- Update from 4.4.23 to 4.4.25 - Update of rootfile not required - Changelog Version 4.4.25 * Add support for Python 3.11 in the configure script. * Stricter checking of invalid salt characters (issue #135). Hashed passphrases are always entirely printable ASCII, and do not contain any whitespace or the characters ':', ';', '*', '!', or ''. (These characters are used as delimiters and special markers in the passwd(5) and shadow(5) files.) Version 4.4.24 * Add hash group for Debian in lib/hashes.conf. Debian has switched to use the yescrypt hashing algorithm as the default for new user passwords, so we should add a group for this distribution. * Overhaul the badsalt test. Test patterns are now mostly generated rather than manually coded into a big table. Not reading past the end of the “setting” part of the string is tested more thoroughly (this would have caught the sunmd5 $$ bug if it had been available at the time). Test logs are tidier. * Add ‘test-programs’ utility target to Makefile. It is sometimes useful to compile all the test programs but not run them. Add a Makefile target that does this. * Fix incorrect bcrypt-related ifdeffage in test/badsalt.c. The four variants of bcrypt are independently configurable, but the badsalt tests for them were all being toggled by INCLUDE_bcrypt, which is only the macro for the $2b$ variant. * Fix bigcrypt-related test cases in test/badsalt.c. The test spec was only correct when both or neither of bigcrypt and descrypt were enabled. * Detect ASan in configure and disable incompatible tests. ASan’s “interceptors” for crypt and crypt_r have a semantic conflict with libxcrypt, requiring a few tests to be disabled for builds with -fsanitize-address. See commentary in test/crypt-badargs.c for an explanation of the conflict, and the commentary in build-aux/zw_detect_asan.m4 for why a configure test is required. * Fix several issues found by Covscan in the testsuite. These include: - CWE-170: String not null terminated (STRING_NULL) - CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST) - CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) - CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH) - CWE-573: Missing varargs init or cleanup (VARARGS) - CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- lfs/libxcrypt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/libxcrypt b/lfs/libxcrypt index 16ebb1dc5..f2fd7f331 100644 --- a/lfs/libxcrypt +++ b/lfs/libxcrypt @@ -24,7 +24,7 @@
include Config
-VER = 4.4.23 +VER = 4.4.25
THISAPP = libxcrypt-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 405116b5cc90b72216afccc54025afbc +$(DL_FILE)_MD5 = 4828b1530f5bf35af0b45b35acc4db1d
install : $(TARGET)
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 24 Aug 2021, at 22:28, Adolf Belka adolf.belka@ipfire.org wrote:
- Update from 4.4.23 to 4.4.25
- Update of rootfile not required
- Changelog Version 4.4.25
Version 4.4.24
- Add support for Python 3.11 in the configure script.
- Stricter checking of invalid salt characters (issue #135). Hashed passphrases are always entirely printable ASCII, and do not contain any whitespace or the characters ':', ';', '*', '!', or ''. (These characters are used as delimiters and special markers in the passwd(5) and shadow(5) files.)
- Add hash group for Debian in lib/hashes.conf. Debian has switched to use the yescrypt hashing algorithm as the default for new user passwords, so we should add a group for this distribution.
- Overhaul the badsalt test. Test patterns are now mostly generated rather than manually coded into a big table. Not reading past the end of the “setting” part of the string is tested more thoroughly (this would have caught the sunmd5 $$ bug if it had been available at the time). Test logs are tidier.
- Add ‘test-programs’ utility target to Makefile. It is sometimes useful to compile all the test programs but not run them. Add a Makefile target that does this.
- Fix incorrect bcrypt-related ifdeffage in test/badsalt.c. The four variants of bcrypt are independently configurable, but the badsalt tests for them were all being toggled by INCLUDE_bcrypt, which is only the macro for the $2b$ variant.
- Fix bigcrypt-related test cases in test/badsalt.c. The test spec was only correct when both or neither of bigcrypt and descrypt were enabled.
- Detect ASan in configure and disable incompatible tests. ASan’s “interceptors” for crypt and crypt_r have a semantic conflict with libxcrypt, requiring a few tests to be disabled for builds with -fsanitize-address. See commentary in test/crypt-badargs.c for an explanation of the conflict, and the commentary in build-aux/zw_detect_asan.m4 for why a configure test is required.
- Fix several issues found by Covscan in the testsuite. These include:
- CWE-170: String not null terminated (STRING_NULL)
- CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST)
- CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
- CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH)
- CWE-573: Missing varargs init or cleanup (VARARGS)
- CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
lfs/libxcrypt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/libxcrypt b/lfs/libxcrypt index 16ebb1dc5..f2fd7f331 100644 --- a/lfs/libxcrypt +++ b/lfs/libxcrypt @@ -24,7 +24,7 @@
include Config
-VER = 4.4.23 +VER = 4.4.25
THISAPP = libxcrypt-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 405116b5cc90b72216afccc54025afbc +$(DL_FILE)_MD5 = 4828b1530f5bf35af0b45b35acc4db1d
install : $(TARGET)
-- 2.33.0
-
Adolf Belka -
Michael Tremer