Compare commits

...

2 Commits

Author SHA1 Message Date
Adrian Bunk abc4a04e95 Import 1:4.4-4.1+deb9u1 2024-10-27 03:25:11 +02:00
Salvatore Bonaccorso d7f24f954e Import Debian changes 1:4.4-4.1
shadow (1:4.4-4.1) unstable; urgency=high

  * Non-maintainer upload.
  * Reset pid_child only if waitpid was successful.
    This is a regression fix for CVE-2017-2616. If su receives a signal like
    SIGTERM, it is not propagated to the child. (Closes: #862806)
2017-08-10 18:25:45 -04:00
6 changed files with 105 additions and 5 deletions
+1
View File
@@ -7,6 +7,7 @@ lib*.a
.deps
.libs
*.patch
*.rej
*.orig
+28
View File
@@ -1,3 +1,31 @@
shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
* CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
Adding pts/* defeats the purpose of securetty. Let containers add it
if needed as described in #830255.
(cherry-picked from 1:4.5-1)
See also #877374 (previous proposed update) and #914957
(/etc/securetty will be dropped in bullseye).
* CVE-2017-12424: the newusers tool could be made to manipulate internal
data structures in ways unintended by the authors. Malformed input may
lead to crashes (with a buffer overflow or other memory corruption) or
other unspecified behaviors. This crosses a privilege boundary in, for
example, certain web-hosting environments in which a Control Panel
allows an unprivileged user account to create subaccounts.
(Closes: #756630)
-- Sylvain Beucler <beuc@debian.org> Wed, 17 Mar 2021 10:27:01 +0100
shadow (1:4.4-4.1) unstable; urgency=high
* Non-maintainer upload.
* Reset pid_child only if waitpid was successful.
This is a regression fix for CVE-2017-2616. If su receives a signal like
SIGTERM, it is not propagated to the child. (Closes: #862806)
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 17 May 2017 13:59:59 +0200
shadow (1:4.4-4) unstable; urgency=high
* su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
@@ -0,0 +1,29 @@
From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 14 May 2017 17:58:10 +0200
Subject: [PATCH] Reset pid_child only if waitpid was successful.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.
This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.
Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/su.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/su.c
+++ b/src/su.c
@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
- } else {
+ } else if ( (pid_t)-1 != pid) {
pid_child = 0;
}
} while (!stop);
+43
View File
@@ -0,0 +1,43 @@
Origin: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-16
From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 31 Mar 2017 16:25:06 +0200
Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
If ptr->line == NULL for an entry, the first cycle will exit,
but the second one will happily write past entries buffer.
We actually do not want to exit the first cycle prematurely
on ptr->line == NULL.
Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
---
lib/commonio.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
Index: shadow-4.4/lib/commonio.c
===================================================================
--- shadow-4.4.orig/lib/commonio.c
+++ shadow-4.4/lib/commonio.c
@@ -755,16 +755,16 @@ commonio_sort (struct commonio_db *db, i
for (ptr = db->head;
(NULL != ptr)
#if KEEP_NIS_AT_END
- && (NULL != ptr->line)
- && ( ('+' != ptr->line[0])
- && ('-' != ptr->line[0]))
+ && ((NULL == ptr->line)
+ || (('+' != ptr->line[0])
+ && ('-' != ptr->line[0])))
#endif
;
ptr = ptr->next) {
n++;
}
#if KEEP_NIS_AT_END
- if ((NULL != ptr) && (NULL != ptr->line)) {
+ if (NULL != ptr) {
nis = ptr;
}
#endif
+4
View File
@@ -6,6 +6,8 @@
0006-French-manpage-translation.patch
0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
0008-su-properly-clear-child-PID.patch
301-Reset-pid_child-only-if-waitpid-was-successful.patch
# These patches are only for the testsuite:
#900_testsuite_groupmems
#901_testsuite_gcov
@@ -26,3 +28,5 @@
501_commonio_group_shadow
# does not apply cleanly, please merge at upstream
1010_vietnamese_translation
CVE-2017-12424.patch
-5
View File
@@ -164,11 +164,6 @@ ttyM0
ttyM1
#...
# Unix98 PTY slaves
pts/0
pts/1
#...
# Technology Concepts serial card
ttyT0
ttyT1