CVE-2016-6318

Priority
Description
Stack-based buffer overflow in the FascistGecosUser function in
lib/fascist.c in cracklib allows local users to cause a denial of service
(application crash) or gain privileges via a long GECOS field, involving
longbuffer.
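The defect class described above is an unbounded copy of a user-controlled GECOS field into a fixed-size stack buffer. The following C is an added illustration written for this page, not cracklib's code and not the upstream patch linked below: it shows the defensive shape such code should have, where the copy is bounded by the destination size and an over-long field is rejected instead of overrunning the buffer. The buffer length `GECOS_BUF_LEN` is taken from the 2048 figure in the notes; the function names, the sample GECOS string and the over-long input are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed buffer referred to in the notes (2048). Hypothetical
 * constant for this illustration, not a cracklib identifier. */
#define GECOS_BUF_LEN 2048

/* Copy a GECOS string into a fixed-size buffer, refusing input that does
 * not fit instead of writing past the end. Returns 0 on success and -1 if
 * the field plus its terminator would not fit in dstlen bytes. */
int gecos_copy_bounded(char *dst, size_t dstlen, const char *gecos)
{
    size_t n;
    if (dstlen == 0)
        return -1;
    n = strnlen(gecos, dstlen);          /* never scans beyond dstlen bytes */
    if (n >= dstlen) {                   /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, gecos, n + 1);
    return 0;
}

/* Extract the first comma-separated GECOS subfield (the full name) into
 * out, bounded by outlen. Returns the number of bytes written, or -1 if the
 * subfield would not fit. */
int gecos_fullname(const char *gecos, char *out, size_t outlen)
{
    const char *comma = strchr(gecos, ',');
    size_t n = comma ? (size_t)(comma - gecos) : strlen(gecos);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, gecos, n);
    out[n] = '\0';
    return (int)n;
}

/* Exercise gecos_copy_bounded: returns 1 if copying gecos into a buffer of
 * dstlen bytes succeeds and the content round-trips exactly, else 0. */
int copy_roundtrips(const char *gecos, size_t dstlen)
{
    char buf[64];
    if (dstlen > sizeof buf)
        return 0;
    if (gecos_copy_bounded(buf, dstlen, gecos) != 0)
        return 0;
    return strcmp(buf, gecos) == 0;
}

/* Feed a constructed GECOS field longer than the buffer through the bounded
 * copy. Returns 1 if it was rejected rather than copied. */
int demo_overlong_rejected(void)
{
    char buf[GECOS_BUF_LEN];
    char huge[GECOS_BUF_LEN + 100];      /* constructed input, longer than buf */
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    return gecos_copy_bounded(buf, sizeof buf, huge) == -1;
}

int main(void)
{
    char name[64];
    /* constructed sample GECOS field: name,room,work phone,home phone */
    const char *gecos = "Alice Example,Room 101,555-0100,555-0199";
    if (gecos_fullname(gecos, name, sizeof name) > 0)
        printf("full name: %s\n", name);
    printf("over-long field rejected: %s\n",
           demo_overlong_rejected() ? "yes" : "no");
    return 0;
}
```

The point of `strnlen` with the destination size as its limit is that the length scan itself is bounded, so a field without a terminator within the buffer cannot cause an over-read before the copy is even attempted.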
Notes
tyhicks> Ubuntu's chfn limits the total GECOS field length to 84 characters,
which is well within cracklib2's buffer size of 2048.
libpam-cracklib is not part of the default install, so PAM cracklib
support is not enabled in the majority of Ubuntu installs.
Ubuntu's /etc/login.defs only allows unprivileged users to set their
room number, work phone, and home phone.
Package
Upstream: needed
Ubuntu 18.04 LTS: not-affected (2.9.2-3)
Ubuntu 20.04 LTS: not-affected (2.9.2-3)
Ubuntu 21.10: not-affected (2.9.2-3)
Ubuntu 16.04 ESM: needed
Ubuntu 22.04 LTS: not-affected (2.9.2-3)
Ubuntu 14.04 ESM: needed
Patches:
Upstream: https://bugzilla.redhat.com/attachment.cgi?id=1188599
More Information

Updated: 2022-04-25 00:17:45 UTC (commit ecc1009cb19540b950de59270950018900f37f15)