commit pwdutils for openSUSE:11.3
Hello community, here is the log from the commit of package pwdutils for openSUSE:11.3 checked in at Fri Jul 29 18:06:11 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.3/all/pwdutils/pwdutils.changes 2010-07-01 14:10:29.000000000 +0200 +++ 11.3/pwdutils/pwdutils.changes 2011-07-20 17:22:42.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Jul 20 15:22:01 UTC 2011 - lnussel@suse.de + +- change blowfish id from 2a to 2y (bnc#700876, CVE-2011-2483) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/pwdutils Destination is old-versions/11.3/UPDATES/all/pwdutils calling whatdependson for 11.3-i586 New: ---- pwdutils-3.2.14-CVE-2011-2483.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pwdutils.spec ++++++ --- /var/tmp/diff_new_pack.j9fkPP/_old 2011-07-29 18:05:30.000000000 +0200 +++ /var/tmp/diff_new_pack.j9fkPP/_new 2011-07-29 18:05:30.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package pwdutils (Version 3.2.10) +# spec file for package pwdutils # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,14 +29,16 @@ Group: System/Base AutoReqProv: on Version: 3.2.10 -Release: 1 +Release: 2.<RELEASE2> Summary: Utilities to Manage User and Group Accounts Requires: pam-modules +Requires: libxcrypt-crypt_blowfish >= 1.2 Source: pwdutils-%{version}.tar.bz2 Source2: ldap.conf Source3: useradd.default Source4: baselibs.conf Patch0: %{name}-selinux-useradd.patch +Patch1: pwdutils-3.2.14-CVE-2011-2483.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -77,6 +79,7 @@ %prep %setup -q %patch0 +%patch1 -p1 %build %configure --with-ldap-conf-file=/etc/ldap.conf \ ++++++ pwdutils-3.2.14-CVE-2011-2483.diff ++++++ Index: pwdutils-3.2.10/src/chpasswd.c =================================================================== --- pwdutils-3.2.10.orig/src/chpasswd.c +++ pwdutils-3.2.10/src/chpasswd.c @@ -342,7 +342,7 @@ main (int argc, char *argv[]) /* blowfish has a limit of 72 characters */ if (use_crypt == BLOWFISH && strlen (cp) > 72) cp[72] = '\0'; - salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */); + salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */); if (salt != NULL) pw_data->newpassword = strdup (crypt_r (cp, salt, &output)); else Index: pwdutils-3.2.10/src/gpasswd.c =================================================================== --- pwdutils-3.2.10.orig/src/gpasswd.c +++ pwdutils-3.2.10/src/gpasswd.c @@ -432,7 +432,7 @@ main (int argc, char **argv) /* blowfish has a limit of 72 characters */ if (use_crypt == BLOWFISH && strlen (p1) > 72) p1[72] = '\0'; - salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */); + salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */); if (salt != NULL) gr_data->newpassword = strdup (crypt_r (p1, salt, &output)); else Index: pwdutils-3.2.10/etc/default/passwd =================================================================== --- pwdutils-3.2.10.orig/etc/default/passwd +++ pwdutils-3.2.10/etc/default/passwd 
@@ -26,3 +26,20 @@ BLOWFISH_CRYPT_FILES=10 # For NIS, we should always use DES: CRYPT_YP=des + +# In June 2011 it was discovered that the Linux crypt_blowfish +# implementation contained a bug that made passwords with non-ASCII +# characters easier to crack (CVE-2011-2483). Affected passwords are +# also incompatible with the original, correct OpenBSD +# implementation. Therefore the $2a hash identifier previously used +# for blowfish now is ambiguous as it could mean the hash was +# generated with the correct implementation on OpenBSD or the buggy +# one on Linux. To avoid the ambiguity two new identifier were +# introduced. $2x now explicitly identifies hashes that were +# generated with the buggy algorithm while $2y is used for hashes +# generated with the correct algorithm. New passwords are now +# generated with the $2y identifier. +# +# Setting the following option to "yes" tells the sytem that $2a +# hashes are to be treated as generated with the buggy algorithm. +BLOWFISH_2a2x=yes ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
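Review bot: the new patch file in the spec hunk is named `pwdutils-3.2.14-CVE-2011-2483.diff`, but the spec still says `Version: 3.2.10` and the diff's own `Index:` lines reference `pwdutils-3.2.10/`, so the name suggests a source version this package does not build; rename it to match 3.2.10, or state in the changes entry that it is a backport of the 3.2.14 fix. The added `Requires: libxcrypt-crypt_blowfish >= 1.2` is what makes the new `$2y$` prefix usable at runtime and deserves a line in the changes entry as well, since the entry only mentions the id change.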
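Review bot: in the chpasswd.c hunk the prefix switch from `"$2a$"` to `"$2y$"` is the right fix, but the call still passes `0 /* XXX crypt_rounds */`, so the cost from `BLOWFISH_CRYPT_FILES=10` in etc/default/passwd (visible as context in the last hunk) is not honoured here; since this line is being touched anyway, either plumb the configured rounds through or replace the XXX marker with a comment saying the default cost is intentional.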
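Review bot: the gpasswd.c hunk repeats the same literal `"$2y$"` that chpasswd.c now carries; with the identifier hard-coded in two places the next change of prefix (or a `$2a$` left behind in one tool) goes unnoticed, so define it once, e.g. `#define BLOWFISH_PREFIX "$2y$"` in a shared header, and use it from both `make_crypt_salt` call sites.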
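Review bot: the etc/default/passwd hunk adds `BLOWFISH_2a2x=yes`, but no other hunk in this diff reads that key, so it should be stated in the comment which component (the PAM stack or libxcrypt) consumes it, otherwise an administrator has no way to tell whether the setting has effect. The comment also needs to say that `yes` is only correct when every existing `$2a$` hash was produced by the Linux crypt_blowfish; `$2a$` hashes imported from OpenBSD or another correct implementation would be checked with the buggy algorithm and stop matching. Two typos in user-facing text: "two new identifier" should be "two new identifiers" and "sytem" should be "system".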