[OE-core] [PATCH 1/1] shadow: fix CVE-2017-12424

Randy MacLeod randy.macleod at windriver.com
Fri Aug 18 20:20:43 UTC 2017


On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen at windriver.com> wrote:
> 
>     Backport a patch to fix CVE-2017-12424.
> 
>     In shadow before 4.5, the newusers tool could be made to manipulate
>     internal data structures in ways unintended by the authors.
> 
>     Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
> 
>     CVE: CVE-2017-12424
> 
> 
> I don't object to the patch but I'm wondering if there is a reason we 
> are taking the shadow sources from debian instead of the upstream 
> github*? shadow 4.5 seems to have been out for months already but Debian 
> hasn't taken it yet...
> 
> *) https://github.com/shadow-maint/shadow
> 
> Jussi


Good point. It's late in the release but maybe
not too late to update shadow.

Qi,
If you could give it a try and let us know if there are any
'gotchas' that would prevent or make the upgrade risky,
that would be great.


There are quite a few functional changes:
    $ git diff 4.2.1..4.5 etc lib libmisc man src | diffstat| tail -1
     83 files changed, 4011 insertions(+), 2020 deletions(-)

and a HUGE number of other changes:
    $ git diff 4.2.1..4.5 | diffstat| tail -1
     9818 files changed, 390853 insertions(+), 7556 deletions(-)

mainly in tests:
    $ git diff 4.2.1..4.5 tests/| diffstat| tail -1
     9690 files changed, 369156 insertions(+)
that could, say just post-M3, be added as ptests.

../Randy

> 
> 
>     Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>     ---
>       .../shadow/files/0001-shadow-CVE-2017-12424        | 46
>     ++++++++++++++++++++++
>       meta/recipes-extended/shadow/shadow.inc            |  1 +
>       2 files changed, 47 insertions(+)
>       create mode 100644
>     meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
> 
>     diff --git
>     a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
>     b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
>     new file mode 100644
>     index 0000000..4d3e1e0
>     --- /dev/null
>     +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
>     @@ -0,0 +1,46 @@
>     +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
>     +From: Tomas Mraz <tmraz at fedoraproject.org
>     <mailto:tmraz at fedoraproject.org>>
>     +Date: Fri, 31 Mar 2017 16:25:06 +0200
>     +Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
>     +
>     +If ptr->line == NULL for an entry, the first cycle will exit,
>     +but the second one will happily write past entries buffer.
>     +We actually do not want to exit the first cycle prematurely
>     +on ptr->line == NULL.
>     +Signed-off-by: Tomas Mraz <tmraz at fedoraproject.org
>     <mailto:tmraz at fedoraproject.org>>
>     +
>     +CVE: CVE-2017-12424
>     +Upstream-Status: Backport
>     +Signed-off-by: Chen Qi <Qi.Chen at windriver.com
>     <mailto:Qi.Chen at windriver.com>>
>     +---
>     + lib/commonio.c | 8 ++++----
>     + 1 file changed, 4 insertions(+), 4 deletions(-)
>     +
>     +diff --git a/lib/commonio.c b/lib/commonio.c
>     +index b10da06..31edbaa 100644
>     +--- a/lib/commonio.c
>     ++++ b/lib/commonio.c
>     +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int
>     (*cmp) (const void *, const void *))
>     +       for (ptr = db->head;
>     +               (NULL != ptr)
>     + #if KEEP_NIS_AT_END
>     +-           && (NULL != ptr->line)
>     +-           && (   ('+' != ptr->line[0])
>     +-               && ('-' != ptr->line[0]))
>     ++           && ((NULL == ptr->line)
>     ++               || (('+' != ptr->line[0])
>     ++                   && ('-' != ptr->line[0])))
>     + #endif
>     +            ;
>     +            ptr = ptr->next) {
>     +               n++;
>     +       }
>     + #if KEEP_NIS_AT_END
>     +-      if ((NULL != ptr) && (NULL != ptr->line)) {
>     ++      if (NULL != ptr) {
>     +               nis = ptr;
>     +       }
>     + #endif
>     +--
>     +2.1.0
>     +
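Review bot: the `Upstream-Status: Backport` line in the new patch file gives no pointer to where the fix came from; the `From` line already carries upstream commit 954e3d2e7113e9ac06632aee3c69b8d818cc8952 in the shadow-maint/shadow repository Jussi links above, so name that commit in the `Upstream-Status` line so the next person bumping the recipe can see at a glance that it is in 4.5 and drop the file. The code change itself is internally consistent: with the new loop condition the `for` exits only on a NULL `ptr` or on a non-NULL line starting with `+` or `-`, so dropping the `NULL != ptr->line` test from the following `if (NULL != ptr)` loses nothing. The commit message, however, says the overflow happens in a "second cycle" over the same list, and that loop is not in this hunk; please confirm in the backported `lib/commonio.c` that the second loop already walks past NULL lines the way the fixed counting loop now does, since the fix only holds if both loops count the same entries.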
>     diff --git a/meta/recipes-extended/shadow/shadow.inc
>     b/meta/recipes-extended/shadow/shadow.inc
>     index 5e6b0bd..cc18964 100644
>     --- a/meta/recipes-extended/shadow/shadow.inc
>     +++ b/meta/recipes-extended/shadow/shadow.inc
>     @@ -16,6 +16,7 @@ SRC_URI =
>     "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz
>     <http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz> \
>                 
>     file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
>                 
>     file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
>                 
>     file://0001-useradd-copy-extended-attributes-of-home.patch \
>     +           file://0001-shadow-CVE-2017-12424 \
>                  ${@bb.utils.contains('PACKAGECONFIG', 'pam',
>     '${PAM_SRC_URI}', '', d)} \
>                  "
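Review bot: as added, `file://0001-shadow-CVE-2017-12424` has neither a `.patch`/`.diff` suffix nor an `apply=yes` parameter, so the patch class will fetch the file but never apply it and the built `commonio.c` stays unfixed. Every other entry in this SRC_URI list ends in `.patch` (compare `file://0001-useradd-copy-extended-attributes-of-home.patch` two lines up); rename the new file and this entry to `0001-shadow-CVE-2017-12424.patch`, or, if the name must stay, append `;apply=yes` to the entry.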
> 
>     --
>     1.9.1
> 
>     --
>     _______________________________________________
>     Openembedded-core mailing list
>     Openembedded-core at lists.openembedded.org
>     http://lists.openembedded.org/mailman/listinfo/openembedded-core


-- 
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, 
Canada, K2K 2W5
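To make the counting bug that the quoted commonio.c hunk fixes concrete, here is a small C model written for this page; it is an added example, not code from shadow or from the patch above. The `struct entry` list layout, the `stores_past_capacity` model of the commit message's "second cycle", and the sample entries are all constructed assumptions; the real `commonio_sort()` is organised differently. The point it shows is the one the commit message makes: when the counting loop stops at a NULL line but the loop that fills the buffer does not, the buffer is sized too small and later stores land past its end.

```c
/* Added example, not code from shadow or from the patch above: a small model
 * of the counting loop that the quoted commonio.c hunk fixes. The list
 * layout, the "second cycle" model and the sample entries are constructed
 * assumptions based on the commit message; the real commonio_sort() differs. */
#include <stddef.h>
#include <stdio.h>

struct entry {
    const char *line;      /* raw text line, or NULL for an entry without one */
    struct entry *next;
};

/* NIS entries ('+' / '-' prefix) are kept at the end and stop the walk. */
static int is_nis_line(const char *line)
{
    return line != NULL && (line[0] == '+' || line[0] == '-');
}

/* Pre-fix condition (the '-' lines of the hunk): a NULL line ends the count
 * just like a NIS line does, so entries after it are never counted. */
static size_t count_old(const struct entry *head)
{
    size_t n = 0;
    for (const struct entry *p = head;
         p != NULL && p->line != NULL
             && p->line[0] != '+' && p->line[0] != '-';
         p = p->next)
        n++;
    return n;
}

/* Post-fix condition (the '+' lines of the hunk): only a NIS line ends the
 * count; a NULL line is counted like any other entry. */
static size_t count_new(const struct entry *head)
{
    size_t n = 0;
    for (const struct entry *p = head;
         p != NULL && (p->line == NULL
                       || (p->line[0] != '+' && p->line[0] != '-'));
         p = p->next)
        n++;
    return n;
}

/* Model of the "second cycle" from the commit message: it stores one slot per
 * entry up to the NIS entry, regardless of NULL lines. Instead of writing
 * into a real buffer, return how many stores would land past `capacity`
 * slots; 0 means the count that sized the buffer was sufficient. */
static size_t stores_past_capacity(const struct entry *head, size_t capacity)
{
    size_t written = 0;
    for (const struct entry *p = head; p != NULL && !is_nis_line(p->line);
         p = p->next)
        written++;
    return written > capacity ? written - capacity : 0;
}

/* Link a contiguous array of entries into a singly linked list. */
static struct entry *link_entries(struct entry *arr, size_t n)
{
    for (size_t i = 0; i < n; i++)
        arr[i].next = (i + 1 < n) ? &arr[i + 1] : NULL;
    return n > 0 ? &arr[0] : NULL;
}

/* Constructed sample database: a NULL-line entry between two regular
 * entries, followed by the NIS entry that should end the count. */
static struct entry sample[] = {
    { "root:x:0:0:root:/root:/bin/sh", NULL },
    { NULL, NULL },
    { "alice:x:1000:1000::/home/alice:/bin/sh", NULL },
    { "+::::::", NULL },
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Buffer sized by the old count: the second cycle overruns it. */
static size_t overrun_with_old_count(void)
{
    struct entry *head = link_entries(sample, SAMPLE_LEN);
    return stores_past_capacity(head, count_old(head));
}

/* Buffer sized by the fixed count: no overrun. */
static size_t overrun_with_new_count(void)
{
    struct entry *head = link_entries(sample, SAMPLE_LEN);
    return stores_past_capacity(head, count_new(head));
}

int main(void)
{
    struct entry *head = link_entries(sample, SAMPLE_LEN);
    printf("entries before NIS line: old count %zu, fixed count %zu\n",
           count_old(head), count_new(head));
    printf("stores past buffer end: old %zu, fixed %zu\n",
           overrun_with_old_count(), overrun_with_new_count());
    return 0;
}
```

With the constructed list the old condition counts one entry and the fixed one counts three, so a buffer sized by the old count receives two stores past its end while the fixed count leaves none. Returning the overrun size instead of performing it is the point of the model: the mismatch between the two loops is visible without writing out of bounds.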


