
Index: pwdutils-3.2.14/src/chpasswd.c
===================================================================
--- pwdutils-3.2.14.orig/src/chpasswd.c
+++ pwdutils-3.2.14/src/chpasswd.c
@@ -342,7 +342,7 @@ main (int argc, char *argv[])
 	      /* blowfish has a limit of 72 characters */
 	      if (use_crypt == BLOWFISH && strlen (cp) > 72)
 		cp[72] = '\0';
-	      salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */);
+	      salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */);
 	      if (salt != NULL)
 		pw_data->newpassword = strdup (crypt_r (cp, salt, &output));
 	      else
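Review bot: The result of `crypt_r (cp, salt, &output)` on the line after the changed one is passed straight to `strdup`, and `crypt_r` returns NULL when it does not understand the salt prefix; since `$2y$` is only recognised by a crypt_blowfish that already carries the CVE-2011-2483 fix, running this binary against an older libcrypt would turn a failed hash into a NULL dereference in `strdup` rather than an error. Capture the result first and fail explicitly, e.g. `char *hash = crypt_r (cp, salt, &output); if (hash == NULL) { /* report and exit non-zero */ }` before the `strdup`. Separately, the cost factor is still passed as `0 /* XXX crypt_rounds */`, so the `BLOWFISH_CRYPT_FILES` setting in etc/default/passwd appears not to reach this call — presumably make_crypt_salt substitutes a default, but that cannot be confirmed from the hunk. The enclosing `main` starts and ends outside the hunk.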
Index: pwdutils-3.2.14/src/gpasswd.c
===================================================================
--- pwdutils-3.2.14.orig/src/gpasswd.c
+++ pwdutils-3.2.14/src/gpasswd.c
@@ -432,7 +432,7 @@ main (int argc, char **argv)
 	      /* blowfish has a limit of 72 characters */
 	      if (use_crypt == BLOWFISH && strlen (p1) > 72)
 		p1[72] = '\0';
-              salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */);
+              salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */);
               if (salt != NULL)
                 gr_data->newpassword = strdup (crypt_r (p1, salt, &output));
               else
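Review bot: As in chpasswd.c, `gr_data->newpassword = strdup (crypt_r (p1, salt, &output))` never checks for a NULL return from `crypt_r`, which is exactly what an unpatched libcrypt returns for the new `$2y$` prefix, so a mismatched library yields a crash instead of a diagnostic; check the hash before `strdup` and abort with an error if it is NULL. The `0 /* XXX crypt_rounds */` argument is also carried over unchanged, so the configured Blowfish cost does not appear to be honoured here unless make_crypt_salt fills in a default — that function is not visible in this hunk. The enclosing `main` starts and ends outside the hunk.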
Index: pwdutils-3.2.14/etc/default/passwd
===================================================================
--- pwdutils-3.2.14.orig/etc/default/passwd
+++ pwdutils-3.2.14/etc/default/passwd
@@ -26,3 +26,20 @@ BLOWFISH_CRYPT_FILES=10
 
 # For NIS, we should always use DES:
 CRYPT_YP=des
+ 
+# In June 2011 it was discovered that the Linux crypt_blowfish
+# implementation contained a bug that made passwords with non-ASCII
+# characters easier to crack (CVE-2011-2483). Affected passwords are
+# also incompatible with the original, correct OpenBSD
+# implementation. Therefore the $2a hash identifier previously used
+# for blowfish now is ambiguous as it could mean the hash was
+# generated with the correct implementation on OpenBSD or the buggy
+# one on Linux. To avoid the ambiguity two new identifier were
+# introduced. $2x now explicitly identifies hashes that were
+# generated with the buggy algorithm while $2y is used for hashes
+# generated with the correct algorithm. New passwords are now
+# generated with the $2y identifier.
+#
+# Setting the following option to "yes" tells the sytem that $2a
+# hashes are to be treated as generated with the buggy algorithm.
+BLOWFISH_2a2x=yes
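Review bot: The comment introducing `BLOWFISH_2a2x` does not tell an administrator when "yes" is the wrong choice: with it set, every `$2a$` hash on the system is verified with the buggy algorithm, so `$2a$` hashes imported from a correct implementation (OpenBSD, or a Linux host that was never affected) whose passwords contain non-ASCII characters will stop verifying. I would add a line such as `# Set to "no" if your $2a hashes came from a correct implementation, and once all local $2a hashes have been re-hashed as $2y.` just above the setting. Two typos in the same block: "two new identifier were introduced" should read "two new identifiers were introduced", and "tells the sytem" should read "tells the system". The first added line also carries a stray trailing space.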