new file mode 100644

@@ -0,0 +1,74 @@

+diff -ruN shadow-4.2.1/libmisc/idmapping.c shadow-4.2.1.new/libmisc/idmapping.c

+--- shadow-4.2.1/libmisc/idmapping.c	2014-03-01 19:59:51.000000000 +0100

+@@ -77,6 +77,11 @@

+ 			return NULL;

+ 		if (!getulong(argv[argidx + 2], &mapping->count))

+ 			return NULL;

++

++		if (ULONG_MAX - mapping->upper <= mapping->count || ULONG_MAX - mapping->lower <= mapping->count) {

++			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);

++			exit(EXIT_FAILURE);

++		}

+ 	}

+ 	return mappings;

+ }

+diff -ruN shadow-4.2.1/libmisc/myname.c shadow-4.2.1.new/libmisc/myname.c

+--- shadow-4.2.1/libmisc/myname.c	2014-03-01 19:59:51.000000000 +0100

+@@ -44,25 +44,13 @@

+ /*@null@*/ /*@only@*/struct passwd *get_my_pwent (void)

+ {

+ 	struct passwd *pw;

+-	const char *cp = getlogin ();

+ 	uid_t ruid = getuid ();

+ 

+-	/*

+-	 * Try getlogin() first - if it fails or returns a non-existent

+-	 * username, or a username which doesn't match the real UID, fall

+-	 * back to getpwuid(getuid()).  This should work reasonably with

+-	 * usernames longer than the utmp limit (8 characters), as well as

+-	 * shared UIDs - but not both at the same time...

++	/* Do not use getlogin(). Its not suitable for suid binaries.

+ 	 *

+ 	 * XXX - when running from su, will return the current user (not

+ 	 * the original user, like getlogin() does).  Does this matter?

+ 	 */

+-	if ((NULL != cp) && ('\0' != *cp)) {

+-		pw = xgetpwnam (cp);

+-		if ((NULL != pw) && (pw->pw_uid == ruid)) {

+-			return pw;

+-		}

+-	}

+ 

+ 	return xgetpwuid (ruid);

+ }

+

+diff -ruN shadow-4.2.1/lib/getulong.c shadow-4.2.1.new/lib/getulong.c

+--- shadow-4.2.1/lib/getulong.c	2014-03-01 18:50:05.000000000 +0100

+@@ -44,22 +44,19 @@

+  */

+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)

+ {

+-	long long int val;

++	unsigned long int val;

+ 	char *endptr;

+ 

+ 	errno = 0;

+-	val = strtoll (numstr, &endptr, 0);

++	val = strtoul (numstr, &endptr, 0);

+ 	if (    ('\0' == *numstr)

+ 	     || ('\0' != *endptr)

+ 	     || (ERANGE == errno)

+-	     /*@+ignoresigns@*/

+-	     || (val != (unsigned long int)val)

+-	     /*@=ignoresigns@*/

+ 	   ) {

+ 		return 0;

+ 	}

+ 

+-	*result = (unsigned long int)val;

++	*result = val;

+ 	return 1;

+ }

new file mode 100644

@@ -0,0 +1,39 @@

+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001

+From: Tomas Mraz <tmraz@fedoraproject.org>

+Date: Fri, 31 Mar 2017 16:25:06 +0200

+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.

+

+If ptr->line == NULL for an entry, the first cycle will exit,

+but the second one will happily write past entries buffer.

+We actually do not want to exit the first cycle prematurely

+on ptr->line == NULL.

+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>

+---

+ lib/commonio.c | 8 ++++----

+ 1 file changed, 4 insertions(+), 4 deletions(-)

+

+diff --git a/lib/commonio.c b/lib/commonio.c

+index b10da06a..31edbaaf 100644

+--- a/lib/commonio.c

+@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))

+ 	for (ptr = db->head;

+ 	        (NULL != ptr)

+ #if KEEP_NIS_AT_END

+-	     && (NULL != ptr->line)

+-	     && (   ('+' != ptr->line[0])

+-	         && ('-' != ptr->line[0]))

++	     && ((NULL == ptr->line)

++	         || (('+' != ptr->line[0])

++	             && ('-' != ptr->line[0])))

+ #endif

+ 	     ;

+ 	     ptr = ptr->next) {

+ 		n++;

+ 	}

+ #if KEEP_NIS_AT_END

+-	if ((NULL != ptr) && (NULL != ptr->line)) {

++	if (NULL != ptr) {

+ 		nis = ptr;

+ 	}

+ #endif

@@ -1,7 +1,7 @@

 Summary:        Programs for handling passwords in a secure way

 Name:           shadow

 Version:        4.2.1

-Release:        12%{?dist}

+Release:        13%{?dist}

 URL:            http://pkg-shadow.alioth.debian.org/

 License:        BSD

 Group:          Applications/System

@@ -12,6 +12,8 @@ Source0:        http://pkg-shadow.alioth.debian.org/releases/%{name}-%{version}.

 Source1:        PAM-Configuration-Files-1.5.tar.gz

 %define sha1    PAM=08052511f985e3b3072c194ac1287e036d9299fb

 Patch0:         chkname-allowcase.patch

+Patch1:         shadow-4.2.1-CVE-2016-6252-fix.patch

+Patch2:         shadow-4.2.1-CVE-2017-12424.patch

 BuildRequires:  cracklib

 BuildRequires:  cracklib-devel

 Requires:       cracklib

@@ -33,6 +35,8 @@ These are the additional language files of shadow.

 %setup -q -n %{name}-%{version}

 %setup -q -T -D -a 1

 %patch0 -p1

+%patch1 -p1

+%patch2 -p1

 sed -i 's/groups$(EXEEXT) //' src/Makefile.in

 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;

 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \

@@ -137,6 +141,8 @@ make %{?_smp_mflags} check

 %defattr(-,root,root)

 %changelog

+*   Tue Aug 15 2017 Anish Swaminathan <anishs@vmware.com> 4.2.1-13

+-   Added fix for CVE-2017-12424, CVE-2016-6252

 *   Thu Apr 27 2017 Divya Thaluru <dthaluru@vmware.com> 4.2.1-12

 -   Allow '.' in username

 *   Wed Dec 07 2016 Xiaolin Li <xiaolinl@vmware.com> 4.2.1-11