Change-Id: Id804c814afefd7f5bc9ab4e370ef6616a566e309
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3542
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,74 @@ |
0 |
+diff -ruN shadow-4.2.1/libmisc/idmapping.c shadow-4.2.1.new/libmisc/idmapping.c |
|
1 |
+--- shadow-4.2.1/libmisc/idmapping.c 2014-03-01 19:59:51.000000000 +0100 |
|
2 |
+@@ -77,6 +77,11 @@ |
|
3 |
+ return NULL; |
|
4 |
+ if (!getulong(argv[argidx + 2], &mapping->count)) |
|
5 |
+ return NULL; |
|
6 |
++ |
|
7 |
++ if (ULONG_MAX - mapping->upper <= mapping->count || ULONG_MAX - mapping->lower <= mapping->count) { |
|
8 |
++ fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog); |
|
9 |
++ exit(EXIT_FAILURE); |
|
10 |
++ } |
|
11 |
+ } |
|
12 |
+ return mappings; |
|
13 |
+ } |
|
14 |
+diff -ruN shadow-4.2.1/libmisc/myname.c shadow-4.2.1.new/libmisc/myname.c |
|
15 |
+--- shadow-4.2.1/libmisc/myname.c 2014-03-01 19:59:51.000000000 +0100 |
|
16 |
+@@ -44,25 +44,13 @@ |
|
17 |
+ /*@null@*/ /*@only@*/struct passwd *get_my_pwent (void) |
|
18 |
+ { |
|
19 |
+ struct passwd *pw; |
|
20 |
+- const char *cp = getlogin (); |
|
21 |
+ uid_t ruid = getuid (); |
|
22 |
+ |
|
23 |
+- /* |
|
24 |
+- * Try getlogin() first - if it fails or returns a non-existent |
|
25 |
+- * username, or a username which doesn't match the real UID, fall |
|
26 |
+- * back to getpwuid(getuid()). This should work reasonably with |
|
27 |
+- * usernames longer than the utmp limit (8 characters), as well as |
|
28 |
+- * shared UIDs - but not both at the same time... |
|
29 |
++ /* Do not use getlogin(). Its not suitable for suid binaries. |
|
30 |
+ * |
|
31 |
+ * XXX - when running from su, will return the current user (not |
|
32 |
+ * the original user, like getlogin() does). Does this matter? |
|
33 |
+ */ |
|
34 |
+- if ((NULL != cp) && ('\0' != *cp)) { |
|
35 |
+- pw = xgetpwnam (cp); |
|
36 |
+- if ((NULL != pw) && (pw->pw_uid == ruid)) { |
|
37 |
+- return pw; |
|
38 |
+- } |
|
39 |
+- } |
|
40 |
+ |
|
41 |
+ return xgetpwuid (ruid); |
|
42 |
+ } |
|
43 |
+ |
|
44 |
+diff -ruN shadow-4.2.1/lib/getulong.c shadow-4.2.1.new/lib/getulong.c |
|
45 |
+--- shadow-4.2.1/lib/getulong.c 2014-03-01 18:50:05.000000000 +0100 |
|
46 |
+@@ -44,22 +44,19 @@ |
|
47 |
+ */ |
|
48 |
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result) |
|
49 |
+ { |
|
50 |
+- long long int val; |
|
51 |
++ unsigned long int val; |
|
52 |
+ char *endptr; |
|
53 |
+ |
|
54 |
+ errno = 0; |
|
55 |
+- val = strtoll (numstr, &endptr, 0); |
|
56 |
++ val = strtoul (numstr, &endptr, 0); |
|
57 |
+ if ( ('\0' == *numstr) |
|
58 |
+ || ('\0' != *endptr) |
|
59 |
+ || (ERANGE == errno) |
|
60 |
+- /*@+ignoresigns@*/ |
|
61 |
+- || (val != (unsigned long int)val) |
|
62 |
+- /*@=ignoresigns@*/ |
|
63 |
+ ) { |
|
64 |
+ return 0; |
|
65 |
+ } |
|
66 |
+ |
|
67 |
+- *result = (unsigned long int)val; |
|
68 |
++ *result = val; |
|
69 |
+ return 1; |
|
70 |
+ } |
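Review bot: In the getulong() hunk, `strtoul` still accepts a leading minus sign and returns the negated value without setting `errno`, so an input such as `-1` comes back as `ULONG_MAX` and passes every remaining check. The new guard in idmapping.c rejects the resulting huge values for that one caller, but other callers of getulong() are not visible here and would receive the wrapped number. Consider rejecting a sign anywhere in the string, since `strtoul` also skips leading whitespace, by adding `|| (NULL != strchr (numstr, '-'))` to the failure condition; this assumes `<string.h>` is already included in getulong.c. A one-line comment stating that negative input is refused on purpose would keep the check from being dropped later.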
0 | 71 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,39 @@ |
0 |
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Tomas Mraz <tmraz@fedoraproject.org> |
|
2 |
+Date: Fri, 31 Mar 2017 16:25:06 +0200 |
|
3 |
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db. |
|
4 |
+ |
|
5 |
+If ptr->line == NULL for an entry, the first cycle will exit, |
|
6 |
+but the second one will happily write past entries buffer. |
|
7 |
+We actually do not want to exit the first cycle prematurely |
|
8 |
+on ptr->line == NULL. |
|
9 |
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org> |
|
10 |
+--- |
|
11 |
+ lib/commonio.c | 8 ++++---- |
|
12 |
+ 1 file changed, 4 insertions(+), 4 deletions(-) |
|
13 |
+ |
|
14 |
+diff --git a/lib/commonio.c b/lib/commonio.c |
|
15 |
+index b10da06a..31edbaaf 100644 |
|
16 |
+--- a/lib/commonio.c |
|
17 |
+@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *)) |
|
18 |
+ for (ptr = db->head; |
|
19 |
+ (NULL != ptr) |
|
20 |
+ #if KEEP_NIS_AT_END |
|
21 |
+- && (NULL != ptr->line) |
|
22 |
+- && ( ('+' != ptr->line[0]) |
|
23 |
+- && ('-' != ptr->line[0])) |
|
24 |
++ && ((NULL == ptr->line) |
|
25 |
++ || (('+' != ptr->line[0]) |
|
26 |
++ && ('-' != ptr->line[0]))) |
|
27 |
+ #endif |
|
28 |
+ ; |
|
29 |
+ ptr = ptr->next) { |
|
30 |
+ n++; |
|
31 |
+ } |
|
32 |
+ #if KEEP_NIS_AT_END |
|
33 |
+- if ((NULL != ptr) && (NULL != ptr->line)) { |
|
34 |
++ if (NULL != ptr) { |
|
35 |
+ nis = ptr; |
|
36 |
+ } |
|
37 |
+ #endif |
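Review bot: The new loop condition `(NULL == ptr->line) || ...` is not self-explanatory, and the hunk adds no comment saying why entries without a line must still be counted. Per the patch description, stopping early left `n` smaller than the number of entries a later loop writes, so a short comment above the `for` would protect the invariant, e.g. `/* Count entries with a NULL line too; n must cover every entry copied into the entries buffer. */`. The same reasoning applies to the relaxed `if (NULL != ptr)` before `nis = ptr`. commonio_sort continues outside the hunk, so the allocation and the second loop that the description refers to cannot be checked from here.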
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Programs for handling passwords in a secure way |
2 | 2 |
Name: shadow |
3 | 3 |
Version: 4.2.1 |
4 |
-Release: 12%{?dist} |
|
4 |
+Release: 13%{?dist} |
|
5 | 5 |
URL: http://pkg-shadow.alioth.debian.org/ |
6 | 6 |
License: BSD |
7 | 7 |
Group: Applications/System |
... | ... |
@@ -12,6 +12,8 @@ Source0: http://pkg-shadow.alioth.debian.org/releases/%{name}-%{version}. |
12 | 12 |
Source1: PAM-Configuration-Files-1.5.tar.gz |
13 | 13 |
%define sha1 PAM=08052511f985e3b3072c194ac1287e036d9299fb |
14 | 14 |
Patch0: chkname-allowcase.patch |
15 |
+Patch1: shadow-4.2.1-CVE-2016-6252-fix.patch |
|
16 |
+Patch2: shadow-4.2.1-CVE-2017-12424.patch |
|
15 | 17 |
BuildRequires: cracklib |
16 | 18 |
BuildRequires: cracklib-devel |
17 | 19 |
Requires: cracklib |
... | ... |
@@ -33,6 +35,8 @@ These are the additional language files of shadow. |
33 | 33 |
%setup -q -n %{name}-%{version} |
34 | 34 |
%setup -q -T -D -a 1 |
35 | 35 |
%patch0 -p1 |
36 |
+%patch1 -p1 |
|
37 |
+%patch2 -p1 |
|
36 | 38 |
sed -i 's/groups$(EXEEXT) //' src/Makefile.in |
37 | 39 |
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; |
38 | 40 |
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ |
... | ... |
@@ -137,6 +141,8 @@ make %{?_smp_mflags} check |
137 | 137 |
%defattr(-,root,root) |
138 | 138 |
|
139 | 139 |
%changelog |
140 |
+* Tue Aug 15 2017 Anish Swaminathan <anishs@vmware.com> 4.2.1-13 |
|
141 |
+- Added fix for CVE-2017-12424, CVE-2016-6252 |
|
140 | 142 |
* Thu Apr 27 2017 Divya Thaluru <dthaluru@vmware.com> 4.2.1-12 |
141 | 143 |
- Allow '.' in username |
142 | 144 |
* Wed Dec 07 2016 Xiaolin Li <xiaolinl@vmware.com> 4.2.1-11 |