[OE-core] [PATCH 1/1] shadow: fix CVE-2017-12424

Jussi Kukkonen jussi.kukkonen at intel.com
Wed Aug 16 11:34:16 UTC 2017


On 16 August 2017 at 13:28, Chen Qi <Qi.Chen at windriver.com> wrote:

> Backport a patch to fix CVE-2017-12424.
>
> In shadow before 4.5, the newusers tool could be made to manipulate
> internal data structures in ways unintended by the authors.
>
> Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>
> CVE: CVE-2017-12424
>

I don't object to the patch but I'm wondering if there is a reason we are
taking the shadow sources from Debian instead of the upstream GitHub*?
shadow 4.5 seems to have been out for months already but Debian hasn't
taken it yet...

*) https://github.com/shadow-maint/shadow

Jussi



>
> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> ---
>  .../shadow/files/0001-shadow-CVE-2017-12424        | 46
> ++++++++++++++++++++++
>  meta/recipes-extended/shadow/shadow.inc            |  1 +
>  2 files changed, 47 insertions(+)
>  create mode 100644 meta/recipes-extended/shadow/
> files/0001-shadow-CVE-2017-12424
>
> diff --git a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> new file mode 100644
> index 0000000..4d3e1e0
> --- /dev/null
> +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> @@ -0,0 +1,46 @@
> +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
> +From: Tomas Mraz <tmraz at fedoraproject.org>
> +Date: Fri, 31 Mar 2017 16:25:06 +0200
> +Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
> +
> +If ptr->line == NULL for an entry, the first cycle will exit,
> +but the second one will happily write past entries buffer.
> +We actually do not want to exit the first cycle prematurely
> +on ptr->line == NULL.
> +Signed-off-by: Tomas Mraz <tmraz at fedoraproject.org>
> +
> +CVE: CVE-2017-12424
> +Upstream-Status: Backport
> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> +---
> + lib/commonio.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/commonio.c b/lib/commonio.c
> +index b10da06..31edbaa 100644
> +--- a/lib/commonio.c
> ++++ b/lib/commonio.c
> +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp)
> (const void *, const void *))
> +       for (ptr = db->head;
> +               (NULL != ptr)
> + #if KEEP_NIS_AT_END
> +-           && (NULL != ptr->line)
> +-           && (   ('+' != ptr->line[0])
> +-               && ('-' != ptr->line[0]))
> ++           && ((NULL == ptr->line)
> ++               || (('+' != ptr->line[0])
> ++                   && ('-' != ptr->line[0])))
> + #endif
> +            ;
> +            ptr = ptr->next) {
> +               n++;
> +       }
> + #if KEEP_NIS_AT_END
> +-      if ((NULL != ptr) && (NULL != ptr->line)) {
> ++      if (NULL != ptr) {
> +               nis = ptr;
> +       }
> + #endif
> +--
> +2.1.0
> +
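
Review bot: In the lib/commonio.c hunk the first loop no longer stops at NULL == ptr->line, so entries with a NULL line are now counted in n and fall inside the range that, per the commit message, the second loop writes into the entries buffer. Neither that second loop nor the cmp callback is visible in this hunk, so please confirm that the cmp functions passed to commonio_sort handle an entry whose line is NULL. Separately, Upstream-Status: Backport would be easier to audit with the upstream commit (954e3d2e7113e9ac06632aee3c69b8d818cc8952, from the From line) or its URL added in brackets.
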
> diff --git a/meta/recipes-extended/shadow/shadow.inc
> b/meta/recipes-extended/shadow/shadow.inc
> index 5e6b0bd..cc18964 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.
> debian.org/releases/${BPN}-${PV}.tar.xz \
>             file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
>             file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
> \
>             file://0001-useradd-copy-extended-attributes-of-home.patch \
> +           file://0001-shadow-CVE-2017-12424 \
>             ${@bb.utils.contains('PACKAGECONFIG', 'pam',
> '${PAM_SRC_URI}', '', d)} \
>             "
>
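
Review bot: The added SRC_URI entry file://0001-shadow-CVE-2017-12424 has no .patch suffix, unlike the three file:// entries above it, so do_patch will fetch the file but not apply it (only entries ending in .patch or .diff, or marked apply=yes, are applied). Rename the file to 0001-shadow-CVE-2017-12424.patch, both where it is created under files/ and in this SRC_URI line.
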
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>