From 5d7f1bce7d8eea31f4baeb68bcc3124b35acc751 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Wed, 22 Nov 2023 08:38:33 +0100
Subject: posix: Revert the removal of the crypt prototype from

Many applications still rely on this prototype. Rebuilds without this prototype result in an implicit function declaration, which can introduce security vulnerabilities due to 32-bit pointer truncation.
---
 NEWS | 5 ++++-
 posix/unistd.h | 13 +++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 139cfef1b0..8c1c149f91 100644
--- a/NEWS
+++ b/NEWS
@@ -52,7 +52,10 @@ Deprecated and removed features, and other changes affecting compatibility:
 * libcrypt has been removed from the GNU C Library. The configure options "--enable-crypt" and "--enable-nss-crypt" are no longer available. , libcrypt.a, and libcrypt.so.1 will not be
- installed, and will not declare the crypt function.
+ installed. For now continues to declare the crypt
+ function by default, to avoid introducing vulnerabilities into
+ existing applications due to a missing prototype. This declaration
+ is deprecated and may be removed in a future glibc release.
 The replacement for libcrypt is libxcrypt, maintained separately from GNU libc, but available under compatible licensing terms, and providing
diff --git a/posix/unistd.h b/posix/unistd.h
index 1f9cd8cbf0..5b91ad4aaa 100644
--- a/posix/unistd.h
+++ b/posix/unistd.h
@@ -1150,6 +1150,19 @@ ssize_t copy_file_range (int __infd, __off64_t *__pinoff,
 extern int fdatasync (int __fildes);
 #endif /* Use POSIX199309 */
+#ifdef __USE_MISC
+/* One-way hash PHRASE, returning a string suitable for storage in the
+ user database. SALT selects the one-way function to use, and
+ ensures that no two users' hashes are the same, even if they use
+ the same passphrase. The return value points to static storage
+ which will be overwritten by the next call to crypt.
+
+ This declaration is deprecated; applications should include
+ instead. */
+extern char *crypt (const char *__key, const char *__salt)
+ __THROW __nonnull ((1, 2));
+#endif
+
 #ifdef __USE_XOPEN
 /* Swab pairs bytes in the first N bytes of the area pointed to by FROM and copy the result to TO. The value of TO must not be in the
-- cgit 1.4.1
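Review bot: The comment on the restored `crypt` declaration in posix/unistd.h says it is deprecated but does not record why it is still present, so a later cleanup could drop it again and reopen the problem named in the commit message. I would add a sentence to that comment such as `Kept so that callers which include only this header do not fall back to an implicit declaration returning int, which truncates the returned pointer on 64-bit targets.` The deprecation is also comment-only: nothing in the hunk attaches a deprecation attribute to the declaration, so existing callers get no build-time hint to move to the libxcrypt header; if that is deliberate to keep warnings-as-errors builds working, the comment should say so. The diffstat lists only NEWS and posix/unistd.h, so there appears to be no test that would fail if the prototype disappeared again.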