CVE-2016-6318

Priority
Description
Stack-based buffer overflow in the FascistGecosUser function in
lib/fascist.c in cracklib allows local users to cause a denial of service
(application crash) or gain privileges via a long GECOS field that is copied
into the fixed-size longbuffer stack array without a length check.
Notes
 tyhicks> Ubuntu's chfn limits the total GECOS field length to 84 characters,
  which is well within cracklib2's buffer size of 2048.
 tyhicks> libpam-cracklib is not part of the default install, so PAM cracklib
  support is not enabled in the majority of Ubuntu installs.
 tyhicks> Ubuntu's /etc/login.defs only allows unprivileged users to set their
  room number, work phone, and home phone.
Package
Upstream:needed
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 LTS (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (2.9.2-3)
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (2.9.2-3)
Ubuntu 19.04 (Disco Dingo):not-affected (2.9.2-3)
Patches:
Upstream:https://bugzilla.redhat.com/attachment.cgi?id=1188599
More Information

Updated: 2019-01-14 21:19:46 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)