COMMAND

    CrackLib

SYSTEMS AFFECTED

    Systems with CrackLib v2.5

PROBLEM

    Alec Muffett posted the following information about a vulnerability
    in CrackLib v2.5.  CrackLib is a freely-available software library
    that provides systems and application programmers with some control
    to dissuade users from utilising easily-guessable passwords as
    authentication tokens.  A weakness in a published version of
    CrackLib (v2.5, dated 1993) may be open to exploitation on Unix
    systems utilising CrackLib in setuid-root software, leading to
    compromise of system privileges.

    A bug in CrackLib v2.5 *may* be exploitable to obtain root
    privileges when logged on to machines where CrackLib is installed
    as part of a SUID program, such as "/bin/passwd".  This problem
    will also impact systems where CrackLib is part of the PAM
    (pluggable authentication module) installation; where you are using
    a commercial operating system that utilises CrackLib (typically
    this applies to some Linux and FreeBSD distributions) you are
    advised to contact your vendor for a patch.  This was originally
    found by Jon Lewis.

SOLUTION

    An upgraded/fixed version of CrackLib - v2.6 - is available from
    the following website, together with patches for the v2.5
    software:

        http://www.users.dircon.co.uk/~crypto/