[ SOURCE: http://www.secureroot.com/security/advisories/9641780403.html ]

******************************************************************************

Topic:   CrackLib
Source:  Alec Muffett

--------------------------------

Problem: Vulnerability in CrackLib v2.5

I. Description

CrackLib is a freely-available software library that gives system and application programmers a means to dissuade users from choosing easily-guessable passwords as authentication tokens.

A weakness in a published version of CrackLib (v2.5, dated 1993) may be exploitable on Unix systems that use CrackLib from setuid-root software, leading to compromise of system privileges.

II. Impact

A bug in CrackLib v2.5 *may* be exploitable by a logged-in user to obtain root privileges on machines where CrackLib is linked into a setuid-root program such as "/bin/passwd".

This problem also affects systems where CrackLib is part of the PAM (Pluggable Authentication Modules) installation. If you are using a commercial operating system that incorporates CrackLib (typically some Linux and FreeBSD distributions), contact your vendor for a patch.

III. Solution

An upgraded/fixed version of CrackLib, v2.6, is available from the following website, together with patches for the v2.5 software:

http://www.users.dircon.co.uk/~crypto/

MD5 digests                       filenames
--------------------------------  -------------------------
7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc

(The .asc files are detached PGP signatures over the corresponding archive and patch.)

...and contact information is also available from that website.
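The check a practitioner would run before installing the v2.6 archive or applying the patch is to compare the downloaded files against the digests listed in section III. The script below is an added example for this page, not part of the advisory or of the CrackLib distribution; it assumes GNU md5sum (or openssl as a fallback) is on PATH, embeds the advisory's digest list verbatim, and matches files by basename.

```shell
#!/bin/sh
# Added example, not part of the advisory: check downloaded CrackLib 2.6
# files against the MD5 digests published in section III.
# Assumes GNU md5sum or openssl is available; files are matched by basename.

# Digest list as printed in the advisory (digest, two spaces, file name).
CRACKLIB26_MD5S='7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc'

# md5_of FILE: print the hex MD5 of FILE; fail if FILE cannot be read.
md5_of() {
    [ -r "$1" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# expected_md5 NAME: print the published digest for NAME; fail if unlisted.
expected_md5() {
    printf '%s\n' "$CRACKLIB26_MD5S" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_md5 FILE EXPECTED: succeed only if FILE's digest equals EXPECTED.
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_download FILE: look up FILE's basename in the advisory list and
# compare. Returns 0 on match, 1 on mismatch or unreadable file, and 2 when
# the name is not in the published list (nothing to compare against).
verify_download() {
    name=$(basename "$1")
    expected=$(expected_md5 "$name") || {
        echo "no published digest for $name" >&2
        return 2
    }
    if verify_md5 "$1" "$expected"; then
        echo "OK   $name"
    else
        echo "FAIL $name: digest does not match $expected" >&2
        return 1
    fi
}

# Usage: ./check-cracklib.sh cracklib26_small.tgz cracklib26_small.diff
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        verify_download "$f" || status=1
    done
    exit "$status"
fi
```

A matching digest only shows that the bytes are the ones the advisory lists; MD5 is no longer collision-resistant, and the advisory itself is only as trustworthy as the channel it arrived over. The authoritative check is the detached .asc signature (e.g. `pgp` or `gpg --verify cracklib26_small.tgz.asc cracklib26_small.tgz`) against the author's key obtained out of band.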
******************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: 2.6ui

iQCVAwUBNJcC8SkVdfDiK/dBAQH/cgP/XOrNN87QJ7/OzORHsa4wumVaiJ900fiM
htLGtlQB3zJZJHxN9p3zPZteU45RQcW3CIYCKJpwIfc1jclgQb94nZyKXI+T86Yc
Yg/jmK30dIqYDf5mRgKr8dh2IGICU+GEq8OE1MfqAa4r09MJ7VmhmNTZxp/09a8c
QNxsRXFm4qE=
=/6eR
-----END PGP SIGNATURE-----