From: Fabrice Fontaine Date: Mon, 11 Mar 2019 18:42:35 +0000 (+0100) Subject: package/cracklib: bump to version 2.9.7 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=428a5029c7ab31bcb85d65f50f0a8b8189fc35e4;p=buildroot.git package/cracklib: bump to version 2.9.7 - Remove first two patches (already in version) - Add hash for license file Signed-off-by: Fabrice Fontaine Signed-off-by: Thomas Petazzoni --- diff --git a/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch b/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch deleted file mode 100644 index 6180c4ba55..0000000000 --- a/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001 -From: Jan Dittberner -Date: Thu, 25 Aug 2016 17:13:49 +0200 -Subject: [PATCH] Apply patch to fix CVE-2016-6318 - -This patch fixes an issue with a stack-based buffer overflow whne -parsing large GECOS field. See -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and -https://security-tracker.debian.org/tracker/CVE-2016-6318 for more -information. - -Signed-off-by: Stefan Sørensen ---- - -Status: upstream, not yet released. - - lib/fascist.c | 57 ++++++++++++++++++++++++++++++++----------------------- - 2 files changed, 34 insertions(+), 24 deletions(-) - -diff --git a/lib/fascist.c b/lib/fascist.c -index a996509..d4deb15 100644 ---- a/lib/fascist.c -+++ b/lib/fascist.c -@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos) - char gbuffer[STRINGSIZE]; - char tbuffer[STRINGSIZE]; - char *uwords[STRINGSIZE]; -- char longbuffer[STRINGSIZE * 2]; -+ char longbuffer[STRINGSIZE]; - - if (gecos == NULL) - gecos = ""; -@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos) - { - for (i = 0; i < j; i++) - { -- strcpy(longbuffer, uwords[i]); -- strcat(longbuffer, uwords[j]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) - { -- return _("it is derived from your password entry"); -- } -+ strcpy(longbuffer, uwords[i]); -+ strcat(longbuffer, uwords[j]); - -- strcpy(longbuffer, uwords[j]); -- strcat(longbuffer, uwords[i]); -+ if (GTry(longbuffer, password)) -+ { -+ return _("it is derived from your password entry"); -+ } - -- if (GTry(longbuffer, password)) -- { -- return _("it's derived from your password entry"); -- } -+ strcpy(longbuffer, uwords[j]); -+ strcat(longbuffer, uwords[i]); - -- longbuffer[0] = uwords[i][0]; -- longbuffer[1] = '\0'; -- strcat(longbuffer, uwords[j]); -+ if (GTry(longbuffer, password)) -+ { -+ return _("it's derived from your password entry"); -+ } -+ } - -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[j]) < STRINGSIZE - 1) - { -- return _("it is derivable from your password entry"); -+ longbuffer[0] = uwords[i][0]; -+ longbuffer[1] = '\0'; -+ strcat(longbuffer, uwords[j]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it is derivable from your password entry"); -+ } - } - -- longbuffer[0] = uwords[j][0]; -- longbuffer[1] = '\0'; -- strcat(longbuffer, uwords[i]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[i]) < STRINGSIZE - 1) - { -- return _("it's derivable from your password entry"); -+ longbuffer[0] = uwords[j][0]; -+ longbuffer[1] = '\0'; -+ strcat(longbuffer, uwords[i]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it's derivable from your password entry"); -+ } - } - } - } --- -2.9.3 - diff --git a/package/cracklib/0001-Force-grep-to-treat-the-input-as-text-when-formattin.patch b/package/cracklib/0001-Force-grep-to-treat-the-input-as-text-when-formattin.patch new file mode 100644 index 0000000000..b05a69caa2 --- /dev/null +++ b/package/cracklib/0001-Force-grep-to-treat-the-input-as-text-when-formattin.patch @@ -0,0 +1,30 @@ +From d27062fe7a520d5791f7a56d175a5cb6a39bae61 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= +Date: Tue, 18 Apr 2017 12:00:39 +0200 +Subject: [PATCH] Force grep to treat the input as text when formatting word + files. