[cracklib] make the simplistic check and the purging of special characters much

Tomáš Mráz tmraz at fedoraproject.org
Tue Sep 3 06:00:31 UTC 2013


commit d8d736852f9a8d0cc98fa65cf2bd0c2048975da7
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Tue Sep 3 08:00:17 2013 +0200

    make the simplistic check and the purging of special characters much
    
      less aggressive (#1003624, #985378)

 cracklib-2.9.0-simplistic.patch |   94 +++++++++++++++++++++++++++++++++++++++
 cracklib.spec                   |    8 +++-
 2 files changed, 101 insertions(+), 1 deletions(-)
---
diff --git a/cracklib-2.9.0-simplistic.patch b/cracklib-2.9.0-simplistic.patch
new file mode 100644
index 0000000..2d529eb
--- /dev/null
+++ b/cracklib-2.9.0-simplistic.patch
@@ -0,0 +1,94 @@
+diff -up cracklib-2.9.0/lib/fascist.c.simplistic cracklib-2.9.0/lib/fascist.c
+--- cracklib-2.9.0/lib/fascist.c.simplistic	2013-09-03 07:45:55.369653537 +0200
++++ cracklib-2.9.0/lib/fascist.c	2013-09-03 07:48:58.686759120 +0200
+@@ -55,7 +55,6 @@ static char *r_destructors[] = {
+ 
+     "/?p@?p",                   /* purging out punctuation/symbols/junk */
+     "/?s@?s",
+-    "/?X@?X",
+ 
+     /* attempt reverse engineering of password strings */
+ 
+@@ -454,6 +453,12 @@ GTry(rawtext, password)
+ 	    continue;
+ 	}
+ 
++	if (len - strlen(mp) >= 3)
++	{
++	    /* purged too much */
++	    continue;
++	}
++
+ #ifdef DEBUG
+ 	printf("%-16s = %-16s (destruct %s)\n", mp, rawtext, r_destructors[i]);
+ #endif
+@@ -480,6 +485,12 @@ GTry(rawtext, password)
+ 	    continue;
+ 	}
+ 
++	if (len - strlen(mp) >= 3)
++	{
++	    /* purged too much */
++	    continue;
++	}
++
+ #ifdef DEBUG
+ 	printf("%-16s = %-16s (construct %s)\n", mp, password, r_constructors[i]);
+ #endif
+@@ -699,6 +710,7 @@ FascistLookUser(PWDICT *pwp, char *instr
+     char rpassword[STRINGSIZE];
+     char area[STRINGSIZE];
+     uint32_t notfound;
++    int len;
+ 
+     notfound = PW_WORDS(pwp);
+     /* already truncated if from FascistCheck() */
+@@ -748,6 +760,7 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	return _("it is all whitespace");
+     }
+ 
++    len = strlen(password);
+     i = 0;
+     ptr = password;
+     while (ptr[0] && ptr[1])
+@@ -759,10 +772,9 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	ptr++;
+     }
+ 
+-    /*  Change by Ben Karsin from ITS at University of Hawaii at Manoa.  Static MAXSTEP 
+-        would generate many false positives for long passwords. */
+-    maxrepeat = 3+(0.09*strlen(password));
+-    if (i > maxrepeat)
++    /*  We were still generating false positives for long passwords.
++        Just count systematic double as a single character. */
++    if (len - i < MINLEN)
+     {
+ 	return _("it is too simplistic/systematic");
+     }
+@@ -795,6 +807,12 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	    continue;
+ 	}
+ 
++	if (len - strlen(a) >= 3)
++	{
++	    /* purged too much */
++	    continue;
++	}
++
+ #ifdef DEBUG
+ 	printf("%-16s (dict)\n", a);
+ #endif
+@@ -815,6 +833,13 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	{
+ 	    continue;
+ 	}
++
++	if (len - strlen(a) >= 3)
++	{
++	    /* purged too much */
++	    continue;
++	}
++
+ #ifdef DEBUG
+ 	printf("%-16s (reversed dict)\n", a);
+ #endif
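Review bot: The second `len - strlen(mp) >= 3` guard, in the r_constructors loop of GTry, subtracts in `size_t` when `len` is an `int` (its declaration in GTry is outside this hunk, but the one added to FascistLookUser is `int len;`), so any constructor rule that makes `mp` longer than the original wraps the difference to a huge value and the guard silently skips that candidate, which would disable those dictionary comparisons rather than merely relax them. If `len` is indeed `int`, the comparison should stay signed, e.g. `if (len - (int)strlen(mp) >= 3)`, or the guard should be limited to the destructor loops where mangling can only shorten the input. The same mixed-sign subtraction appears in the three destructor-loop guards of this patch; it cannot wrap there because purging never lengthens the string, but the cast would make that reasoning explicit. The GTry and FascistLookUser bodies both continue outside this hunk.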
diff --git a/cracklib.spec b/cracklib.spec
index 9688d9e..7c263d1 100644
--- a/cracklib.spec
+++ b/cracklib.spec
@@ -5,7 +5,7 @@
 Summary: A password-checking library
 Name: cracklib
 Version: 2.9.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: System Environment/Libraries
 Source0: http://prdownloads.sourceforge.net/cracklib/cracklib-%{version}.tar.gz
 
@@ -57,6 +57,7 @@ Patch2: cracklib-2.9.0-python-gzdicts.patch
 Patch3: cracklib-2.9.0-packlib-lookup.patch
 Patch4: cracklib-2.9.0-packlib-reentrant.patch
 Patch5: cracklib-2.9.0-packlib-gztype.patch
+Patch6: cracklib-2.9.0-simplistic.patch
 URL: http://sourceforge.net/projects/cracklib/
 License: LGPLv2+
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -130,6 +131,7 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po
 %patch3 -p1 -b .lookup
 %patch4 -p1 -b .reentrant
 %patch5 -p1 -b .gztype
+%patch6 -p1 -b .simplistic
 
 autoreconf -f -i
 mkdir cracklib-dicts
@@ -256,6 +258,10 @@ EOF
 %{_libdir}/../lib/python*/site-packages/*.py*
 
 %changelog
+* Tue Sep  3 2013 Tomáš Mráz <tmraz at redhat.com> - 2.9.0-5
+- make the simplistic check and the purging of special characters much
+  less aggressive (#1003624, #985378)
+
 * Wed Aug 28 2013 Tomáš Mráz <tmraz at redhat.com> - 2.9.0-4
 - revert compression of the dictionaries as the performance penalty is too big
 

