Re: buffer overflows in cracklib?!

From: Alec Muffett (alecmat_private)
Date: Mon Dec 15 1997 - 12:59:26 PST


    >I just spoke with Alec Muffett, the author of cracklib and he pointed me
    >to the new version (2.6) on his homepage:
    >http://www.users.dircon.co.uk/~crypto/.  I still see a lot of strcpy's,
    >but that particular one is no longer a problem, and I haven't had the time
    >to check the whole thing out thoroughly.  CERT is supposed to be releasing
    >an advisory about it soon...
    
    Quite; indeed I enclose the posting I have made about it before in
    other forums, and have forwarded to (eg) CERT to pass on "as they see fit".
    
    I watch with interest to see what happens.  JANET-CERT have already posted.
    
    In the meantime - yes, there are still a few strcpy's, but I am not up
    to rewriting the whole damn thing from scratch in a rush in the wee
    hours of the morning and hoping to get it correct - however, fingers
    crossed, there should be no avenues for un-bounds-checked data to leak
    into the program and misbehave beyond the capabilities of the code to
    control it.
    
    If some clever-clogs *does* find such an attack in the thorough
    nitpicking that I expect the new code to receive, I would ask that
    they contact me *first*, and give me some time to work on it.
    
    BUGTRAQ may be a full-disclosure list, but it does not have to be a
    "shooting your mouth off to prove how very clever you are" list.
    
    This comment is not directed at anyone in particular, I say it merely
    to highlight the common courtesy that would have spared my having to
    stay up until 3am in the morning getting a patch out.
    
            - alec  8-)
    
     >Following a report on the BUGTRAQ maillist (having received *no* prior
     >warning of this from the author of that message, Grrrrr....) I have
     >placed patches and a new distribution of CrackLib - the password-sanity
     >enforcement library - on my website at the following URL:
     >
     >              http://www.users.dircon.co.uk/~crypto/
     >
     >      MD5-signatures                    filenames
     >      --------------                    ---------
     >      3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
     >      ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc
     >      7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
     >      247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
     >
     >Please check the MD5 signatures before using, to ensure you have the
     >correct software.
     >
     >These are preliminary patches to fix a security hole in CrackLib v2.5
     >which *may* be exploitable to obtain root privileges on machines where
     >CrackLib is installed as part of a SUID program, such as "/bin/passwd".
     >
     >This will also impact (eg) Linux systems where CrackLib is part of the
     >PAM installation; where you are using a commercial operating system
     >that utilises CrackLib, you are advised to contact your vendor for a patch.
     >
     >I would appreciate feedback from the security community as to the
     >efficacy, completeness, and portability of these patches, to the
     >properly-adjusted e-mail address, below; I have tested the patches as
     >best I can in the timeframe that I have been given, but one can only
     >do so much in four hours flat.
     >
     >      - alec ("software, rots.")
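The bug class discussed in this thread, as an added illustration that is not cracklib's own code (nor Alec's patch): a password-sanity helper copies the caller's candidate into a fixed stack buffer before case-folding it, once with unbounded strcpy() and once with an explicit length check. The buffer size PWLEN, the function names, the verdict codes and the "single repeated character" rule are all assumptions made for the example, not rules or values taken from cracklib. The caller is assumed to be a SUID program such as passwd(1), so the candidate is attacker-controlled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Working-buffer size assumed for this illustration; not cracklib's value. */
#define PWLEN 32

enum pw_verdict { PW_OK = 0, PW_TOO_LONG, PW_TOO_SHORT, PW_MONOTONE };

/* The pattern at issue: the candidate is copied into a fixed-size stack
 * buffer so it can be case-folded. strcpy() stops only at the NUL, so a
 * candidate of PWLEN bytes or more runs off the end of 'work' into whatever
 * the compiler placed after it (saved registers, the return address). In a
 * SUID program the unprivileged user chooses that candidate. Kept only for
 * contrast with check_candidate() below; never call it with untrusted input. */
size_t unsafe_fold(const char *candidate)
{
    char work[PWLEN];
    size_t i;

    strcpy(work, candidate);               /* no bounds check */
    for (i = 0; work[i] != '\0'; i++)
        work[i] = (char)tolower((unsigned char)work[i]);
    return i;                              /* folded length, for the caller */
}

/* Bounded replacement: measure first and refuse anything that would not fit
 * together with its terminator. Refusing beats silently truncating with
 * strncpy(): a truncated copy would make the library judge a different string
 * from the one the caller is about to store in the password file. */
enum pw_verdict check_candidate(const char *candidate)
{
    char work[PWLEN];
    size_t n = strlen(candidate);
    size_t i;

    if (n >= sizeof work)                  /* need room for the NUL as well */
        return PW_TOO_LONG;
    if (n < 6)                             /* assumed minimum length */
        return PW_TOO_SHORT;

    memcpy(work, candidate, n + 1);        /* n + 1 <= sizeof work, proven above */
    for (i = 0; i < n; i++)
        work[i] = (char)tolower((unsigned char)work[i]);

    /* One illustrative sanity rule (an assumption, not a cracklib rule):
     * reject a candidate that is a single repeated character once folded,
     * e.g. "AaAaAaAa". */
    for (i = 1; i < n; i++)
        if (work[i] != work[0])
            return PW_OK;
    return PW_MONOTONE;
}

int main(void)
{
    /* Constructed sample candidates; the last one is 40 bytes, over PWLEN. */
    const char *samples[] = {
        "correcthorse", "abc", "AaAaAaAa",
        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    };
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-42s -> verdict %d\n", samples[k],
               (int)check_candidate(samples[k]));
    return 0;
}
```

The check that matters is the `n >= sizeof work` comparison before any copy is made: it is the difference between a library that can be linked into a SUID binary and one that hands the caller's stack to whoever supplies the password. Note that strlen() on the candidate is itself safe only because the caller guarantees a NUL-terminated string; a library that cannot assume that would need to take an explicit length from its caller instead.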
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:36:13 PDT