0; + + pdesc.header.pih_magic = 0; + fclose(ifp); +@@ -244,6 +249,7 @@ + if (pdesc.header.pih_numwords < 1) + { + fprintf(stderr, "%s: invalid word count\n", prefix); ++ errno = 0; + + pdesc.header.pih_magic = 0; + fclose(ifp); +@@ -263,6 +269,7 @@ + if (pdesc.header.pih_blocklen != NUMWORDS) + { + fprintf(stderr, "%s: size mismatch\n", prefix); ++ errno = 0; + + pdesc.header.pih_magic = 0; + fclose(ifp); diff -Nru cracklib2-2.8.19/debian/patches/series cracklib2-2.8.19/debian/patches/series --- cracklib2-2.8.19/debian/patches/series 2012-05-20 01:24:15.000000000 +0200 +++ cracklib2-2.8.19/debian/patches/series 2012-12-12 22:57:15.000000000 +0100 
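Review bot: the `errno = 0;` added after each `fprintf(stderr, "%s: error reading header\n", prefix);` in PWOpen clears errno even when `fread()` failed because of a genuine I/O error, so the "check errno" contract promised in crack.h then reports a corrupt dictionary where the read actually returned, say, EIO. Only the short-file case is a format problem: guard the reset with `if (!ferror(ifp)) errno = 0;`, or clear errno before the `fread()` and leave it alone afterwards. The `fclose(ifp)` that follows each reset can itself set errno on failure, so if the zero is meant to reach the caller the reset belongs after the close. The resets after the magic, word-count and block-length checks are pure format failures and are fine as written; the enclosing PWOpen body starts before this hunk.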
@@ -1,2 +1,3 @@
 install-debian-python-modules.patch
 pass-dict-to-cracklib-test.patch
+libcrack2-error-safer-check-variant.patch
diff -Nru cracklib2-2.8.19/debian/changelog cracklib2-2.8.19/debian/changelog --- cracklib2-2.8.19/debian/changelog 2012-10-02 09:15:24.000000000 +0200 +++ cracklib2-2.8.19/debian/changelog 2012-12-12 22:57:15.000000000 +0100 @@ -1,3 +1,11 @@ +cracklib2 (2.8.19-3) unstable; urgency=low + + * update debian/patches/libcrack2-error-safer-check-variant.patch with + fixed version from http://bugs.debian.org/cgi- + bin/bugreport.cgi?bug=689588#29 + + -- Jan Dittberner <jandd@debian.org> Wed, 12 Dec 2012 22:56:46 +0100 + cracklib2 (2.8.19-2) unstable; urgency=low * add debian/patches/libcrack2-error-safer-check-variant.patch to provide diff -Nru cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch --- cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch 2012-10-02 09:15:24.000000000 +0200 +++ cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch 2012-12-12 22:57:15.000000000 +0100 @@ -13,7 +13,7 @@ +__DEBIAN_SPECIFIC__SafeFascistCheck(password, path, errstr) + const char *password; + const char *path; -+ char *errstr; ++ char **errstr; +{ + PWDICT *pwp; + char pwtrunced[STRINGSIZE]; @@ -41,7 +41,7 @@ + } + + /* sure seems like we should close the database, since we're only likely to check one password */ -+ errstr = FascistLook(pwp, pwtrunced); ++ *errstr = FascistLook(pwp, pwtrunced); + + PWClose(pwp); + pwp = (PWDICT *)0; @@ -78,7 +78,7 @@ LOCK(); - result = FascistCheck(candidate, dict ? dict : defaultdict); + result = __DEBIAN_SPECIFIC__SafeFascistCheck(candidate, -+ dict ? dict : defaultdict, errmsg); ++ dict ? dict : defaultdict, &errmsg); UNLOCK(); if (defaultdict != NULL) 
@@ -124,7 +124,7 @@ + opening or reading the dictionary. In the later case, please check + errno. */ +extern int __DEBIAN_SPECIFIC__SafeFascistCheck(const char *pw, -+ const char *dictpath, char *errmsg); ++ const char *dictpath, char **errmsg); + /* This function returns the compiled in value for DEFAULT_CRACKLIB_DICT. */
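Review bot: the prototype comment for `__DEBIAN_SPECIFIC__SafeFascistCheck` still leaves the success-side contract of `*errmsg` undocumented: on the fascist.c side of this patch it receives the result of `FascistLook()`, which callers must know not to free, and it is presumably NULL when the password is accepted (the Python caller tests `errmsg != NULL` to decide whether to raise). Suggest extending the header comment with: `On success *errmsg is NULL if the password was accepted, otherwise it points to a read-only explanation owned by the library that must not be freed or modified.` The signature also drops the `const` that FascistCheck's `const char *` return carries, so `const char **errmsg` would express that ownership in the type; whether FascistLook's string is static rather than allocated should be confirmed against its definition before documenting it. The comment has two typos worth fixing while touching it: `verisons` → `versions` and `In the later case` → `In the latter case`.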