[screen] check crypt output (#815605)

Lukáš Nykrýn lnykryn at fedoraproject.org
Thu Apr 26 10:40:22 UTC 2012


commit d105766b04a52cdaa9f7904f945a30ffd5c9cb0e
Author: Lukas Nykryn <lnykryn at redhat.com>
Date:   Thu Apr 26 12:22:45 2012 +0200

    check crypt output (#815605)

 screen-4.1.0-crypt.patch |  114 ++++++++++++++++++++++++++++++++++++++++++++++
 screen.spec              |    7 ++-
 2 files changed, 120 insertions(+), 1 deletions(-)
---
diff --git a/screen-4.1.0-crypt.patch b/screen-4.1.0-crypt.patch
new file mode 100644
index 0000000..0a61591
--- /dev/null
+++ b/screen-4.1.0-crypt.patch
@@ -0,0 +1,114 @@
+diff -Naur screen-orig/src/acls.c screen/src/acls.c
+--- screen-orig/src/acls.c	2012-03-07 06:05:35.000000000 -0500
++++ screen/src/acls.c	2012-04-23 22:57:03.595468724 -0400
+@@ -544,12 +544,25 @@
+ 
+       if (pw2 && *pw2 && *pw2 != '\377')	/* provided a system password */
+         {
+-	  if (!*pass ||				/* but needed none */
+-	      strcmp(crypt(pw2, pass), pass))
++	  if (!*pass)	 			/* but needed none */
+ 	    {
+ 	      debug("System password mismatch\n");
+ 	      sorry++;
+ 	    }
++	  else
++	    {
++	      char *cryptbuf =  crypt(pw2, pass);
++	      if(cryptbuf == NULL) 
++	       {
++	        debug("System crypt() failed\n");
++	        sorry++;
++	       }
++	      else if (strcmp(cryptbuf, pass))
++	       {
++	      debug("System password mismatch\n");
++	      sorry++;
++	       }
++	    }
+ 	}
+       else					/* no pasword provided */
+         if (*pass)				/* but need one */
+@@ -557,12 +570,29 @@
+ #endif
+       if (pw1 && *pw1 && *pw1 != '\377')	/* provided a screen password */
+ 	{
+-	  if (!*u->u_password ||		/* but needed none */
+-	      strcmp(crypt(pw1, u->u_password), u->u_password))
++	 char *cryptbuf;
++	  if (!*u->u_password)		/* but needed none */
+ 	    {
+ 	      debug("screen password mismatch\n");
+-              sorry++;
++	      sorry++;
+ 	    }
++	  else
++	   {
++	    cryptbuf = crypt(pw1, u->u_password);
++	    if (cryptbuf == NULL)
++	      {
++		debug("crypt() failed\n");
++		sorry++;
++	      }
++	    else
++	      {
++	      if(strcmp(cryptbuf, u->u_password))
++	       {
++		debug("screen password mismatch\n");
++		sorry++;
++	       }
++	      }
++	   }   
+ 	}
+       else					/* no pasword provided */
+         if (*u->u_password)			/* but need one */
+diff -Naur screen-orig/src/misc.c screen/src/misc.c
+--- screen-orig/src/misc.c	2012-03-07 06:05:35.000000000 -0500
++++ screen/src/misc.c	2012-04-23 22:34:56.740665509 -0400
+@@ -56,6 +56,8 @@
+ {
+   register char *cp;
+ 
++  if(str == NULL)
++    Panic(0, "SaveStr() received NULL - possibly failed crypt()");
+   if ((cp = malloc(strlen(str) + 1)) == NULL)
+     Panic(0, "%s", strnomem);
+   else
+diff -Naur screen-orig/src/process.c screen/src/process.c
+--- screen-orig/src/process.c	2012-03-07 06:05:35.000000000 -0500
++++ screen/src/process.c	2012-04-23 22:41:09.318930088 -0400
+@@ -6343,6 +6343,10 @@
+ 	salt[st] = 'A' + (int)((time(0) >> 6 * st) % 26);
+       salt[2] = 0;
+       buf = crypt(u->u_password, salt);
++      if(buf == NULL) {
++        Msg(0, "[ no working crypt() - no secure ]");
++	return;
++      }
+       bzero(u->u_password, strlen(u->u_password));
+       free((char *)u->u_password);
+       u->u_password = SaveStr(buf);
+diff -Naur screen-orig/src/socket.c screen/src/socket.c
+--- screen-orig/src/socket.c	2012-04-23 22:17:55.678316716 -0400
++++ screen/src/socket.c	2012-04-23 22:29:12.225173900 -0400
+@@ -1565,13 +1565,18 @@
+       c = *(unsigned char *)ibuf++;
+       if (c == '\r' || c == '\n')
+ 	{
++	  char *buf;
+ 	  up = D_user->u_password;
+ 	  pwdata->buf[l] = 0;
+-	  if (strncmp(crypt(pwdata->buf, up), up, strlen(up)))
++	  buf = crypt(pwdata->buf, up);
++	  if((buf == NULL) || (strncmp(buf, up, strlen(up))))
+ 	    {
+ 	      /* uh oh, user failed */
+ 	      bzero(pwdata->buf, sizeof(pwdata->buf));
+-	      AddStr("\r\nPassword incorrect.\r\n");
++	      if(buf==NULL)
++	      	AddStr("\r\ncrypt() failed.\r\n");
++	      else
++	      	AddStr("\r\nPassword incorrect.\r\n");
+ 	      D_processinputdata = 0;	/* otherwise freed by FreeDis */
+ 	      FreeDisplay();
+ 	      Msg(0, "Illegal reattach attempt from terminal %s.", pwdata->m.m_tty);
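Review bot: In the process.c hunk, the new `if(buf == NULL)` branch returns while `u->u_password` still holds the cleartext that was just passed to `crypt()` as the key, so the `bzero()`/`free()` on the lines after it is skipped on that path. The user is told `[ no working crypt() - no secure ]`, yet the field stays non-empty, and the acls.c and socket.c checks in this same patch would later pass that cleartext to `crypt()` as the stored hash. I would add `bzero(u->u_password, strlen(u->u_password));` ahead of the `return;` and reset the field to the function's "no password" value, which is not visible in this hunk. Separately, in the socket.c hunk `strncmp(buf, up, strlen(up))` compares zero bytes when `up` is empty and so reports a match; that comparison predates this patch, but it is worth confirming that the path cannot be reached with an empty stored password. The enclosing functions start and end outside every hunk shown.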
diff --git a/screen.spec b/screen.spec
index 80d40ac..e02d852 100644
--- a/screen.spec
+++ b/screen.spec
@@ -3,7 +3,7 @@
 Summary: A screen manager that supports multiple logins on one terminal
 Name: screen
 Version: 4.1.0
-Release: 0.9.20120314git3c2946%{?dist}
+Release: 0.10.20120314git3c2946%{?dist}
 License: GPLv2+
 Group: Applications/System
 URL: http://www.gnu.org/software/screen
@@ -26,6 +26,7 @@ Patch4: screen-cc.patch
 Patch5: screen-E3.patch
 Patch6: screen-4.1.0-suppress_remap.patch
 Patch7: screen-4.1.0-reattach.patch
+Patch8: screen-4.1.0-crypt.patch
 
 %description
 The screen utility allows you to have multiple logins on just one
@@ -46,6 +47,7 @@ support multiple logins on one terminal.
 %patch5 -p2 -b .E3
 %patch6 -p1 -b .suppress_remap
 %patch7 -p2 -b .reattach
+%patch8 -p2 -b .crypto
 
 
 %build
@@ -142,6 +144,9 @@ fi
 %endif
 
 %changelog
+* Wed Mar 28 2012 Lukáš Nykrýn <lnykryn at redhat.com> - 4.1.0-0.10.20120314git3c2946
+- check crypt output (#815605)
+
 * Wed Mar 28 2012 Lukáš Nykrýn <lnykryn at redhat.com> - 4.1.0-0.9.20120314git3c2946
 - fix for resuming screen in screen (#752622)
 

