[OE-core] [PATCH 1/1] shadow: fix CVE-2017-12424

Randy MacLeod randy.macleod at windriver.com
Mon Aug 21 13:17:19 UTC 2017


On 2017-08-18 04:20 PM, Randy MacLeod wrote:
> On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
>> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen at windriver.com> wrote:
>>
>>     Backport a patch to fix CVE-2017-12424.
>>
>>     In shadow before 4.5, the newusers tool could be made to manipulate
>>     internal data structures in ways unintended by the authors.
>>
>>     Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>>
>>     CVE: CVE-2017-12424
>>
>>
>> I don't object to the patch but I'm wondering if there is a reason we 
>> are taking the shadow sources from debian instead of the upstream 
>> github*? shadow 4.5 seems to have been out for months already but 
>> Debian hasn't taken it yet...
>>
>> *) https://github.com/shadow-maint/shadow
>>
>> Jussi
> 
> 
> Good point. It's late in the release but maybe
> not too late to update shadow.
> 
> Qi,
> If you could give it a try and let us know if there are any
> 'gotchas' that would prevent or make the upgrade risky,
> that would be great.

Turns out that Qi will only be able to do this at the start of
the oe-core-2.5 development cycle.

../Randy




-- 
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, 
Canada, K2K 2W5