Bugtraq mailing list archives
Re: buffer overflows in cracklib?!
From: alecm () CRYPTO DIRCON CO UK (Alec Muffett)
Date: Mon, 15 Dec 1997 20:59:26 +0000
> I just spoke with Alec Muffett, the author of cracklib and he pointed me to the new version (2.6) on his homepage: http://www.users.dircon.co.uk/~crypto/. I still see a lot of strcpy's, but that particular one is no longer a problem, and I haven't had the time to check the whole thing out thoroughly. CERT is supposed to be releasing an advisory about it soon...

Quite; indeed I enclose the posting I have made about it before in other forums, and have forwarded to (eg) CERT to pass on "as they see fit". I watch with interest to see what happens. JANET-CERT have already posted.

In the meantime - yes, there are still a few strcpy's, but I am not up to rewriting the whole damn thing from scratch in a rush in the wee hours of the morning and hoping to get it correct - however, fingers crossed, there should be no avenues for unboundschecked data to leak into the program and misbehave beyond the capabilities of the code to control it.

If some clever-clogs *does* find such an attack in the thorough nitpicking that I expect the new code to receive, I would ask that they contact me *first*, and give me some time to work on it. BUGTRAQ may be a full-disclosure list, but it does not have to be a "shooting your mouth off to prove how very clever you are" list. This comment is not directed at anyone in particular, I say it merely to highlight the common courtesy that would have spared my having to stay up until 3am in the morning getting a patch out.

- alec 8-)

Following a report on the BUGTRAQ maillist (having received *no* prior warning of this from the author of that message, Grrrrr....) I have placed patches and a new distribution of CrackLib - the password-sanity enforcement library - on my website at the following URL:

http://www.users.dircon.co.uk/~crypto/

MD5-signatures                    filenames
--------------                    ---------
3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc
7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc

Please check the MD5 signatures before using, to ensure you have the correct software.

These are preliminary patches to fix a security hole in CrackLib v2.5 which *may* be exploitable to obtain root privileges on machines where CrackLib is installed as part of a SUID program, such as "/bin/passwd".

This will also impact (eg) Linux systems where CrackLib is part of the PAM installation; where you are using a commercial operating system that utilises CrackLib, you are advised to contact your vendor for a patch.

I would appreciate feedback from the security community as to the efficacy, completeness, and portability of these patches, to the properly-adjusted e-mail address, below; I have tested the patches as best I can in the timeframe that I have been given, but one can only do so much in four hours flat.

- alec ("software, rots.")