[Cracklib-devel] Patches for long-standing cracklib bug
From: Mark S. <ms...@is...> - 2015-05-15 06:11:41
I've just found and fixed a very long-standing bug in cracklib. Patches attached.

EFFECTS: The standard distribution is allowing some passwords which are in the dictionary. Other distributions, such as the one that ships with Russ Allbery's krb5-strength-3.0, will end up disallowing many passwords that should be allowed, because it handles the case in FindPW() where GetPW() returns NULL differently.

CAUSE: Cracklib zeroes in on the right entry in the dictionary using strcmp(), which assumes that the input is sorted in order. However, the dictionary is normally sorted with sort(1). Modern sort(1) is localized, and the default is usually UTF-8. In order to get it to output the results that strcmp() is expecting, sort(1) needs to be run in the C locale.

DETECTION: To determine whether you're being bitten by this, try sorting your word list the way you do today before passing it into packer, then set LC_ALL=C and sort again. Compare the results. If there are any differences at all, you've got a problem.

HISTORY: It appears that in the past this bug has caused crashes, and code was introduced in r12 (February 2005, for version 2.7 I believe) to debug and avoid these crashes, but it seems nobody got to the root cause. In the current distribution, see lines 571-576 in lib/packlib.c -- those are clearly designed to address a situation which should never arise.

https://sourceforge.net/p/cracklib/code/HEAD/tree/trunk/cracklib/lib/packlib.c#l571

See also all the brute-force diagnostics wrapped with #if DEBUG to inspect the LWM and HWM. When the dictionary is out of order, sometimes the HWM will end up below the LWM, and it looks like someone had determined that this was happening and worked around it to avoid a crash, but never figured out why. That fix is incomplete. It addresses the crash and helps when the sort order problem is with the first character of two adjacent passwords, but doesn't help when the problem is anywhere other than the first character. As a result, it will sometimes fail to find a password that it should find, because it's looking in the wrong part of the dictionary.

PATCHES: I've attached two patches. The first simply adds "export LC_ALL=C" to the util/cracklib-format script, which ensures that sort(1) will output in the correct order. (One might argue that the locale should only be set for the sort command, not for the entire script. I'll leave it to others to determine whether that matters.) The second adds a warning to util/packer.c so this can be detected as early as possible -- when building the dictionary. It only generates a warning because I didn't want to leave a half-built dictionary, but I could see doing more to raise the alarm.

Mark

--
Mark Sirota, Associate Director, Identity and Access Management
University of Pennsylvania, Information Systems and Computing
ms...@up..., +1 215 573 7214
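
The failure mode and the build-time check described in the message above, as an added example that is not cracklib's code and not the attached patches. The word lists are constructed, and `first_out_of_order()` and `lookup()` are hypothetical helpers: a strcmp()-based binary search misses words that are present when the list is in locale collation order, and a pass over adjacent entries catches the problem before the dictionary is used.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample word lists (not taken from cracklib). */
/* Order typical of a case-insensitive locale collation. */
static const char *locale_sorted[] = {"apple", "Banana", "cherry", "Delta", "echo"};
/* Same words in byte order, which LC_ALL=C sort(1) and strcmp() agree on. */
static const char *c_sorted[] = {"Banana", "Delta", "apple", "cherry", "echo"};
#define NWORDS 5

/* Index of the first entry that sorts before its predecessor under
 * strcmp(), or -1 if the whole list is in strcmp() order. */
int first_out_of_order(const char **w, int n)
{
    for (int i = 1; i < n; i++)
        if (strcmp(w[i - 1], w[i]) > 0)
            return i;
    return -1;
}

/* Plain binary search with strcmp(): a hypothetical stand-in for any
 * lookup that assumes the list is in byte order. Returns index or -1. */
int lookup(const char **w, int n, const char *key)
{
    int lo = 0, hi = n - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        int c = strcmp(key, w[mid]);
        if (c == 0)
            return mid;
        if (c < 0)
            hi = mid - 1;
        else
            lo = mid + 1;
    }
    return -1;
}

int main(void)
{
    int bad = first_out_of_order(locale_sorted, NWORDS);
    if (bad >= 0)
        printf("warning: \"%s\" is out of strcmp() order\n", locale_sorted[bad]);
    printf("locale-sorted lookup of Banana: %d\n", lookup(locale_sorted, NWORDS, "Banana"));
    printf("C-sorted lookup of Banana: %d\n", lookup(c_sorted, NWORDS, "Banana"));
    return 0;
}
```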