Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

I have prepared an update for the shadow package which may be released as a stable update:

Changes:
 shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
 .
   * Revert adding pts/0 and pts/1 to securetty.
     Adding pts/* defeats the purpose of securetty. Let containers add it if
     needed as described in #830255.
   * Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
     (Closes: #756630)

The Security Team suggested fixing those minor security-related issues via proposed-updates rather than via stretch-security.

Thanks,
Balint

diff -Nru shadow-4.4/debian/changelog shadow-4.4/debian/changelog --- shadow-4.4/debian/changelog 2017-05-17 13:59:59.000000000 +0200 +++ shadow-4.4/debian/changelog 2017-09-30 03:30:30.000000000 +0200 @@ -1,3 +1,13 @@ +shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium + + * Revert adding pts/0 and pts/1 to securetty. + Adding pts/* defeats the purpose of securetty. Let containers add it if + needed as described in #830255. + * Fix buffer overflow if NULL line is present in db (CVE-2017-12424) + (Closes: #756630) + + -- Balint Reczey <bal...@balintreczey.hu> Fri, 29 Sep 2017 21:30:30 -0400 + shadow (1:4.4-4.1) unstable; urgency=high * Non-maintainer upload. diff -Nru shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch --- shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch 1970-01-01 01:00:00.000000000 +0100 +++ shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch 2017-09-30 03:30:30.000000000 +0200 
@@ -0,0 +1,42 @@ +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz <tm...@fedoraproject.org> +Date: Fri, 31 Mar 2017 16:25:06 +0200 +Subject: [PATCH] Fix buffer overflow if NULL line is present in db. + +If ptr->line == NULL for an entry, the first cycle will exit, +but the second one will happily write past entries buffer. +We actually do not want to exit the first cycle prematurely +on ptr->line == NULL. +Signed-off-by: Tomas Mraz <tm...@fedoraproject.org> +--- + lib/commonio.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/commonio.c b/lib/commonio.c +index b10da06a..31edbaaf 100644 +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *)) + for (ptr = db->head; + (NULL != ptr) + #if KEEP_NIS_AT_END +- && (NULL != ptr->line) +- && ( ('+' != ptr->line[0]) +- && ('-' != ptr->line[0])) ++ && ((NULL == ptr->line) ++ || (('+' != ptr->line[0]) ++ && ('-' != ptr->line[0]))) + #endif + ; + ptr = ptr->next) { + n++; + } + #if KEEP_NIS_AT_END +- if ((NULL != ptr) && (NULL != ptr->line)) { ++ if (NULL != ptr) { + nis = ptr; + } + #endif +-- +2.11.0 + diff -Nru shadow-4.4/debian/patches/series shadow-4.4/debian/patches/series --- shadow-4.4/debian/patches/series 2017-05-17 13:59:59.000000000 +0200 +++ shadow-4.4/debian/patches/series 2017-09-30 03:30:30.000000000 +0200 @@ -6,6 +6,7 @@ 0006-French-manpage-translation.patch 0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch 0008-su-properly-clear-child-PID.patch +0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch 301-Reset-pid_child-only-if-waitpid-was-successful.patch # These patches are only for the testsuite: diff -Nru shadow-4.4/debian/securetty.linux shadow-4.4/debian/securetty.linux --- shadow-4.4/debian/securetty.linux 2017-05-17 13:59:59.000000000 +0200 +++ shadow-4.4/debian/securetty.linux 2017-09-30 03:30:30.000000000 +0200 
@@ -164,11 +164,6 @@ ttyM1 #... -# Unix98 PTY slaves -pts/0 -pts/1 -#... - # Technology Concepts serial card ttyT0 ttyT1
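
Review bot: In the lib/commonio.c hunk carried by 0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch, the new loop condition `(NULL == ptr->line) || (('+' != ptr->line[0]) && ('-' != ptr->line[0]))` relies on short-circuit order to keep ptr->line[0] from being read when line is NULL, and the reason such entries must still be counted in n is stated only in the commit message. A short comment above the `#if KEEP_NIS_AT_END` condition, saying that entries without a line are counted and never taken as the NIS marker, would keep a later cleanup from restoring the early exit that left n too small for the second pass. The embedded patch header also has only From, Date, Subject and Signed-off-by, so a Bug-Debian reference to #756630 there would tie it to the changelog entry.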
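
Review bot: The debian/securetty.linux hunk removes the `# Unix98 PTY slaves` comment together with `pts/0` and `pts/1`, so the installed file no longer gives any hint to the container users the changelog says should add the entries themselves. Consider keeping the section as commented-out lines (for example `#pts/0`) with a one-line pointer to #830255, so the behaviour change is discoverable from the file itself after a stable point-release upgrade while pts/* still stays out of the default list.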