On 16 August 2017 at 13:28, Chen Qi <[email protected]> wrote:
> Backport a patch to fix CVE-2017-12424.
>
> In shadow before 4.5, the newusers tool could be made to manipulate
> internal data structures in ways unintended by the authors.
>
> Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>
> CVE: CVE-2017-12424
>
I don't object to the patch but I'm wondering if there is a reason we are taking the shadow sources from debian instead of the upstream github*? shadow 4.5 seems to have been out for months already but Debian hasn't taken it yet... *) https://github.com/shadow-maint/shadow Jussi > > Signed-off-by: Chen Qi <[email protected]> > --- > .../shadow/files/0001-shadow-CVE-2017-12424 | 46 > ++++++++++++++++++++++ > meta/recipes-extended/shadow/shadow.inc | 1 + > 2 files changed, 47 insertions(+) > create mode 100644 meta/recipes-extended/shadow/ > files/0001-shadow-CVE-2017-12424 > > diff --git a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > new file mode 100644 > index 0000000..4d3e1e0 > --- /dev/null > +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 
> @@ -0,0 +1,46 @@ > +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 > +From: Tomas Mraz <[email protected]> > +Date: Fri, 31 Mar 2017 16:25:06 +0200 > +Subject: [PATCH] Fix buffer overflow if NULL line is present in db. > + > +If ptr->line == NULL for an entry, the first cycle will exit, > +but the second one will happily write past entries buffer. > +We actually do not want to exit the first cycle prematurely > +on ptr->line == NULL. > +Signed-off-by: Tomas Mraz <[email protected]> > + > +CVE: CVE-2017-12424 > +Upstream-Status: Backport > +Signed-off-by: Chen Qi <[email protected]> > +--- > + lib/commonio.c | 8 ++++---- > + 1 file changed, 4 insertions(+), 4 deletions(-) > + > +diff --git a/lib/commonio.c b/lib/commonio.c > +index b10da06..31edbaa 100644 > +--- a/lib/commonio.c > ++++ b/lib/commonio.c > +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) > (const void *, const void *)) > + for (ptr = db->head; > + (NULL != ptr) > + #if KEEP_NIS_AT_END > +- && (NULL != ptr->line) > +- && ( ('+' != ptr->line[0]) > +- && ('-' != ptr->line[0])) > ++ && ((NULL == ptr->line) > ++ || (('+' != ptr->line[0]) > ++ && ('-' != ptr->line[0]))) > + #endif > + ; > + ptr = ptr->next) { > + n++; > + } > + #if KEEP_NIS_AT_END > +- if ((NULL != ptr) && (NULL != ptr->line)) { > ++ if (NULL != ptr) { > + nis = ptr; > + } > + #endif > +-- > +2.1.0 > + > diff --git a/meta/recipes-extended/shadow/shadow.inc > b/meta/recipes-extended/shadow/shadow.inc > index 5e6b0bd..cc18964 100644 > --- a/meta/recipes-extended/shadow/shadow.inc > +++ b/meta/recipes-extended/shadow/shadow.inc 
> @@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth. > debian.org/releases/${BPN}-${PV}.tar.xz \ > file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ > file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch > \ > file://0001-useradd-copy-extended-attributes-of-home.patch \ > + file://0001-shadow-CVE-2017-12424 \ > ${@bb.utils.contains('PACKAGECONFIG', 'pam', > '${PAM_SRC_URI}', '', d)} \ > " > > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-core >
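Review bot: In the header of the new file 0001-shadow-CVE-2017-12424, the `Upstream-Status: Backport` tag does not say where the change was backported from. Please add the upstream reference to that tag (for example the commit id from the patch's own `From` line, 954e3d2e7113e9ac06632aee3c69b8d818cc8952, if that is the upstream commit), so the backport can be checked against upstream and dropped cleanly when shadow is upgraded to a release that already contains the lib/commonio.c change.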
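Review bot: In the shadow.inc hunk, the new SRC_URI entry `file://0001-shadow-CVE-2017-12424` has no `.patch` suffix, unlike the three `file://` entries above it. Local files are only applied as patches when they end in `.patch` or `.diff` (or carry `apply=yes`), so as written the file would be fetched but the lib/commonio.c fix would not be applied to the source tree. Please rename the file to `0001-shadow-CVE-2017-12424.patch` and update this line to match.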
