4069b87008
shadow (1:4.2-3+deb8u6) jessie-security; urgency=high
.
* Non-maintainer upload by the ELTS Security Team.
* CVE-2023-4641: When asking for a new password, shadow-utils asks the
password twice. If the password fails on the second attempt,
shadow-utils fails in cleaning the buffer used to store the first
entry. This may allow an attacker with enough access to retrieve the
password from the memory. (Closes: #1051062)
* CVE-2023-29383: It is possible to inject control characters into
fields provided to the SUID program chfn (change finger). Although it
is not possible to exploit this directly (e.g., adding a new user
fails because \n is in the block list), it is possible to misrepresent
the /etc/passwd file when viewed. (Closes: #1034482)
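An added example, not code from shadow or from the Debian patch: a check that rejects control characters in a field, as CVE-2023-29383 calls for, plus an audit that reports which field of a passwd(5) line contains one. The function names `field_has_control_chars` and `audit_passwd_line` and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if the field holds any control character
 * (ESC, \r, \b, ...), else 0. The unsigned char cast matters: passing a
 * negative char value to iscntrl() is undefined behaviour. */
int field_has_control_chars(const char *field)
{
    for (const unsigned char *p = (const unsigned char *)field; *p; p++)
        if (iscntrl(*p))
            return 1;
    return 0;
}

/* Hypothetical audit of one passwd(5) line: returns the 1-based index of
 * the first colon-separated field containing a control character, 0 if the
 * line is clean, -1 if it is too long to check. The line terminator is
 * not counted as part of the last field. */
int audit_passwd_line(const char *line)
{
    char buf[1024];
    size_t n = strcspn(line, "\n");
    if (n >= sizeof(buf))
        return -1;
    memcpy(buf, line, n);
    buf[n] = '\0';

    char *start = buf;
    for (int idx = 1;; idx++) {
        char *colon = strchr(start, ':');
        if (colon)
            *colon = '\0';
        if (field_has_control_chars(start))
            return idx;
        if (!colon)
            return 0;
        start = colon + 1;
    }
}

int main(void)
{
    /* Constructed sample lines; the second hides a \r in the GECOS field. */
    const char *clean = "alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash\n";
    const char *bad = "bob:x:1001:1001:Bob\rroot,,,:/home/bob:/bin/bash\n";
    printf("clean -> %d\n", audit_passwd_line(clean));
    printf("bad   -> %d\n", audit_passwd_line(bad));
    return 0;
}
```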
This package uses quilt to patch the upstream source.
You can find some info on how to generate the patched source, add a new
modification, and remove an existing modification on:
/usr/share/doc/quilt/README.source

================================================================================

To package a new upstream release, you can use the Makefile:
svn://svn.debian.org/svn/pkg-shadow/debian/trunk/Makefile

================================================================================

A testsuite is also available. Instructions on how to run this testsuite are
available on:
svn://svn.debian.org/svn/pkg-shadow/debian/trunk/tests/README