Name | CVE-2016-6318 |
Description | Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-2220-1, DLA-599-1 |
Debian Bugs | 834502 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
cracklib2 (PTS) | bullseye | 2.9.6-3.4 | fixed |
| bookworm | 2.9.6-5 | fixed |
| trixie | 2.9.6-5.1 | fixed |
| sid | 2.9.6-5.2 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://bugzilla.redhat.com/attachment.cgi?id=1188599
In Debian compiled with CPPFLAGS="-D_FORTIFY_SOURCE=2" so, at most application crash