* [Buildroot] [PATCH v3 1/2] cracklib: New package
@ 2017-04-19  7:56 Stefan Sørensen
  2017-04-19  7:56 ` [Buildroot] [PATCH v3 2/2] libpwquality: " Stefan Sørensen
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Stefan Sørensen @ 2017-04-19  7:56 UTC
  To: buildroot

Changes since v2:
 * Add two upstream bugfixes
 * Add patch to force grep to treat the words file as text
 * Add $(HOST_MAKE_ENV) when building the dict

Changes since v1:
 * Update DEVELOPERS file
 * Use SPDX license codes
 * Use the tools from host-cracklib for generating dictionary files

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 DEVELOPERS                                         |   1 +
 package/Config.in                                  |   1 +
 .../0001-Apply-patch-to-fix-CVE-2016-6318.patch    | 114 +++++++++++++++++++++
 ...x-a-buffer-overflow-processing-long-words.patch |  49 +++++++++
 ...to-treat-the-input-as-text-when-formattin.patch |  30 ++++++
 package/cracklib/Config.in                         |  28 +++++
 package/cracklib/cracklib.hash                     |   3 +
 package/cracklib/cracklib.mk                       |  36 +++++++
 8 files changed, 262 insertions(+)
 create mode 100644 package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
 create mode 100644 package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
 create mode 100644 package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
 create mode 100644 package/cracklib/Config.in
 create mode 100644 package/cracklib/cracklib.hash
 create mode 100644 package/cracklib/cracklib.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 123a8f9..4139a19 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1483,6 +1483,7 @@ F:	package/proxychains-ng/
 F:	package/yasm/
 
 N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
+F:	package/cracklib/
 F:	package/libscrypt/
 
 N:	Stephan Hoffmann <sho@relinux.de>
diff --git a/package/Config.in b/package/Config.in
index 4eaa95b..cf0d78d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1343,6 +1343,7 @@ menu "Other"
 	source "package/clapack/Config.in"
 	source "package/classpath/Config.in"
 	source "package/cppcms/Config.in"
+	source "package/cracklib/Config.in"
 	source "package/dawgdic/Config.in"
 	source "package/ding-libs/Config.in"
 	source "package/eigen/Config.in"
diff --git a/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch b/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
new file mode 100644
index 0000000..56b60b1
--- /dev/null
+++ b/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
@@ -0,0 +1,114 @@
+From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:13:49 +0200
+Subject: [PATCH] Apply patch to fix CVE-2016-6318
+
+This patch fixes an issue with a stack-based buffer overflow whne
+parsing large GECOS field. See
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
+https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
+information.
+---
+
+Status: upstream, not yet released.
+
+ NEWS          |  1 +
+ lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 34 insertions(+), 24 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 26abeee..361a207 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,4 @@
++v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+        migration to github
+        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)
+diff --git a/lib/fascist.c b/lib/fascist.c
+index a996509..d4deb15 100644
+--- a/lib/fascist.c
++++ b/lib/fascist.c
+@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+     char gbuffer[STRINGSIZE];
+     char tbuffer[STRINGSIZE];
+     char *uwords[STRINGSIZE];
+-    char longbuffer[STRINGSIZE * 2];
++    char longbuffer[STRINGSIZE];
+ 
+     if (gecos == NULL)
+ 	gecos = "";
+@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
+     {
+ 	for (i = 0; i < j; i++)
+ 	{
+-	    strcpy(longbuffer, uwords[i]);
+-	    strcat(longbuffer, uwords[j]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
+ 	    {
+-		return _("it is derived from your password entry");
+-	    }
++		strcpy(longbuffer, uwords[i]);
++		strcat(longbuffer, uwords[j]);
+ 
+-	    strcpy(longbuffer, uwords[j]);
+-	    strcat(longbuffer, uwords[i]);
++		if (GTry(longbuffer, password))
++		{
++		    return _("it is derived from your password entry");
++		}
+ 
+-	    if (GTry(longbuffer, password))
+-	    {
+-		return _("it's derived from your password entry");
+-	    }
++		strcpy(longbuffer, uwords[j]);
++		strcat(longbuffer, uwords[i]);
+ 
+-	    longbuffer[0] = uwords[i][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[j]);
++		if (GTry(longbuffer, password))
++		{
++		   return _("it's derived from your password entry");
++		}
++	    }
+ 
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[j]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it is derivable from your password entry");
++		longbuffer[0] = uwords[i][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[j]);
++
++		if (GTry(longbuffer, password))
++		{
++		    return _("it is derivable from your password entry");
++		}
+ 	    }
+ 
+-	    longbuffer[0] = uwords[j][0];
+-	    longbuffer[1] = '\0';
+-	    strcat(longbuffer, uwords[i]);
+-
+-	    if (GTry(longbuffer, password))
++	    if (strlen(uwords[i]) < STRINGSIZE - 1)
+ 	    {
+-		return _("it's derivable from your password entry");
++		longbuffer[0] = uwords[j][0];
++		longbuffer[1] = '\0';
++		strcat(longbuffer, uwords[i]);
++
++		if (GTry(longbuffer, password))
++		{
++		    return _("it's derivable from your password entry");
++		}
+ 	    }
+ 	}
+     }
+-- 
+2.9.3
+
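Review bot: in the lib/fascist.c hunk, longbuffer shrinks from STRINGSIZE * 2 to STRINGSIZE, so every strcpy/strcat pair now depends on the strlen() guard in front of it, and word pairs that fail a guard are skipped without any diagnostic. The arithmetic holds (a combined length < STRINGSIZE leaves room for the NUL, and strlen(...) < STRINGSIZE - 1 leaves room for the initial plus the NUL), but the patch description should say that over-long GECOS word combinations are deliberately left untested. At the Buildroot level, the embedded patch header has no Signed-off-by from the submitter above the "---", and the NEWS hunk is not needed for the build and can be dropped.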
diff --git a/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch b/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
new file mode 100644
index 0000000..93cd4a8
--- /dev/null
+++ b/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
@@ -0,0 +1,49 @@
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+
+Status: upstream, not yet released.
+
+ NEWS        | 1 +
+ lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 361a207..f1df3b0 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,4 +1,5 @@
+ v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
++       fix a buffer overflow processing long words
+ v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
+        migration to github
+        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)
+diff --git a/lib/rules.c b/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/lib/rules.c
++++ b/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a pointer to a controlled Mangle */
+ {
+     int limit;
+     register char *ptr;
+-    static char area[STRINGSIZE];
+-    char area2[STRINGSIZE];
+-    area[0] = '\0';
++    static char area[STRINGSIZE * 2] = {0};
++    char area2[STRINGSIZE * 2] = {0};
+     strcpy(area, input);
+ 
+     for (ptr = control; *ptr; ptr++)
+-- 
+2.9.3
+
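Review bot: in the lib/rules.c hunk, "strcpy(area, input);" is still unbounded after this change; doubling area and area2 to STRINGSIZE * 2 only moves the limit, so Mangle() is safe only if every caller guarantees strlen(input) < STRINGSIZE * 2. An explicit length check on input before the copy would make the bound local to the function instead of a property of its callers. Note also that the "= {0}" initializer on the static area takes effect once, whereas the removed "area[0] = '\0';" ran on every call; that is harmless here only because the strcpy follows immediately.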
diff --git a/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch b/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
new file mode 100644
index 0000000..b05a69c
--- /dev/null
+++ b/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
@@ -0,0 +1,30 @@
+From d27062fe7a520d5791f7a56d175a5cb6a39bae61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
+Date: Tue, 18 Apr 2017 12:00:39 +0200
+Subject: [PATCH] Force grep to treat the input as text when formatting word
+ files.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
+---
+ util/cracklib-format | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/cracklib-format b/util/cracklib-format
+index 1d7be5b..b1de8e8 100644
+--- a/util/cracklib-format
++++ b/util/cracklib-format
+@@ -4,7 +4,7 @@
+ # into cracklib-packer
+ #
+ gzip -cdf "$@" |
+-    grep -v '^\(#\|$\)' |
++    grep -a -v '^\(#\|$\)' |
+     tr '[A-Z]' '[a-z]' |
+     tr -cd '\012[a-z][0-9]' |
+     env LC_ALL=C sort -u
+-- 
+2.9.3
+
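Review bot: the commit message of this embedded patch has a subject and a Signed-off-by but no body, so it does not say what in the word list makes grep classify the input as binary or what the symptom was without "-a"; please add that. Unlike 0001 and 0002, it also carries no "Status:" line, so it is unclear whether the change has been sent upstream. Keep in mind that "-a" is not a POSIX grep option, so util/cracklib-format now depends on the build host's grep implementing it.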
diff --git a/package/cracklib/Config.in b/package/cracklib/Config.in
new file mode 100644
index 0000000..4a0f43f
--- /dev/null
+++ b/package/cracklib/Config.in
@@ -0,0 +1,28 @@
+config BR2_PACKAGE_CRACKLIB
+	bool "cracklib"
+	help
+	  CrackLib tests passwords to determine whether they match
+	  certain security-oriented characteristics, with the purpose
+	  of stopping users from choosing passwords that are easy to
+	  guess. CrackLib performs several tests on passwords: it
+	  tries to generate words from a username and gecos entry and
+	  checks those words against the password; it checks for
+	  simplistic patterns in passwords; and it checks for the
+	  password in a dictionary.
+
+	  https://github.com/cracklib/cracklib
+
+if BR2_PACKAGE_CRACKLIB
+
+config BR2_PACKAGE_CRACKLIB_TOOLS
+	bool "install tools"
+	help
+	  Install cracklib command line tools for creating dicts.
+
+config BR2_PACKAGE_CRACKLIB_FULL_DICT
+	bool "full dict"
+	help
+	  Install the full cracklib dict (requires about 8Mb extra
+	  target space).
+
+endif
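Review bot: in the BR2_PACKAGE_CRACKLIB_FULL_DICT help text, "8Mb" reads as megabits; write "8 MB". The BR2_PACKAGE_CRACKLIB_TOOLS help could also name what is installed, since cracklib.mk removes everything matching /usr/sbin/*cracklib* when the option is off.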
diff --git a/package/cracklib/cracklib.hash b/package/cracklib/cracklib.hash
new file mode 100644
index 0000000..3038a47
--- /dev/null
+++ b/package/cracklib/cracklib.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256	17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343	cracklib-2.9.6.tar.gz
+sha256	27973245225eeb9d0090e97f3dea4197dec99b64d9d3a791a60298f3b021824c	cracklib-words-2.9.6.gz
diff --git a/package/cracklib/cracklib.mk b/package/cracklib/cracklib.mk
new file mode 100644
index 0000000..0a1373a
--- /dev/null
+++ b/package/cracklib/cracklib.mk
@@ -0,0 +1,36 @@
+################################################################################
+#
+# cracklib
+#
+################################################################################
+
+CRACKLIB_VERSION = 2.9.6
+CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/cracklib-$(CRACKLIB_VERSION)
+CRACKLIB_LICENSE = LGPL-2.1
+CRACKLIB_LICENSE_FILES = COPYING.LIB
+CRACKLIB_INSTALL_STAGING = YES
+CRACKLIB_DEPENDENCIES = host-cracklib
+
+ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
+CRACKLIB_EXTRA_DOWNLOADS = cracklib-words-$(CRACKLIB_VERSION).gz
+CRACKLIB_DICT_SOURCE = $(DL_DIR)/cracklib-words-$(CRACKLIB_VERSION).gz
+else
+CRACKLIB_DICT_SOURCE = $(@D)/dicts/cracklib-small
+endif
+
+ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
+define CRACKLIB_REMOVE_TOOLS
+	rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
+endef
+CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_REMOVE_TOOLS
+endif
+
+define CRACKLIB_BUILD_DICT
+	$(HOST_MAKE_ENV) cracklib-format $(CRACKLIB_DICT_SOURCE) | \
+		$(HOST_MAKE_ENV) cracklib-packer $(TARGET_DIR)/usr/share/cracklib/pw_dict
+	rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small
+endef
+CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_BUILD_DICT
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
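Review bot: in CRACKLIB_BUILD_DICT, cracklib-format is piped into cracklib-packer, and the shell reports only the exit status of the last command of a pipeline, so a failing cracklib-format (missing download, gzip error) still lets the hook succeed and leaves a truncated or empty pw_dict on the target. For a password checker that is a silent loss of the dictionary test; write the formatted list to a file under $(@D) first and pack it in a second command, so that either failure stops the build. Also, "rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small" has no -f, so the hook fails whenever that file is not there, and the two tools are found only through the PATH set by $(HOST_MAKE_ENV); calling them by their full path under $(HOST_DIR) would make it explicit that the host-cracklib builds are the ones used.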
-- 
2.9.3


* [Buildroot] [PATCH v3 2/2] libpwquality: New package
  2017-04-19  7:56 [Buildroot] [PATCH v3 1/2] cracklib: New package Stefan Sørensen
@ 2017-04-19  7:56 ` Stefan Sørensen
  2017-04-30 13:51   ` Romain Naour
  2017-04-19 16:08 ` [Buildroot] [PATCH v3 1/2] cracklib: " Danomi Manchego
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 9+ messages in thread
From: Stefan Sørensen @ 2017-04-19  7:56 UTC
  To: buildroot

No changes since v2

Changes since v1:
 * Update DEVELOPERS file
 * Use SPDX license codes
 * Use new github site
 * Remove unneeded autoreconf
 * Fix building when python is enabled

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 ...ith-disable-nls-on-platforms-without-libi.patch | 47 ++++++++++++++++++++++
 ...leak-in-settings-when-using-bad-word-list.patch | 26 ++++++++++++
 package/libpwquality/Config.in                     | 19 +++++++++
 package/libpwquality/libpwquality.hash             |  2 +
 package/libpwquality/libpwquality.mk               | 32 +++++++++++++++
 7 files changed, 128 insertions(+)
 create mode 100644 package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch
 create mode 100644 package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch
 create mode 100644 package/libpwquality/Config.in
 create mode 100644 package/libpwquality/libpwquality.hash
 create mode 100644 package/libpwquality/libpwquality.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 4139a19..977ebfe 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1484,6 +1484,7 @@ F:	package/yasm/
 
 N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
 F:	package/cracklib/
+F:	package/libpwquality/
 F:	package/libscrypt/
 
 N:	Stephan Hoffmann <sho@relinux.de>
diff --git a/package/Config.in b/package/Config.in
index cf0d78d..3955a04 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1386,6 +1386,7 @@ menu "Other"
 	source "package/libplist/Config.in"
 	source "package/libpthread-stubs/Config.in"
 	source "package/libpthsem/Config.in"
+	source "package/libpwquality/Config.in"
 	source "package/libseccomp/Config.in"
 	source "package/libsigc/Config.in"
 	source "package/libsigsegv/Config.in"
diff --git a/package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch b/package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch
new file mode 100644
index 0000000..3bae15c
--- /dev/null
+++ b/package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch
@@ -0,0 +1,47 @@
+From fd1694c9d85666a39fe39e76518581b1ccd5a6c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
+Date: Thu, 2 Feb 2017 11:16:49 +0100
+Subject: [PATCH] Fix build with --disable-nls on platforms without libintl
+ included in libc.
+
+Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
+
+---
+
+Status: accepted upstream, not yet released.
+
+diff --git a/src/pwmake.c b/src/pwmake.c
+index 5b8cfb8..81f7cd3 100644
+--- a/src/pwmake.c
++++ b/src/pwmake.c
+@@ -33,9 +33,11 @@ main(int argc, char *argv[])
+         int bits;
+         void *auxerror;
+ 
++#ifdef ENABLE_NLS
+         setlocale(LC_ALL, "");
+         bindtextdomain("libpwquality", "/usr/share/locale");
+         textdomain("libpwquality");
++#endif
+ 
+         if (argc != 2) {
+                 usage(basename(argv[0]));
+diff --git a/src/pwscore.c b/src/pwscore.c
+index 219a175..24c13f2 100644
+--- a/src/pwscore.c
++++ b/src/pwscore.c
+@@ -34,9 +34,11 @@ main(int argc, char *argv[])
+         size_t len;
+         char *user = NULL;
+ 
++#ifdef ENABLE_NLS
+         setlocale(LC_ALL, "");
+         bindtextdomain("libpwquality", "/usr/share/locale");
+         textdomain("libpwquality");
++#endif
+ 
+         if (argc > 2) {
+                 usage(basename(argv[0]));
+-- 
+2.9.3
+
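Review bot: in both src/pwmake.c and src/pwscore.c the new #ifdef ENABLE_NLS also encloses "setlocale(LC_ALL, "");", which is declared in <locale.h> and does not need libintl; only bindtextdomain() and textdomain() do. Guarding it changes the behaviour of --disable-nls builds beyond the link fix, because the tools then never leave the "C" locale. Either move the #ifdef below the setlocale() call or state in the commit message that this is intended.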
diff --git a/package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch b/package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch
new file mode 100644
index 0000000..1b4f242
--- /dev/null
+++ b/package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch
@@ -0,0 +1,26 @@
+From b1f2f1f71894fa0af92041fb4d5b6146101d63e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
+Date: Thu, 2 Feb 2017 11:17:26 +0100
+Subject: [PATCH] Fix memory leak in settings when using bad word list.
+
+Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
+
+---
+
+Status: accepted upstream, not yet released.
+
+diff --git a/src/settings.c b/src/settings.c
+index 5c38b30..4b026b1 100644
+--- a/src/settings.c
++++ b/src/settings.c
+@@ -46,6 +46,7 @@ pwquality_free_settings(pwquality_settings_t *pwq)
+ {
+         if (pwq) {
+                 free(pwq->dict_path);
++                free(pwq->bad_words);
+                 free(pwq);
+         }
+ }
+-- 
+2.9.3
+
diff --git a/package/libpwquality/Config.in b/package/libpwquality/Config.in
new file mode 100644
index 0000000..4e85525
--- /dev/null
+++ b/package/libpwquality/Config.in
@@ -0,0 +1,19 @@
+config BR2_PACKAGE_LIBPWQUALITY
+	bool "libpwquality"
+	help
+	  This is a library for password quality checks and generation
+	  of random passwords that pass the checks.  This library uses
+	  the cracklib and cracklib dictionaries to perform some of
+	  the checks.
+
+	  https://github.com/libpwquality/libpwquality
+
+if BR2_PACKAGE_LIBPWQUALITY
+
+config BR2_PACKAGE_LIBPWQUALITY_TOOLS
+	bool "install tools"
+	help
+	  Install libpwquality command line tools generating/checking
+	  passwords.
+
+endif
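Review bot: BR2_PACKAGE_LIBPWQUALITY has no "select BR2_PACKAGE_CRACKLIB", while libpwquality.mk lists cracklib in LIBPWQUALITY_DEPENDENCIES, so the .mk dependency and the Kconfig state can disagree and the cracklib sub-options are never offered to the user who enables only this package. Add the select directly under the bool line. In the BR2_PACKAGE_LIBPWQUALITY_TOOLS help, "command line tools generating/checking passwords" is missing a "for".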
diff --git a/package/libpwquality/libpwquality.hash b/package/libpwquality/libpwquality.hash
new file mode 100644
index 0000000..0e3f9e3
--- /dev/null
+++ b/package/libpwquality/libpwquality.hash
@@ -0,0 +1,2 @@
+# Locally calculated
+sha256	74d2ea90e103323c1f2d6a6cc9617cdae6877573eddb31aaf31a40f354cc2d2a	libpwquality-1.3.0.tar.bz2
diff --git a/package/libpwquality/libpwquality.mk b/package/libpwquality/libpwquality.mk
new file mode 100644
index 0000000..4236ebd
--- /dev/null
+++ b/package/libpwquality/libpwquality.mk
@@ -0,0 +1,32 @@
+################################################################################
+#
+# libpwquality
+#
+################################################################################
+
+LIBPWQUALITY_VERSION = 1.3.0
+LIBPWQUALITY_SOURCE = libpwquality-$(LIBPWQUALITY_VERSION).tar.bz2
+LIBPWQUALITY_SITE = $(call github,libpwquality,libpwquality,$(LIBPWQUALITY_VERSION))
+LIBPWQUALITY_LICENSE = BSD-3-Clause or GPL-2.0+
+LIBPWQUALITY_INSTALL_STAGING = YES
+LIBPWQUALITY_DEPENDENCIES = cracklib
+LIBPWQUALITY_LICENSE_FILES = COPYING
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+LIBPWQUALITY_CONF_OPTS += --enable-python-bindings
+LIBPWQUALITY_DEPENDENCIES += python
+LIBPWQUALITY_MAKE_ENV += $(PKG_PYTHON_DISTUTILS_ENV)
+else
+LIBPWQUALITY_CONF_OPTS += --disable-python-bindings
+endif
+
+ifeq ($(BR2_PACKAGE_LIBPWQUALITY_TOOLS),)
+define LIBPWQUALITY_REMOVE_TOOLS
+	rm -f $(TARGET_DIR)/usr/bin/pwmake
+	rm -f $(TARGET_DIR)/usr/bin/pwscore
+endef
+
+LIBPWQUALITY_POST_INSTALL_TARGET_HOOKS += LIBPWQUALITY_REMOVE_TOOLS
+endif
+
+$(eval $(autotools-package))
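Review bot: the python block tests only BR2_PACKAGE_PYTHON, so a configuration with BR2_PACKAGE_PYTHON3 falls into the else branch and gets --disable-python-bindings; handle both interpreters or add a comment saying why the bindings are limited to Python 2. Separately, LIBPWQUALITY_SITE uses the github helper together with a LIBPWQUALITY_SOURCE ending in .tar.bz2, whereas cracklib.mk in patch 1/2 fetches a release download; please confirm that this URL serves a tarball containing a generated configure script, since the file does not set LIBPWQUALITY_AUTORECONF.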
-- 
2.9.3


* [Buildroot] [PATCH v3 1/2] cracklib: New package
  2017-04-19  7:56 [Buildroot] [PATCH v3 1/2] cracklib: New package Stefan Sørensen
  2017-04-19  7:56 ` [Buildroot] [PATCH v3 2/2] libpwquality: " Stefan Sørensen
@ 2017-04-19 16:08 ` Danomi Manchego
  2017-04-30 13:36 ` Romain Naour
  2017-05-04 21:19 ` Thomas Petazzoni
  3 siblings, 0 replies; 9+ messages in thread
From: Danomi Manchego @ 2017-04-19 16:08 UTC
  To: buildroot

Stefan,

On Wed, Apr 19, 2017 at 3:56 AM, Stefan Sørensen
<stefan.sorensen@spectralink.com> wrote:
...snip...
> @@ -0,0 +1,36 @@
> +################################################################################
> +#
> +# cracklib
> +#
> +################################################################################
> +
> +CRACKLIB_VERSION = 2.9.6
> +CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/cracklib-$(CRACKLIB_VERSION)
> +CRACKLIB_LICENSE = LGPL-2.1
> +CRACKLIB_LICENSE_FILES = COPYING.LIB
> +CRACKLIB_INSTALL_STAGING = YES
> +CRACKLIB_DEPENDENCIES = host-cracklib

It looks like cracklib's configure is checking for zlib.h.  To make
the build reproducible, maybe you should add:

ifeq ($(BR2_PACKAGE_ZLIB),y)
CRACKLIB_CONF_OPTS += --with-zlib
CRACKLIB_DEPENDENCIES += zlib
else
CRACKLIB_CONF_OPTS += --without-zlib
endif

HOST_CRACKLIB_CONF_OPTS += --without-zlib

Regards,
Danomi -


> +
> +ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
> +CRACKLIB_EXTRA_DOWNLOADS = cracklib-words-$(CRACKLIB_VERSION).gz
> +CRACKLIB_DICT_SOURCE = $(DL_DIR)/cracklib-words-$(CRACKLIB_VERSION).gz
> +else
> +CRACKLIB_DICT_SOURCE = $(@D)/dicts/cracklib-small
> +endif
> +
> +ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
> +define CRACKLIB_REMOVE_TOOLS
> +       rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
> +endef
> +CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_REMOVE_TOOLS
> +endif
> +
> +define CRACKLIB_BUILD_DICT
> +       $(HOST_MAKE_ENV) cracklib-format $(CRACKLIB_DICT_SOURCE) | \
> +               $(HOST_MAKE_ENV) cracklib-packer $(TARGET_DIR)/usr/share/cracklib/pw_dict
> +       rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small
> +endef
> +CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_BUILD_DICT
> +
> +$(eval $(autotools-package))
> +$(eval $(host-autotools-package))
> --
> 2.9.3
>

* [Buildroot] [PATCH v3 1/2] cracklib: New package
  2017-04-19  7:56 [Buildroot] [PATCH v3 1/2] cracklib: New package Stefan Sørensen
  2017-04-19  7:56 ` [Buildroot] [PATCH v3 2/2] libpwquality: " Stefan Sørensen
  2017-04-19 16:08 ` [Buildroot] [PATCH v3 1/2] cracklib: " Danomi Manchego
@ 2017-04-30 13:36 ` Romain Naour
  2017-05-04  7:10   ` Sørensen, Stefan
  2017-05-04 21:19 ` Thomas Petazzoni
  3 siblings, 1 reply; 9+ messages in thread
From: Romain Naour @ 2017-04-30 13:36 UTC
  To: buildroot

Hi Stefan,

On 19/04/2017 at 09:56, Stefan Sørensen wrote:
> Changes since v2:
>  * Add two upstream bugfixes
>  * Add patch to force grep to treat the words file as text
>  * Add $(HOST_MAKE_ENV) when building the dict
> 
> Changes since v1:
>  * Update DEVELOPERS file
>  * Use SPDX license codes
>  * Use the tools from host-cracklib for generating dictionary files
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
>  DEVELOPERS                                         |   1 +
>  package/Config.in                                  |   1 +
>  .../0001-Apply-patch-to-fix-CVE-2016-6318.patch    | 114 +++++++++++++++++++++
>  ...x-a-buffer-overflow-processing-long-words.patch |  49 +++++++++
>  ...to-treat-the-input-as-text-when-formattin.patch |  30 ++++++
>  package/cracklib/Config.in                         |  28 +++++
>  package/cracklib/cracklib.hash                     |   3 +
>  package/cracklib/cracklib.mk                       |  36 +++++++
>  8 files changed, 262 insertions(+)
>  create mode 100644 package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
>  create mode 100644 package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
>  create mode 100644 package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
>  create mode 100644 package/cracklib/Config.in
>  create mode 100644 package/cracklib/cracklib.hash
>  create mode 100644 package/cracklib/cracklib.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 123a8f9..4139a19 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1483,6 +1483,7 @@ F:	package/proxychains-ng/
>  F:	package/yasm/
>  
>  N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
> +F:	package/cracklib/
>  F:	package/libscrypt/
>  
>  N:	Stephan Hoffmann <sho@relinux.de>
> diff --git a/package/Config.in b/package/Config.in
> index 4eaa95b..cf0d78d 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1343,6 +1343,7 @@ menu "Other"
>  	source "package/clapack/Config.in"
>  	source "package/classpath/Config.in"
>  	source "package/cppcms/Config.in"
> +	source "package/cracklib/Config.in"
>  	source "package/dawgdic/Config.in"
>  	source "package/ding-libs/Config.in"
>  	source "package/eigen/Config.in"
> diff --git a/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch b/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
> new file mode 100644
> index 0000000..56b60b1
> --- /dev/null
> +++ b/package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
> @@ -0,0 +1,114 @@
> +From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
> +From: Jan Dittberner <jan@dittberner.info>
> +Date: Thu, 25 Aug 2016 17:13:49 +0200
> +Subject: [PATCH] Apply patch to fix CVE-2016-6318
> +
> +This patch fixes an issue with a stack-based buffer overflow whne
> +parsing large GECOS field. See
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
> +https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
> +information.

Your SoB line is missing

> +---
> +
> +Status: upstream, not yet released.
> +
> + NEWS          |  1 +
> + lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
> + 2 files changed, 34 insertions(+), 24 deletions(-)
> +
> +diff --git a/NEWS b/NEWS
> +index 26abeee..361a207 100644
> +--- a/NEWS
> ++++ b/NEWS
> +@@ -1,3 +1,4 @@
> ++v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
> + v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
> +        migration to github
> +        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)

You can drop this part of the patch.

> +diff --git a/lib/fascist.c b/lib/fascist> +index a996509..d4deb15 100644
> +--- a/lib/fascist.c
> ++++ b/lib/fascist.c
> +@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
> +     char gbuffer[STRINGSIZE];
> +     char tbuffer[STRINGSIZE];
> +     char *uwords[STRINGSIZE];
> +-    char longbuffer[STRINGSIZE * 2];
> ++    char longbuffer[STRINGSIZE];
> + 
> +     if (gecos == NULL)
> + 	gecos = "";
> +@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
> +     {
> + 	for (i = 0; i < j; i++)
> + 	{
> +-	    strcpy(longbuffer, uwords[i]);
> +-	    strcat(longbuffer, uwords[j]);
> +-
> +-	    if (GTry(longbuffer, password))
> ++	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
> + 	    {
> +-		return _("it is derived from your password entry");
> +-	    }
> ++		strcpy(longbuffer, uwords[i]);
> ++		strcat(longbuffer, uwords[j]);
> + 
> +-	    strcpy(longbuffer, uwords[j]);
> +-	    strcat(longbuffer, uwords[i]);
> ++		if (GTry(longbuffer, password))
> ++		{
> ++		    return _("it is derived from your password entry");
> ++		}
> + 
> +-	    if (GTry(longbuffer, password))
> +-	    {
> +-		return _("it's derived from your password entry");
> +-	    }
> ++		strcpy(longbuffer, uwords[j]);
> ++		strcat(longbuffer, uwords[i]);
> + 
> +-	    longbuffer[0] = uwords[i][0];
> +-	    longbuffer[1] = '\0';
> +-	    strcat(longbuffer, uwords[j]);
> ++		if (GTry(longbuffer, password))
> ++		{
> ++		   return _("it's derived from your password entry");
> ++		}
> ++	    }
> + 
> +-	    if (GTry(longbuffer, password))
> ++	    if (strlen(uwords[j]) < STRINGSIZE - 1)
> + 	    {
> +-		return _("it is derivable from your password entry");
> ++		longbuffer[0] = uwords[i][0];
> ++		longbuffer[1] = '\0';
> ++		strcat(longbuffer, uwords[j]);
> ++
> ++		if (GTry(longbuffer, password))
> ++		{
> ++		    return _("it is derivable from your password entry");
> ++		}
> + 	    }
> + 
> +-	    longbuffer[0] = uwords[j][0];
> +-	    longbuffer[1] = '\0';
> +-	    strcat(longbuffer, uwords[i]);
> +-
> +-	    if (GTry(longbuffer, password))
> ++	    if (strlen(uwords[i]) < STRINGSIZE - 1)
> + 	    {
> +-		return _("it's derivable from your password entry");
> ++		longbuffer[0] = uwords[j][0];
> ++		longbuffer[1] = '\0';
> ++		strcat(longbuffer, uwords[i]);
> ++
> ++		if (GTry(longbuffer, password))
> ++		{
> ++		    return _("it's derivable from your password entry");
> ++		}
> + 	    }
> + 	}
> +     }
> +-- 
> +2.9.3
> +
> diff --git a/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch b/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
> new file mode 100644
> index 0000000..93cd4a8
> --- /dev/null
> +++ b/package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
> @@ -0,0 +1,49 @@
> +From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
> +From: Jan Dittberner <jan@dittberner.info>
> +Date: Thu, 25 Aug 2016 17:17:53 +0200
> +Subject: [PATCH] Fix a buffer overflow processing long words
> +
> +A buffer overflow processing long words has been discovered. This commit
> +applies the patch from
> +https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
> +by Howard Guo.
> +
> +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
> +http://www.openwall.com/lists/oss-security/2016/08/23/8

Your SoB line is missing

> +---
> +
> +Status: upstream, not yet released.
> +
> + NEWS        | 1 +
> + lib/rules.c | 5 ++---
> + 2 files changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/NEWS b/NEWS
> +index 361a207..f1df3b0 100644
> +--- a/NEWS
> ++++ b/NEWS
> +@@ -1,4 +1,5 @@
> + v2.9.x apply patch to fix CVE-2016-6318 Stack-based buffer overflow when parsing large GECOS field
> ++       fix a buffer overflow processing long words
> + v2.9.6 updates to cracklib-words to add a bunch of other dictionary lists
> +        migration to github
> +        patch to add some particularly bad cases to the cracklib small dictionary (Matthew Miller)

You can drop this part of the patch.

> +diff --git a/lib/rules.c b/lib/rules.c
> +index d193cc0..3a2aa46 100644
> +--- a/lib/rules.c
> ++++ b/lib/rules.c
> +@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a pointer to a controlled Mangle */
> + {
> +     int limit;
> +     register char *ptr;
> +-    static char area[STRINGSIZE];
> +-    char area2[STRINGSIZE];
> +-    area[0] = '\0';
> ++    static char area[STRINGSIZE * 2] = {0};
> ++    char area2[STRINGSIZE * 2] = {0};
> +     strcpy(area, input);
> + 
> +     for (ptr = control; *ptr; ptr++)
> +-- 
> +2.9.3
> +
> diff --git a/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch b/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
> new file mode 100644
> index 0000000..b05a69c
> --- /dev/null
> +++ b/package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
> @@ -0,0 +1,30 @@
> +From d27062fe7a520d5791f7a56d175a5cb6a39bae61 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
> +Date: Tue, 18 Apr 2017 12:00:39 +0200
> +Subject: [PATCH] Force grep to treat the input as text when formatting word
> + files.
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> +---
> + util/cracklib-format | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/util/cracklib-format b/util/cracklib-format
> +index 1d7be5b..b1de8e8 100644
> +--- a/util/cracklib-format
> ++++ b/util/cracklib-format
> +@@ -4,7 +4,7 @@
> + # into cracklib-packer
> + #
> + gzip -cdf "$@" |
> +-    grep -v '^\(#\|$\)' |
> ++    grep -a -v '^\(#\|$\)' |
> +     tr '[A-Z]' '[a-z]' |
> +     tr -cd '\012[a-z][0-9]' |
> +     env LC_ALL=C sort -u
> +-- 
> +2.9.3
> +
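
Review bot: `grep -a` is not a POSIX grep option, so this line ties `cracklib-format` to a grep that accepts it, and cracklib.mk runs this script on the build host when packing the dictionary. The commit message also has no body: state what went wrong without `-a` (which input made grep treat the words file as binary, and what ended up in the dictionary) and whether the change was sent upstream, so it is clear when the patch can be dropped. Since the pipeline already ends in `env LC_ALL=C sort -u`, it is worth checking whether running grep under `LC_ALL=C` as well would do the job more portably.
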
> diff --git a/package/cracklib/Config.in b/package/cracklib/Config.in
> new file mode 100644
> index 0000000..4a0f43f
> --- /dev/null
> +++ b/package/cracklib/Config.in
> @@ -0,0 +1,28 @@
> +config BR2_PACKAGE_CRACKLIB
> +	bool "cracklib"
> +	help
> +	  CrackLib tests passwords to determine whether they match
> +	  certain security-oriented characteristics, with the purpose
> +	  of stopping users from choosing passwords that are easy to
> +	  guess. CrackLib performs several tests on passwords: it
> +	  tries to generate words from a username and gecos entry and
> +	  checks those words against the password; it checks for
> +	  simplistic patterns in passwords; and it checks for the
> +	  password in a dictionary.
> +
> +	  https://github.com/cracklib/cracklib
> +
> +if BR2_PACKAGE_CRACKLIB
> +
> +config BR2_PACKAGE_CRACKLIB_TOOLS
> +	bool "install tools"
> +	help
> +	  Install cracklib command line tools for creating dicts.
> +
> +config BR2_PACKAGE_CRACKLIB_FULL_DICT
> +	bool "full dict"
> +	help
> +	  Install the full cracklib dict (requires about 8Mb extra
> +	  target space).
> +
> +endif
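
Review bot: in the BR2_PACKAGE_CRACKLIB_FULL_DICT help text, "8Mb" reads as megabits; write "8 MB". The help should also say what is installed when the option is off (cracklib.mk falls back to `dicts/cracklib-small`), because the size of the dictionary decides which passwords the dictionary check is able to reject.
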
> diff --git a/package/cracklib/cracklib.hash b/package/cracklib/cracklib.hash
> new file mode 100644
> index 0000000..3038a47
> --- /dev/null
> +++ b/package/cracklib/cracklib.hash
> @@ -0,0 +1,3 @@
> +# Locally calculated
> +sha256	17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343	cracklib-2.9.6.tar.gz
> +sha256	27973245225eeb9d0090e97f3dea4197dec99b64d9d3a791a60298f3b021824c	cracklib-words-2.9.6.gz
> diff --git a/package/cracklib/cracklib.mk b/package/cracklib/cracklib.mk
> new file mode 100644
> index 0000000..0a1373a
> --- /dev/null
> +++ b/package/cracklib/cracklib.mk
> @@ -0,0 +1,36 @@
> +################################################################################
> +#
> +# cracklib
> +#
> +################################################################################
> +
> +CRACKLIB_VERSION = 2.9.6
> +CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/cracklib-$(CRACKLIB_VERSION)
> +CRACKLIB_LICENSE = LGPL-2.1
> +CRACKLIB_LICENSE_FILES = COPYING.LIB
> +CRACKLIB_INSTALL_STAGING = YES
> +CRACKLIB_DEPENDENCIES = host-cracklib

As noticed by Danomi Manchego, you should add zlib package dependency handling.

In addition, I would suggest adding this line to disable the python module:
HOST_CRACKLIB_CONF_OPTS += --without-python

Also since the python dependency is not handled for the target, you should add:
CRACKLIB_CONF_OPTS += --without-python
(In case python2 or python3 is built before cracklib)

> +
> +ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
> +CRACKLIB_EXTRA_DOWNLOADS = cracklib-words-$(CRACKLIB_VERSION).gz
> +CRACKLIB_DICT_SOURCE = $(DL_DIR)/cracklib-words-$(CRACKLIB_VERSION).gz
> +else
> +CRACKLIB_DICT_SOURCE = $(@D)/dicts/cracklib-small
> +endif
> +
> +ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
> +define CRACKLIB_REMOVE_TOOLS
> +	rm -f $(TARGET_DIR)/usr/sbin/*cracklib*

Maybe this part can be done in a post install script instead ?

> +endef
> +CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_REMOVE_TOOLS
> +endif
> +
> +define CRACKLIB_BUILD_DICT
> +	$(HOST_MAKE_ENV) cracklib-format $(CRACKLIB_DICT_SOURCE) | \
> +		$(HOST_MAKE_ENV) cracklib-packer $(TARGET_DIR)/usr/share/cracklib/pw_dict
> +	rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small

Why do you remove cracklib-small binary ?

Best regards,
Romain

> +endef
> +CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_BUILD_DICT
> +
> +$(eval $(autotools-package))
> +$(eval $(host-autotools-package))
> 
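
Review bot: in CRACKLIB_BUILD_DICT, `cracklib-format ... | cracklib-packer ...` is a shell pipeline, so only the exit status of `cracklib-packer` reaches make. If `cracklib-format` fails (a missing or unreadable CRACKLIB_DICT_SOURCE, for example), the hook can still succeed and leave an empty or truncated `pw_dict` on the target, which silently weakens the dictionary check. Write the formatted word list to a temporary file under `$(@D)` and pack it in a second command, so that each step's exit status is checked.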


* [Buildroot] [PATCH v3 2/2] libpwquality: New package
  2017-04-19  7:56 ` [Buildroot] [PATCH v3 2/2] libpwquality: " Stefan Sørensen
@ 2017-04-30 13:51   ` Romain Naour
  0 siblings, 0 replies; 9+ messages in thread
From: Romain Naour @ 2017-04-30 13:51 UTC (permalink / raw)
  To: buildroot

Hi Stefan,

On 19/04/2017 at 09:56, Stefan Sørensen wrote:
> No changes since v2
> 
> Changes since v1:
>  * Update DEVELOPERS file
>  * Use SPDX license codes
>  * Use new github site
>  * Remove unneeded autoreconf
>  * Fix building when python is enabled
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
>  DEVELOPERS                                         |  1 +
>  package/Config.in                                  |  1 +
>  ...ith-disable-nls-on-platforms-without-libi.patch | 47 ++++++++++++++++++++++
>  ...leak-in-settings-when-using-bad-word-list.patch | 26 ++++++++++++
>  package/libpwquality/Config.in                     | 19 +++++++++
>  package/libpwquality/libpwquality.hash             |  2 +
>  package/libpwquality/libpwquality.mk               | 32 +++++++++++++++
>  7 files changed, 128 insertions(+)
>  create mode 100644 package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch
>  create mode 100644 package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch
>  create mode 100644 package/libpwquality/Config.in
>  create mode 100644 package/libpwquality/libpwquality.hash
>  create mode 100644 package/libpwquality/libpwquality.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 4139a19..977ebfe 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1484,6 +1484,7 @@ F:	package/yasm/
>  
>  N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
>  F:	package/cracklib/
> +F:	package/libpwquality/
>  F:	package/libscrypt/
>  
>  N:	Stephan Hoffmann <sho@relinux.de>
> diff --git a/package/Config.in b/package/Config.in
> index cf0d78d..3955a04 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1386,6 +1386,7 @@ menu "Other"
>  	source "package/libplist/Config.in"
>  	source "package/libpthread-stubs/Config.in"
>  	source "package/libpthsem/Config.in"
> +	source "package/libpwquality/Config.in"
>  	source "package/libseccomp/Config.in"
>  	source "package/libsigc/Config.in"
>  	source "package/libsigsegv/Config.in"
> diff --git a/package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch b/package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch
> new file mode 100644
> index 0000000..3bae15c
> --- /dev/null
> +++ b/package/libpwquality/0001-Fix-build-with-disable-nls-on-platforms-without-libi.patch
> @@ -0,0 +1,47 @@
> +From fd1694c9d85666a39fe39e76518581b1ccd5a6c5 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
> +Date: Thu, 2 Feb 2017 11:16:49 +0100
> +Subject: [PATCH] Fix build with --disable-nls on platforms without libintl
> + included in libc.
> +
> +Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> +
> +---
> +
> +Status: accepted upstream, not yet released.
> +
> +diff --git a/src/pwmake.c b/src/pwmake.c
> +index 5b8cfb8..81f7cd3 100644
> +--- a/src/pwmake.c
> ++++ b/src/pwmake.c
> +@@ -33,9 +33,11 @@ main(int argc, char *argv[])
> +         int bits;
> +         void *auxerror;
> + 
> ++#ifdef ENABLE_NLS
> +         setlocale(LC_ALL, "");
> +         bindtextdomain("libpwquality", "/usr/share/locale");
> +         textdomain("libpwquality");
> ++#endif
> + 
> +         if (argc != 2) {
> +                 usage(basename(argv[0]));
> +diff --git a/src/pwscore.c b/src/pwscore.c
> +index 219a175..24c13f2 100644
> +--- a/src/pwscore.c
> ++++ b/src/pwscore.c
> +@@ -34,9 +34,11 @@ main(int argc, char *argv[])
> +         size_t len;
> +         char *user = NULL;
> + 
> ++#ifdef ENABLE_NLS
> +         setlocale(LC_ALL, "");
> +         bindtextdomain("libpwquality", "/usr/share/locale");
> +         textdomain("libpwquality");
> ++#endif
> + 
> +         if (argc > 2) {
> +                 usage(basename(argv[0]));
> +-- 
> +2.9.3
> +
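
Review bot: in both pwmake.c and pwscore.c the new `#ifdef ENABLE_NLS` also encloses `setlocale(LC_ALL, "");`, which comes from libc and does not need libintl. With NLS disabled the tools then stay in the "C" locale whatever the user's environment says. Guard only `bindtextdomain()` and `textdomain()` unless dropping the locale setup is intended, and if it is, say so in the commit message.
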
> diff --git a/package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch b/package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch
> new file mode 100644
> index 0000000..1b4f242
> --- /dev/null
> +++ b/package/libpwquality/0002-Fix-memory-leak-in-settings-when-using-bad-word-list.patch
> @@ -0,0 +1,26 @@
> +From b1f2f1f71894fa0af92041fb4d5b6146101d63e5 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
> +Date: Thu, 2 Feb 2017 11:17:26 +0100
> +Subject: [PATCH] Fix memory leak in settings when using bad word list.
> +
> +Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> +
> +---
> +
> +Status: accepted upstream, not yet released.
> +
> +diff --git a/src/settings.c b/src/settings.c
> +index 5c38b30..4b026b1 100644
> +--- a/src/settings.c
> ++++ b/src/settings.c
> +@@ -46,6 +46,7 @@ pwquality_free_settings(pwquality_settings_t *pwq)
> + {
> +         if (pwq) {
> +                 free(pwq->dict_path);
> ++                free(pwq->bad_words);
> +                 free(pwq);
> +         }
> + }
> +-- 
> +2.9.3
> +
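
Review bot: "Status: accepted upstream, not yet released." names no upstream commit. Add the upstream commit hash or URL to the patch header (here and in 0001) so the patch can be compared with upstream and dropped at the next version bump. The added `free(pwq->bad_words);` itself looks right next to the existing `free(pwq->dict_path);`.
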
> diff --git a/package/libpwquality/Config.in b/package/libpwquality/Config.in
> new file mode 100644
> index 0000000..4e85525
> --- /dev/null
> +++ b/package/libpwquality/Config.in
> @@ -0,0 +1,19 @@
> +config BR2_PACKAGE_LIBPWQUALITY
> +	bool "libpwquality"
> +	help
> +	  This is a library for password quality checks and generation
> +	  of random passwords that pass the checks.  This library uses
> +	  the cracklib and cracklib dictionaries to perform some of
> +	  the checks.
> +
> +	  https://github.com/libpwquality/libpwquality
> +
> +if BR2_PACKAGE_LIBPWQUALITY
> +
> +config BR2_PACKAGE_LIBPWQUALITY_TOOLS
> +	bool "install tools"
> +	help
> +	  Install libpwquality command line tools generating/checking
> +	  passwords.
> +
> +endif
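
Review bot: `config BR2_PACKAGE_LIBPWQUALITY` has no `select BR2_PACKAGE_CRACKLIB`, while libpwquality.mk sets `LIBPWQUALITY_DEPENDENCIES = cracklib`. Without the select, libpwquality can be enabled while cracklib is disabled in the configuration. Add `select BR2_PACKAGE_CRACKLIB` below the `bool` line. In the tools help text, "command line tools generating/checking passwords" is missing a "for".
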
> diff --git a/package/libpwquality/libpwquality.hash b/package/libpwquality/libpwquality.hash
> new file mode 100644
> index 0000000..0e3f9e3
> --- /dev/null
> +++ b/package/libpwquality/libpwquality.hash
> @@ -0,0 +1,2 @@
> +# Locally calculated
> +sha256	74d2ea90e103323c1f2d6a6cc9617cdae6877573eddb31aaf31a40f354cc2d2a	libpwquality-1.3.0.tar.bz2
> diff --git a/package/libpwquality/libpwquality.mk b/package/libpwquality/libpwquality.mk
> new file mode 100644
> index 0000000..4236ebd
> --- /dev/null
> +++ b/package/libpwquality/libpwquality.mk
> @@ -0,0 +1,32 @@
> +################################################################################
> +#
> +# libpwquality
> +#
> +################################################################################
> +
> +LIBPWQUALITY_VERSION = 1.3.0
> +LIBPWQUALITY_SOURCE = libpwquality-$(LIBPWQUALITY_VERSION).tar.bz2
> +LIBPWQUALITY_SITE = $(call github,libpwquality,libpwquality,$(LIBPWQUALITY_VERSION))

The github helper doesn't work when you want to download a release archive:

LIBPWQUALITY_SITE = https://github.com/libpwquality/libpwquality/releases/download/libpwquality-$(LIBPWQUALITY_VERSION)

> +LIBPWQUALITY_LICENSE = BSD-3-Clause or GPL-2.0+
> +LIBPWQUALITY_INSTALL_STAGING = YES
> +LIBPWQUALITY_DEPENDENCIES = cracklib
> +LIBPWQUALITY_LICENSE_FILES = COPYING
> +
> +ifeq ($(BR2_PACKAGE_PYTHON),y)
> +LIBPWQUALITY_CONF_OPTS += --enable-python-bindings
> +LIBPWQUALITY_DEPENDENCIES += python
> +LIBPWQUALITY_MAKE_ENV += $(PKG_PYTHON_DISTUTILS_ENV)
> +else
> +LIBPWQUALITY_CONF_OPTS += --disable-python-bindings
> +endif
> +
> +ifeq ($(BR2_PACKAGE_LIBPWQUALITY_TOOLS),)
> +define LIBPWQUALITY_REMOVE_TOOLS
> +	rm -f $(TARGET_DIR)/usr/bin/pwmake
> +	rm -f $(TARGET_DIR)/usr/bin/pwscore
> +endef

Same remark as for cracklib. This can be done by a post install script.

Otherwise looks good.

Best regards,
Romain

> +
> +LIBPWQUALITY_POST_INSTALL_TARGET_HOOKS += LIBPWQUALITY_REMOVE_TOOLS
> +endif
> +
> +$(eval $(autotools-package))
> 


* [Buildroot] [PATCH v3 1/2] cracklib: New package
  2017-04-30 13:36 ` Romain Naour
@ 2017-05-04  7:10   ` Sørensen, Stefan
  2017-05-04 21:34     ` Romain Naour
  0 siblings, 1 reply; 9+ messages in thread
From: Sørensen, Stefan @ 2017-05-04  7:10 UTC (permalink / raw)
  To: buildroot

On Sun, 2017-04-30 at 15:36 +0200, Romain Naour wrote:

> +ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
> > +define CRACKLIB_REMOVE_TOOLS
> > +	rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
> 
> Maybe this part can be done in a post install script instead ?

Post install script? I can't find any reference to what that is.

> > +	rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small
> 
> Why do you remove cracklib-small binary ?

This is not a binary, but rather the source for the small dictionary.
It is not needed on the target.


Stefan


* [Buildroot] [PATCH v3 1/2] cracklib: New package
  2017-04-19  7:56 [Buildroot] [PATCH v3 1/2] cracklib: New package Stefan Sørensen
                   ` (2 preceding siblings ...)
  2017-04-30 13:36 ` Romain Naour
@ 2017-05-04 21:19 ` Thomas Petazzoni
  3 siblings, 0 replies; 9+ messages in thread
From: Thomas Petazzoni @ 2017-05-04 21:19 UTC (permalink / raw)
  To: buildroot

Hello,

On Wed, 19 Apr 2017 09:56:01 +0200, Stefan Sørensen wrote:
> Changes since v2:
>  * Add two upstream bugfixes
>  * Add patch to force grep to treat the words file as text
>  * Add $(HOST_MAKE_ENV) when build the dict 
> 
> Changes since v1:
>  * Update DEVELOPERS file
>  * Use SPDX license codes
>  * Use the tools from host-cracklib for generating dictionary files
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
>  DEVELOPERS                                         |   1 +
>  package/Config.in                                  |   1 +
>  .../0001-Apply-patch-to-fix-CVE-2016-6318.patch    | 114 +++++++++++++++++++++
>  ...x-a-buffer-overflow-processing-long-words.patch |  49 +++++++++
>  ...to-treat-the-input-as-text-when-formattin.patch |  30 ++++++
>  package/cracklib/Config.in                         |  28 +++++
>  package/cracklib/cracklib.hash                     |   3 +
>  package/cracklib/cracklib.mk                       |  36 +++++++
>  8 files changed, 262 insertions(+)
>  create mode 100644 package/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
>  create mode 100644 package/cracklib/0002-Fix-a-buffer-overflow-processing-long-words.patch
>  create mode 100644 package/cracklib/0003-Force-grep-to-treat-the-input-as-text-when-formattin.patch
>  create mode 100644 package/cracklib/Config.in
>  create mode 100644 package/cracklib/cracklib.hash
>  create mode 100644 package/cracklib/cracklib.mk

You received quite a bit of feedback from Danomi and Romain. Could you
take it into account and send an updated version?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v3 1/2] cracklib: New package
  2017-05-04  7:10   ` Sørensen, Stefan
@ 2017-05-04 21:34     ` Romain Naour
  2017-05-05 12:33       ` Sørensen, Stefan
  0 siblings, 1 reply; 9+ messages in thread
From: Romain Naour @ 2017-05-04 21:34 UTC (permalink / raw)
  To: buildroot

Hi Stefan, all,

On 04/05/2017 at 09:10, Sørensen, Stefan wrote:
> On Sun, 2017-04-30 at 15:36 +0200, Romain Naour wrote:
> 
>> +ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
>>> +define CRACKLIB_REMOVE_TOOLS
>>> +	rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
>>
>> Maybe this part can be done in a post install script instead ?
> 
> Post install script? I can't find any reference to what that is.

Sorry, I meant post build scripts, see BR2_ROOTFS_POST_BUILD_SCRIPT option.

> 
>>> +	rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small
>>
>> Why do you remove cracklib-small binary ?
> 
> This is not a binary, but rather the source for the small dictionary.
> It is not needed on the target.

Ok, thanks for the explanation.

Best regards,
Romain

> 
> 
> Stefan
> 


* [Buildroot] [PATCH v3 1/2] cracklib: New package
  2017-05-04 21:34     ` Romain Naour
@ 2017-05-05 12:33       ` Sørensen, Stefan
  0 siblings, 0 replies; 9+ messages in thread
From: Sørensen, Stefan @ 2017-05-05 12:33 UTC (permalink / raw)
  To: buildroot

On Thu, 2017-05-04 at 23:34 +0200, Romain Naour wrote:
> Hi Stefan, all,
> 
> On 04/05/2017 at 09:10, Sørensen, Stefan wrote:
> > On Sun, 2017-04-30 at 15:36 +0200, Romain Naour wrote:
> > 
> > > +ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
> > > > +define CRACKLIB_REMOVE_TOOLS
> > > > +	rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
> > > 
> > > Maybe this part can be done in a post install script instead ?
> > 
> > Post install script? I can't find any reference to what that is.
> 
> Sorry, I meant post build scripts, see BR2_ROOTFS_POST_BUILD_SCRIPT
> option.

The tools are mostly for creating password dictionaries. I guess that these
will rarely be used on the target, so to me it seems better to remove
them in the package, rather than in post build scripts for everybody
that does not need them.

Stefan

