add three security patches

Signed-off-by: Serge Hallyn <serge@hallyn.com>

debian/changelog

@@ -12,11 +12,12 @@ shadow (1:4.3-1) unstable; urgency=medium
   * debian/control:
     - replace nekral with myself in Uploaders (Closes: #832380)
     - Update VCS fields to use https
+  * Add three upstream security patches (which are not in the 4.3 release)
 
   [ Niels Thykier ]
   * debian/rules: explicitly set SHELL to /bin/sh
 
- -- Serge Hallyn <serge.hallyn@ubuntu.com>  Wed, 16 Mar 2016 17:32:22 -0700
+ -- Serge Hallyn <serge.hallyn@ubuntu.com>  Fri, 05 Aug 2016 17:43:39 -0500
 
 shadow (1:4.2-3.1) unstable; urgency=medium
 

debian/patches/0001-get_map_ranges-check-for-overflow.patch

@@ -0,0 +1,37 @@
+From 7f5a14817d304c4f9ac0aff864f27d95a8cc75ca Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 31 Jul 2016 12:55:44 -0500
+Subject: [PATCH 1/3] get_map_ranges: check for overflow
+
+The kernel accepts u32 values, so make sure that userspace
+is not passing large values.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libmisc/idmapping.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c
+index 0dce634..f105a41 100644
+--- a/libmisc/idmapping.c
++++ b/libmisc/idmapping.c
+@@ -83,6 +83,16 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
+ 			free(mappings);
+ 			return NULL;
+ 		}
++		if (mapping->upper > UINT_MAX ||
++			mapping->lower > UINT_MAX ||
++			mapping->count > UINT_MAX)  {
++			free(mappings);
++			return NULL;
++		}
++		if (mapping->lower + mapping->count < mapping->lower) {
++			free(mapping);
++			return NULL;
++		}
+ 	}
+ 	return mappings;
+ }
+-- 
+2.7.4
+

debian/patches/0002-Simplify-getulong.patch

@@ -0,0 +1,46 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH 2/3] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-	long long int val;
++	unsigned long int val;
+ 	char *endptr;
+ 
+ 	errno = 0;
+-	val = strtoll (numstr, &endptr, 0);
++	val = strtoul (numstr, &endptr, 0);
+ 	if (    ('\0' == *numstr)
+ 	     || ('\0' != *endptr)
+ 	     || (ERANGE == errno)
+-	     /*@+ignoresigns@*/
+-	     || (val != (unsigned long int)val)
+-	     /*@=ignoresigns@*/
+ 	   ) {
+ 		return 0;
+ 	}
+ 
+-	*result = (unsigned long int)val;
++	*result = val;
+ 	return 1;
+ }
+ 
+-- 
+2.7.4
+

debian/patches/0003-also-check-upper-for-wrap.patch

@@ -0,0 +1,23 @@
+From 801935d7e54d0cc169b37fe00cad1ce84e77048b Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Fri, 5 Aug 2016 17:16:48 -0500
+Subject: [PATCH 3/3] also check upper for wrap
+
+---
+ libmisc/idmapping.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: shadow/libmisc/idmapping.c
+===================================================================
+--- shadow.orig/libmisc/idmapping.c
++++ shadow/libmisc/idmapping.c
+@@ -89,7 +89,8 @@ struct map_range *get_map_ranges(int ran
+ 			free(mappings);
+ 			return NULL;
+ 		}
+-		if (mapping->lower + mapping->count < mapping->lower) {
++		if (mapping->lower + mapping->count < mapping->lower ||
++				mapping->upper + mapping->count < mapping->upper) {
+ 			free(mapping);
+ 			return NULL;
+ 		}

debian/patches/series

@@ -16,3 +16,6 @@
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 #1010_vietnamese_translation
+0001-get_map_ranges-check-for-overflow.patch
+0002-Simplify-getulong.patch
+0003-also-check-upper-for-wrap.patch