[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 0/1] Cracklib security CVE-2016-6318

From: Leo Famulari
Subject: [PATCH 0/1] Cracklib security CVE-2016-6318
Date: Tue, 16 Aug 2016 22:49:54 -0400

A stack overflow in Cracklib that could potentially lead to arbitrary
code execution was just disclosed:

"When an application compiled against the cracklib libary, such as
"passwd" is used to parse the GECOS field, it could cause the
application to crash or execute arbitary code with the permissions of
the user running such an application."

The message recommends this patch:

For us, cracklib is used by libpwquality, which is used in turn by

Passwd is safe:
$ guix build --check shadow
shadow will be compiled with the following features:

        auditing support:               no
        CrackLib support:               no
        PAM support:                    yes
        suid account management tools:  yes
        SELinux support:                no
        ACL support:                    no
        Extended Attributes support:    no
        tcb support (incomplete):       no
        shadow group support:           yes
        S/Key support:                  no
        SHA passwords encryption:       yes
        nscd support:                   yes
        subordinate IDs support:        yes

Leo Famulari (1):
  gnu: cracklib: Fix CVE-2016-6318.

 gnu/                                      |  1 +
 gnu/packages/password-utils.scm                   |  2 +
 gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 +++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch


reply via email to

[Prev in Thread] Current Thread [Next in Thread]