[5802] in bugtraq
Re: buffer overflows in cracklib?!
daemon@ATHENA.MIT.EDU (Alec Muffett)
Tue Dec 16 01:54:47 1997
Date: Mon, 15 Dec 1997 20:59:26 +0000
Reply-To: Alec Muffett <alecm@CRYPTO.DIRCON.CO.UK>
From: Alec Muffett <alecm@CRYPTO.DIRCON.CO.UK>
X-To: Rick Byers <rickb@IAW.ON.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 15 Dec 1997 10:23:01 EST."
<Pine.NEB.3.96.971215102049.284B-100000@rn-re122a05>
>I just spoke with Alec Muffett, the author of cracklib and he pointed me
>to the new version (2.6) on his homepage:
>http://www.users.dircon.co.uk/~crypto/. I still see a lot of strcpy's,
>but that particular one is no longer a problem, and I havn't had the time
>to check the whole thing out thoroughly. CERT is supposed to be releasing
>and advisory about it soon...
Quite; indeed I enclose the posting I have made about it before in
other forums, and have forwarded to (eg) CERT to pass on "as they see fit".
I watch with interest to see what happens. JANET-CERT have already posted.
In the meantime - yes, there are still a few strcpy's, but I am not up
to rewriting the whole damn thing from scratch in a rush in the wee
hours of the morning and hoping to get it correct - however, fingers
crossed, there should be no avenues for unboundschecked data to leak
into the program and misbehave beyond the capabilities of the code to
control it.
If some clever-clogs *does* find such an attack in the thorough
nitpicking that I expect the new code to receive, I would ask that
they contact me *first*, and give me some time to work on it.
BUGTRAQ may be a full-disclosure list, but it does not have to be a
"shooting your mouth off to prove how very clever you are" list.
This comment is not directed at anyone in particular, I say it merely
to highlight the common courtesy that would have spared my having to
stay up until 3am in the morning getting a patch out.
- alec 8-)
>Following a report on the BUGTRAQ maillist (having received *no* prior
>warning of this from the author of that message, Grrrrr....) I have
>placed patches and a new distribution of CrackLib - the password-sanity
>enforcement library - on my website at the following URL:
>
> http://www.users.dircon.co.uk/~crypto/
>
> MD5-signatures filenames
> -------------- ---------
> 3933d0b56695f38535a5be3b57ccb60f cracklib26_small.diff
> ec0e3714bc95ab2f2352a4438de17e7c cracklib26_small.diff.asc
> 7181205d70afcf75bb2240678b6be855 cracklib26_small.tgz
> 247ad535f3e84bf586f7c31197ad1774 cracklib26_small.tgz.asc
>
>Please check the MD5 signatures before using, to ensure you have the
>correct software.
>
>These are preliminary patches to fix a security hole in CrackLib v2.5
>which *may* be exploitable to obtain root privileges on machines where
>CrackLib is installed as part of a SUID program, such as "/bin/passwd".
>
>This will also impact (eg) Linux systems where CrackLib is part of the
>PAM installation; where you are using a commercial operating system
>that utilises CrackLib, you are advised to contact your vendor for a patch.
>
>I would appreciate feedback from the security community as to the
>efficacy, completeness, and portability of these patches, to the
>properly-adjusted e-mail address, below; I have tested the patches as
>best I can in the timeframe that I have been given, but one can only
>do so much in four hours flat.
>
> - alec ("software, rots.")