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stefan Sørensen +--- + util/cracklib-format | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/cracklib-format b/util/cracklib-format +index 1d7be5b..b1de8e8 100644 +--- a/util/cracklib-format ++++ b/util/cracklib-format +@@ -4,7 +4,7 @@ + # into cracklib-packer + # + gzip -cdf "$@" | +- grep -v '^\(#\|$\)' | ++ grep -a -v '^\(#\|$\)' | + tr '[A-Z]' '[a-z]' | + tr -cd '\012[a-z][0-9]' | + env LC_ALL=C sort -u +-- +2.9.3 + diff --git a/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch b/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch deleted file mode 100644 index 63525cc73d..0000000000 --- a/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001 -From: Jan Dittberner -Date: Thu, 25 Aug 2016 17:17:53 +0200 -Subject: [PATCH] Fix a buffer overflow processing long words - -A buffer overflow processing long words has been discovered. This commit -applies the patch from -https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch -by Howard Guo. - -See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and -http://www.openwall.com/lists/oss-security/2016/08/23/8 - -Signed-off-by: Stefan Sørensen ---- - -Status: upstream, not yet released. - - lib/rules.c | 5 ++--- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/lib/rules.c b/lib/rules.c -index d193cc0..3a2aa46 100644 ---- a/lib/rules.c -+++ b/lib/rules.c -@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */ - { - int limit; - register char *ptr; -- static char area[STRINGSIZE]; -- char area2[STRINGSIZE]; -- area[0] = '\0'; -+ static char area[STRINGSIZE * 2] = {0}; -+ char area2[STRINGSIZE * 2] = {0}; - strcpy(area, input); - - for (ptr = control; *ptr; ptr++) --- -2.9.3 - diff --git a/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch b/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch deleted file mode 100644 index b05a69caa2..0000000000 --- a/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d27062fe7a520d5791f7a56d175a5cb6a39bae61 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= -Date: Tue, 18 Apr 2017 12:00:39 +0200 -Subject: [PATCH] Force grep to treat the input as text when formatting word - files. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Stefan Sørensen ---- - util/cracklib-format | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/util/cracklib-format b/util/cracklib-format -index 1d7be5b..b1de8e8 100644 ---- a/util/cracklib-format -+++ b/util/cracklib-format -@@ -4,7 +4,7 @@ - # into cracklib-packer - # - gzip -cdf "$@" | -- grep -v '^\(#\|$\)' | -+ grep -a -v '^\(#\|$\)' | - tr '[A-Z]' '[a-z]' | - tr -cd '\012[a-z][0-9]' | - env LC_ALL=C sort -u --- -2.9.3 - diff --git a/package/cracklib/cracklib.hash b/package/cracklib/cracklib.hash index 3038a47a36..9bc8e3d28a 100644 --- a/package/cracklib/cracklib.hash +++ b/package/cracklib/cracklib.hash @@ -1,3 +1,4 @@ # Locally calculated -sha256 17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343 cracklib-2.9.6.tar.gz -sha256 27973245225eeb9d0090e97f3dea4197dec99b64d9d3a791a60298f3b021824c cracklib-words-2.9.6.gz +sha256 8b6fd202f3f1d8fa395d3b7a5d821227cfd8bb4a9a584a7ae30cf62cea6287dd cracklib-2.9.7.tar.gz +sha256 7f0c45faf84a2494f15d1e2720394aca4a379163a70c4acad948186c0047d389 cracklib-words-2.9.7.gz +sha256 f18a0811fa0e220ccbc42f661545e77f0388631e209585ed582a1c693029c6aa COPYING.LIB diff --git a/package/cracklib/cracklib.mk b/package/cracklib/cracklib.mk index aeee60d1e7..b9e3dc0d75 100644 --- a/package/cracklib/cracklib.mk +++ b/package/cracklib/cracklib.mk @@ -4,8 +4,8 @@ # ################################################################################ -CRACKLIB_VERSION = 2.9.6 -CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/cracklib-$(CRACKLIB_VERSION) +CRACKLIB_VERSION = 2.9.7 +CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/v$(CRACKLIB_VERSION) CRACKLIB_LICENSE = LGPL-2.1 CRACKLIB_LICENSE_FILES = COPYING.LIB CRACKLIB_INSTALL_STAGING = YES