doesn't apply since all the GECOS manipulation code was removed from
the embedded CrackLib in this package.)
+ Patch the mkdict and packer in the embedded copy of CrackLib to force
+ C locale when sorting (avoiding a corrupted dictionary) and warn and
+ skip out-of-order words rather than creating a corrupted dictionary.
+ Patch from Mark Sirota.
+
Update to rra-c-util 6.2:
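Review bot: The new entry says the sort fix avoids "a corrupted dictionary" but does not tell readers what to do about a dictionary they already built. A dictionary generated earlier under a non-C locale may contain out-of-order words, which the comment added to packer.c says will upset strcmp() in FindPW(). Suggest adding a sentence recommending that such dictionaries be rebuilt with this release, and noting that skipped words are reported only as warnings on stderr.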
* Use calloc in preference to malloc wherever appropriate.
* Close the wfp file handle on PWClose if it's open.
* Applied various patches from distributions for security vulnerabilities.
* Changed the type of some variables to size_t to avoid truncation.
+ * Forced locale in mkdict to avoid problems with non-C-locale sort.
+ * Added a warning to packer if processing out-of-order words.
See the leading comments in each source file for a more detailed timeline
and list of changes.
# and upwards.
###
+# Modified as part of the krb5-strength project as follows:
+#
+# 2016-11-06 Russ Allbery <eagle@eyrie.org>
+# - Force C locale when sorting to avoid creating a corrupt dictionary.
+
### in case of explosion, invoke "sort" with "-T" option pointing to a lot
### of free space in a directory somewhere.
+# Force C locale, since that's what packer expects.
+LC_ALL=C; export LC_ALL
+
SORT="sort"
###SORT="sort -T /tmp"
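Review bot: `LC_ALL=C; export LC_ALL` affects every command the script runs after this point, not only `$SORT`, while the comment mentions only packer. If the wider scope is intended, the comment should say so. It would also help to record why packer needs it: the check added to packer.c compares words with strcmp(), which is byte order, so the sort has to produce byte order as well.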
* - Add ANSI C protototypes for all functions.
* 2010-03-14 Russ Allbery <eagle@eyrie.org>
* - Use unsigned long instead of int32 to avoid printf warnings.
+ * 2016-11-06 Mark Sirota <msirota@isc.upenn.edu>
+ * - Display a warning when processing out-of-order input.
*/
#include "packer.h"
unsigned long readed;
unsigned long wrote;
PWDICT *pwp;
- char buffer[STRINGSIZE];
+ char buffer[STRINGSIZE], prev[STRINGSIZE];
if (argc <= 1)
{
}
wrote = 0;
+ prev[0] = '\0';
for (readed = 0; fgets(buffer, STRINGSIZE, stdin); /* nothing */)
{
continue;
}
+ /*
+ * If this happens, strcmp() in FindPW() in packlib.c will be unhappy.
+ */
+ if (strcmp(buffer, prev) < 0)
+ {
+ fprintf(stderr, "warning: input out of order: '%s' should not"
+ " follow '%s' (line %lu), skipping\n", buffer, prev,
+ readed);
+ continue;
+ }
+ strcpy(prev, buffer);
+
if (PutPW(pwp, buffer))
{
fprintf(stderr, "error: PutPW '%s' line %luy\n", buffer, readed);
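Review bot: In the new `strcmp(buffer, prev) < 0` branch the word is dropped with only a stderr warning followed by `continue`, and nothing in the visible lines counts or otherwise records the skipped entries. A build that loses words this way produces a password dictionary that silently lacks them. Suggest keeping a counter of skipped words and reporting the total at the end of the run, or returning a non-zero status when it is non-zero, so a dictionary build can detect the loss. Two smaller points: `strcpy(prev, buffer)` is safe only because both arrays are `STRINGSIZE` and `fgets` bounds `buffer`, which deserves a one-line comment, and the neighbouring PutPW error message has a stray `y` after `%lu` that could be fixed in the same change.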