diff --git a/cracklib-2.9.0-simplistic.patch b/cracklib-2.9.0-simplistic.patch
new file mode 100644
index 0000000..2d529eb
--- /dev/null
+++ b/cracklib-2.9.0-simplistic.patch
@@ -0,0 +1,94 @@
+diff -up cracklib-2.9.0/lib/fascist.c.simplistic cracklib-2.9.0/lib/fascist.c
+--- cracklib-2.9.0/lib/fascist.c.simplistic 2013-09-03 07:45:55.369653537 +0200
++++ cracklib-2.9.0/lib/fascist.c 2013-09-03 07:48:58.686759120 +0200
+@@ -55,7 +55,6 @@ static char *r_destructors[] = {
+ 
+ "/?p@?p", /* purging out punctuation/symbols/junk */
+ "/?s@?s",
+- "/?X@?X",
+ 
+ /* attempt reverse engineering of password strings */
+ 
+@@ -454,6 +453,12 @@ GTry(rawtext, password)
+ continue;
+ }
+ 
++ if (len - strlen(mp) >= 3)
++ {
++ /* purged too much */
++ continue;
++ }
++ 
+ #ifdef DEBUG
+ printf("%-16s = %-16s (destruct %s)\n", mp, rawtext, r_destructors[i]);
+ #endif
+@@ -480,6 +485,12 @@ GTry(rawtext, password)
+ continue;
+ }
+ 
++ if (len - strlen(mp) >= 3)
++ {
++ /* purged too much */
++ continue;
++ }
++ 
+ #ifdef DEBUG
+ printf("%-16s = %-16s (construct %s)\n", mp, password, r_constructors[i]);
+ #endif
+@@ -699,6 +710,7 @@ FascistLookUser(PWDICT *pwp, char *instr
+ char rpassword[STRINGSIZE];
+ char area[STRINGSIZE];
+ uint32_t notfound;
++ int len;
+ 
+ notfound = PW_WORDS(pwp);
+ /* already truncated if from FascistCheck() */
+@@ -748,6 +760,7 @@ FascistLookUser(PWDICT *pwp, char *instr
+ return _("it is all whitespace");
+ }
+ 
++ len = strlen(password);
+ i = 0;
+ ptr = password;
+ while (ptr[0] && ptr[1])
+@@ -759,10 +772,9 @@ FascistLookUser(PWDICT *pwp, char *instr
+ ptr++;
+ }
+ 
+- /* Change by Ben Karsin from ITS at University of Hawaii at Manoa. Static MAXSTEP
+- would generate many false positives for long passwords. */
+- maxrepeat = 3+(0.09*strlen(password));
+- if (i > maxrepeat)
++ /* We were still generating false positives for long passwords.
++ Just count systematic double as a single character. */
++ if (len - i < MINLEN)
+ {
+ return _("it is too simplistic/systematic");
+ }
+@@ -795,6 +807,12 @@ FascistLookUser(PWDICT *pwp, char *instr
+ continue;
+ }
+ 
++ if (len - strlen(a) >= 3)
++ {
++ /* purged too much */
++ continue;
++ }
++ 
+ #ifdef DEBUG
+ printf("%-16s (dict)\n", a);
+ #endif
+@@ -815,6 +833,13 @@ FascistLookUser(PWDICT *pwp, char *instr
+ {
+ continue;
+ }
++ 
++ if (len - strlen(a) >= 3)
++ {
++ /* purged too much */
++ continue;
++ }
++ 
+ #ifdef DEBUG
+ printf("%-16s (reversed dict)\n", a);
+ #endif
diff --git a/cracklib.spec b/cracklib.spec
index 9688d9e..7c263d1 100644
--- a/cracklib.spec
+++ b/cracklib.spec
@@ -5,7 +5,7 @@ Summary: A password-checking library
 Name: cracklib
 Version: 2.9.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: System Environment/Libraries
 Source0: http://prdownloads.sourceforge.net/cracklib/cracklib-%{version}.tar.gz
@@ -57,6 +57,7 @@ Patch2: cracklib-2.9.0-python-gzdicts.patch
 Patch3: cracklib-2.9.0-packlib-lookup.patch
 Patch4: cracklib-2.9.0-packlib-reentrant.patch
 Patch5: cracklib-2.9.0-packlib-gztype.patch
+Patch6: cracklib-2.9.0-simplistic.patch
 URL: http://sourceforge.net/projects/cracklib/
 License: LGPLv2+
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -130,6 +131,7 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po
 %patch3 -p1 -b .lookup
 %patch4 -p1 -b .reentrant
 %patch5 -p1 -b .gztype
+%patch6 -p1 -b .simplistic
 autoreconf -f -i
 mkdir cracklib-dicts
@@ -256,6 +258,10 @@ EOF
 %{_libdir}/../lib/python*/site-packages/*.py*
 %changelog
+* Tue Sep 3 2013 Tomáš Mráz - 2.9.0-5
+- make the simplistic check and the purging of special characters much
+ less aggressive (#1003624, #985378)
+
 * Wed Aug 28 2013 Tomáš Mráz - 2.9.0-4
 - revert compression of the dictionaries as the performance penalty is too big
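Review bot: The four new guards `if (len - strlen(mp) >= 3)` / `if (len - strlen(a) >= 3)` in the nested fascist.c patch mix a signed `len` (the `int len;` this patch declares in FascistLookUser; GTry's own `len` is declared outside the hunk and should be confirmed to be `int` as well) with the `size_t` result of `strlen()`, so the subtraction is performed unsigned and wraps whenever the mangled string is longer than the original — the wrapped value is always >= 3, the `continue` fires, and that candidate is silently never looked up in the dictionary. This bites hardest in the r_constructors loop (the second GTry hunk): any constructor rule that lengthens the string would no longer be checked at all, which weakens the check rather than merely making it less aggressive; the three destructor loops are affected only if a destructor rule can yield a longer string. Compare in one signedness instead, e.g. `if (len - (int)strlen(mp) >= 3)` or equivalently `if ((size_t)len >= strlen(mp) + 3)`, and the same with `a` in the two FascistLookUser hunks. The `/* purged too much */` comment also reads as destructor-only; if the constructor-loop guard is kept, a comment such as `/* constructed/purged string differs too much from the original */` would state what is actually being filtered.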