Package: libc6
Version: 2.17-6
Severity: important

Hi,

GNU libc6 in sid is breaking GNU CVS; some operations can
cause a segfault. I’ve tracked it down to:

tglase@tglase:~ $ cat x.c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void tst(const char *, const char *);
void tst(const char *x, const char *y) {
        const char *z;
        int e;

        z = crypt(x, y);
        e = errno;
        printf("tst(\"%s\", \"%s\")\n -> %p %s\n -> %s\n",
            x, y, z, z?z:"(null)", z?"(ok)":strerror(e));
}

int main(void) {
        tst("foo", "xy7k69x/M/s7g");
        tst("bar", "xy7k69x/M/s7g");
        tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d");
        return (0);
}
tglase@tglase:~ $ gcc -O2 -o x x.c -lcrypt
tglase@tglase:~ $ ./x
tst("foo", "xy7k69x/M/s7g")
 -> 0xf77b7140 xy7k69x/M/s7g
 -> (ok)
tst("bar", "xy7k69x/M/s7g")
 -> 0xf77b7140 xy5FOaP3Hea0k
 -> (ok)
tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
 -> (nil) (null)
 -> Invalid argument
tglase@tglase:~ $ scp x ${wheezysystem}:
x                                                                              
100% 5707     5.6KB/s   00:00
tglase@tglase:~ $ ssh ${wheezysystem} ./x
tst("foo", "xy7k69x/M/s7g")
 -> 0xb7742140 xy7k69x/M/s7g
 -> (ok)
tst("bar", "xy7k69x/M/s7g")
 -> 0xb7742140 xy5FOaP3Hea0k
 -> (ok)
tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
 -> 0xb7742140 %q7LLO/mNILqg
 -> (ok)

POSIX says crypt(3) only fails with ENOSYS if it’s not supported
at all, but then it’d fail consistently:

    ERRORS                                                                      
                                 
                                                                                
                                 
     The crypt() function shall fail if:                                        
                                 
   [ENOSYS]                                                                     
                                 
          The functionality is not supported on this implementation.            
                                 

POSIX then goes on to use crypt() just like GNU CVS does:

        if (strcmp(p->pw_passwd, crypt(oldpasswd, p->pw_passwd)) == 0) {        
                                 

Other implementations (like BSD) also strongly suggest that,
unless a different algorithm is selected ($1$, $2a$, etc.)
DES is used, which the above example clearly states is supported,
and overlong salts are just cut off / their trail end ignored.

23:51⎜<dalias> in musl, we return "*" on error

If this is an error at all… on wheezy it was none, and BSD agrees:

tg@blau:~ $ uname -a; ./x                                                       
                                
MirBSD blau.mirbsd.org 10 Kv#10uB2-20130517 GENERIC#1405 i386
tst("foo", "xy7k69x/M/s7g")
 -> 0x23af3720 xy7k69x/M/s7g
 -> (ok)
tst("bar", "xy7k69x/M/s7g")
 -> 0x23af3720 xy5FOaP3Hea0k
 -> (ok)
tst("   ", "%qb?,db=yu'd,0h0%db:3?,c?=,d dZ,?=I:yZZ30 eZy=a%0 d")
 -> 0x23af3720 %q3ge9F/nF3ec
 -> (ok)

Although the output on wheezy differs (it shouldn’t).


Please fix this to at least never return NULL with something
else than an ENOSYS condition (crypt(3) not implemented at all),
because this *will* break unrelated software.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh

Versions of packages libc6 depends on:
ii  libgcc1  1:4.8.1-4

Versions of packages libc6 recommends:
ii  libc6-i686  2.17-6

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.50
ii  glibc-doc              2.17-6
ii  locales-all [locales]  2.17-6

-- debconf information:
* glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
* glibc/restart-services: postfix openbsd-inetd cups cron
* libraries/restart-without-asking: true


-- 
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20130626220647.9086.25208.report...@tglase.lan.tarent.de

Reply via email to