Fix CVE-2016-6318. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 Patch copied from Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6318 https://bugzilla.redhat.com/attachment.cgi?id=1188599&action=diff It is not safe to pass words longer than STRINGSIZE further to cracklib so the longbuffer cannot be longer than STRINGSIZE. diff -up cracklib-2.9.0/lib/fascist.c.longgecos cracklib-2.9.0/lib/fascist.c --- cracklib-2.9.0/lib/fascist.c.longgecos 2014-02-06 16:03:59.000000000 +0100 +++ cracklib-2.9.0/lib/fascist.c 2016-08-08 12:05:40.279235815 +0200 @@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c char gbuffer[STRINGSIZE]; char tbuffer[STRINGSIZE]; char *uwords[STRINGSIZE]; - char longbuffer[STRINGSIZE * 2]; + char longbuffer[STRINGSIZE]; if (gecos == NULL) gecos = ""; @@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c { for (i = 0; i < j; i++) { - strcpy(longbuffer, uwords[i]); - strcat(longbuffer, uwords[j]); - - if (GTry(longbuffer, password)) + if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) { - return _("it is derived from your password entry"); - } - - strcpy(longbuffer, uwords[j]); - strcat(longbuffer, uwords[i]); + strcpy(longbuffer, uwords[i]); + strcat(longbuffer, uwords[j]); - if (GTry(longbuffer, password)) - { - return _("it's derived from your password entry"); + if (GTry(longbuffer, password)) + { + return _("it is derived from your password entry"); + } + + strcpy(longbuffer, uwords[j]); + strcat(longbuffer, uwords[i]); + + if (GTry(longbuffer, password)) + { + return _("it's derived from your password entry"); + } } - longbuffer[0] = uwords[i][0]; - longbuffer[1] = '\0'; - strcat(longbuffer, uwords[j]); - - if (GTry(longbuffer, password)) + if (strlen(uwords[j]) < STRINGSIZE - 1) { - return _("it is derivable from your password entry"); + longbuffer[0] = uwords[i][0]; + longbuffer[1] = '\0'; + strcat(longbuffer, uwords[j]); + + if (GTry(longbuffer, password)) + { + return _("it is derivable from your password entry"); + } } - longbuffer[0] = uwords[j][0]; - longbuffer[1] = '\0'; - strcat(longbuffer, uwords[i]); - - if (GTry(longbuffer, password)) + if (strlen(uwords[i]) < STRINGSIZE - 1) { - return _("it's derivable from your password entry"); + longbuffer[0] = uwords[j][0]; + longbuffer[1] = '\0'; + strcat(longbuffer, uwords[i]); + + if (GTry(longbuffer, password)) + { + return _("it's derivable from your password entry"); + } } } }