[OE-core] [PATCH 1/1] shadow: fix CVE-2017-12424
Randy MacLeod
randy.macleod at windriver.com
Fri Aug 18 20:20:43 UTC 2017
On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen at windriver.com> wrote:
>
> Backport a patch to fix CVE-2017-12424.
>
> In shadow before 4.5, the newusers tool could be made to manipulate
> internal data structures in ways unintended by the authors.
>
> Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>
> CVE: CVE-2017-12424
>
>
> I don't object to the patch but I'm wondering if there is a reason we
> are taking the shadow sources from Debian instead of the upstream
> GitHub*? shadow 4.5 seems to have been out for months already but Debian
> hasn't taken it yet...
>
> *) https://github.com/shadow-maint/shadow
>
> Jussi
Good point. It's late in the release but maybe
not too late to update shadow.

Qi,
If you could give it a try and let us know if there are any
'gotchas' that would prevent or make the upgrade risky,
that would be great.

There are quite a few functional changes:
    $ git diff 4.2.1..4.5 etc lib libmisc man src | diffstat| tail -1
    83 files changed, 4011 insertions(+), 2020 deletions(-)
and a HUGE number of other changes:
    $ git diff 4.2.1..4.5 | diffstat| tail -1
    9818 files changed, 390853 insertions(+), 7556 deletions(-)
mainly in tests:
    $ git diff 4.2.1..4.5 tests/| diffstat| tail -1
    9690 files changed, 369156 insertions(+)
that could, say just post-M3, be added as ptests.

../Randy
>
>
> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> ---
> .../shadow/files/0001-shadow-CVE-2017-12424 | 46
> ++++++++++++++++++++++
> meta/recipes-extended/shadow/shadow.inc | 1 +
> 2 files changed, 47 insertions(+)
> create mode 100644
> meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
>
> diff --git
> a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> new file mode 100644
> index 0000000..4d3e1e0
> --- /dev/null
> +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> @@ -0,0 +1,46 @@
> +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
> +From: Tomas Mraz <tmraz at fedoraproject.org
> <mailto:tmraz at fedoraproject.org>>
> +Date: Fri, 31 Mar 2017 16:25:06 +0200
> +Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
> +
> +If ptr->line == NULL for an entry, the first cycle will exit,
> +but the second one will happily write past entries buffer.
> +We actually do not want to exit the first cycle prematurely
> +on ptr->line == NULL.
> +Signed-off-by: Tomas Mraz <tmraz at fedoraproject.org
> <mailto:tmraz at fedoraproject.org>>
> +
> +CVE: CVE-2017-12424
> +Upstream-Status: Backport
> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com
> <mailto:Qi.Chen at windriver.com>>
> +---
> + lib/commonio.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/commonio.c b/lib/commonio.c
> +index b10da06..31edbaa 100644
> +--- a/lib/commonio.c
> ++++ b/lib/commonio.c
> +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int
> (*cmp) (const void *, const void *))
> + for (ptr = db->head;
> + (NULL != ptr)
> + #if KEEP_NIS_AT_END
> +- && (NULL != ptr->line)
> +- && ( ('+' != ptr->line[0])
> +- && ('-' != ptr->line[0]))
> ++ && ((NULL == ptr->line)
> ++ || (('+' != ptr->line[0])
> ++ && ('-' != ptr->line[0])))
> + #endif
> + ;
> + ptr = ptr->next) {
> + n++;
> + }
> + #if KEEP_NIS_AT_END
> +- if ((NULL != ptr) && (NULL != ptr->line)) {
> ++ if (NULL != ptr) {
> + nis = ptr;
> + }
> + #endif
> +--
> +2.1.0
> +
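Review bot: the `Upstream-Status: Backport` tag in the embedded patch header does not record which upstream commit or release the fix comes from. The From line carries 954e3d2e7113e9ac06632aee3c69b8d818cc8952 and the cover text says the issue affects shadow before 4.5; if that hash is the upstream commit id, putting it (or the 4.5 version) in brackets after the tag would let whoever upgrades the recipe confirm that this file can be dropped. In the same header, the upstream Signed-off-by line follows "on ptr->line == NULL." with no blank line, so it reads as part of the message body; a blank line before the trailer block would separate them.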
> diff --git a/meta/recipes-extended/shadow/shadow.inc
> b/meta/recipes-extended/shadow/shadow.inc
> index 5e6b0bd..cc18964 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -16,6 +16,7 @@ SRC_URI =
> "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz
> <http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz> \
>
> file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
>
> file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
>
> file://0001-useradd-copy-extended-attributes-of-home.patch \
> + file://0001-shadow-CVE-2017-12424 \
> ${@bb.utils.contains('PACKAGECONFIG', 'pam',
> '${PAM_SRC_URI}', '', d)} \
> "
>
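Review bot: the new SRC_URI entry `file://0001-shadow-CVE-2017-12424` has no `.patch` suffix, unlike the three entries above it. OE's patch handling only applies a file:// entry when its name ends in .patch or .diff, or when the entry carries apply=yes, so as written the file would be copied into the work directory and the lib/commonio.c change would not be applied to the shadow sources. Renaming the file to 0001-shadow-CVE-2017-12424.patch, both under files/ and on this line, would make the fix take effect.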
> --
> 1.9.1
>
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON,
Canada, K2K 2W5