No duplicating rules are enabled for the default rule set that is
run by the krb5-strength package, but close the latent security
vulnerability anyway.
Patch from Howard Guo <hguo@suse.com>.
* Close the dictionary after each password lookup.
* Set hidden visibility on all CrackLib symbols.
* Close the wfp file handle on PWClose if it's open.
+ * Applied various patches from distributions for security vulnerabilities.
+
+See the leading comments in each source file for a more detailed timeline
+and list of changes.
Below is the original changelog for CrackLib:
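Review bot: the new bullet is far vaguer than the three above it, which each name a concrete change; say what was applied here (the Mangle buffer enlargement for duplicating rules, as recorded in the source header) and, since this file is the place readers look for attribution, credit the origin of the patch as the other entries do.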
/*
* Modified as part of the krb5-strength project as follows:
*
+ * 2016-08-17 Howard Guo <hguo@suse.com>
+ * - Double the length of buffers in Mangle to provide enough space to
+ * handle duplicating rules.
* 2007-03-22 Russ Allbery <eagle@eyrie.org>
* - Cap deletion of leading or trailing characters at one more than half
* the length of the password string and no more than five characters.
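Review bot: the new timeline entry states that doubling the buffers is "enough space to handle duplicating rules", but that is only true if a rule string applies a single duplicating operation; the entry should either state that assumption or point at a length check in Mangle that enforces it, so a later reader does not take the doubled size as a proof of safety.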
int limit, min_to_shift;
register int j;
const char *ptr;
- static char area[STRINGSIZE];
- char area2[STRINGSIZE];
- area[0] = '\0';
+ static char area[STRINGSIZE * 2] = "";
+ char area2[STRINGSIZE * 2] = "";
strcpy(area, input);
j = strlen(input);
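Review bot: enlarging the buffers makes the overflow harder to reach but does not remove it: `strcpy(area, input);` still copies input with no check against sizeof(area), and any rule that duplicates more than once can still grow area past the doubled size. Suggest adding an explicit bound (reject the rule when the doubled length would not fit in sizeof(area)) alongside the bigger buffers. Separately, `static char area[STRINGSIZE * 2] = "";` initializes only once at program start, so it is not a replacement for the per-call `area[0] = '\0';` that this hunk removes; that is harmless here only because `strcpy(area, input);` immediately overwrites it, and a comment saying so would save the next reviewer the same check.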