[OE-core] [PATCH v2 2/2] shadow: fix CVE-2016-6252
George McCollister
george.mccollister at gmail.com
Tue Nov 14 15:07:27 UTC 2017
Apply backported patch that fixes CVE-2016-6252
Integer overflow in shadow 4.2.1 allows local users to gain privileges
via crafted input to newuidmap.
Signed-off-by: George McCollister <george.mccollister at gmail.com>
---
Changes in v2:
- Add SOB to patch file.
.../shadow/files/0001-Simplify-getulong.patch | 54 ++++++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
new file mode 100644
index 0000000000..8a41fb1dd6
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
@@ -0,0 +1,54 @@
+From 70723e568159f3130b6076463f0bf978763e3369 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer at suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1
+
+CVE: CVE-2016-6252
+
+Signed-off-by: George McCollister <george.mccollister at gmail.com>
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+ */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+- long long int val;
++ unsigned long int val;
+ char *endptr;
+
+ errno = 0;
+- val = strtoll (numstr, &endptr, 0);
++ val = strtoul (numstr, &endptr, 0);
+ if ( ('\0' == *numstr)
+ || ('\0' != *endptr)
+ || (ERANGE == errno)
+- /*@+ignoresigns@*/
+- || (val != (unsigned long int)val)
+- /*@=ignoresigns@*/
+ ) {
+ return 0;
+ }
+
+- *result = (unsigned long int)val;
++ *result = val;
+ return 1;
+ }
+
+--
+2.15.0
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 031e880630..9fb1cd3d17 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -18,6 +18,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
file://0001-su-properly-clear-child-PID.patch \
+ file://0001-Simplify-getulong.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
"
--
2.15.0
More information about the Openembedded-core
mailing list