
Bug#877374: marked as done (stretch-pu: shadow 1:4.4-4.1+deb9u1)



Your message dated Sun, 26 Apr 2020 17:23:20 +0200
with message-id <20200426152320.GA10474@chou>
and subject line Re: Bug#877374: stretch-pu: shadow 1:4.4-4.1+deb9u1
has caused the Debian Bug report #877374,
regarding stretch-pu: shadow 1:4.4-4.1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
877374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877374
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I have prepared an update for the shadow package which may be released
as a stable update:

Changes:
 shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
 .
   * Revert adding pts/0 and pts/1 to securetty.
     Adding pts/* defeats the purpose of securetty. Let containers add it if
     needed as described in #830255.
   * Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
     (Closes: #756630)

The Security Team suggested fixing those minor security-related issues via
proposed-updates rather than via stretch-security.

Thanks,
Balint

diff -Nru shadow-4.4/debian/changelog shadow-4.4/debian/changelog
--- shadow-4.4/debian/changelog	2017-05-17 13:59:59.000000000 +0200
+++ shadow-4.4/debian/changelog	2017-09-30 03:30:30.000000000 +0200
@@ -1,3 +1,13 @@
+shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
+
+  * Revert adding pts/0 and pts/1 to securetty.
+    Adding pts/* defeats the purpose of securetty. Let containers add it if
+    needed as described in #830255.
+  * Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
+    (Closes: #756630)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 29 Sep 2017 21:30:30 -0400
+
 shadow (1:4.4-4.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch
--- shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch	1970-01-01 01:00:00.000000000 +0100
+++ shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch	2017-09-30 03:30:30.000000000 +0200
@@ -0,0 +1,42 @@
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index b10da06a..31edbaaf 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif
+-- 
+2.11.0
+
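
Review bot: the reworked loop condition under KEEP_NIS_AT_END in commonio_sort needs a code comment stating that entries with ptr->line == NULL are deliberately counted in n instead of ending the loop. Right now that reasoning exists only in the commit message ("the second one will happily write past entries buffer"), and the second loop it refers to is outside this hunk. The relaxed "if (NULL != ptr)" is sound with the new condition, since the loop can only stop on a non-NULL ptr when ptr->line is non-NULL and starts with '+' or '-'. The patch header also carries no reference to CVE-2017-12424 or #756630, which the changelog ties to this fix; adding them would help anyone tracing the patch later, and a blank line before Signed-off-by would keep the trailer separate from the message body.
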
diff -Nru shadow-4.4/debian/patches/series shadow-4.4/debian/patches/series
--- shadow-4.4/debian/patches/series	2017-05-17 13:59:59.000000000 +0200
+++ shadow-4.4/debian/patches/series	2017-09-30 03:30:30.000000000 +0200
@@ -6,6 +6,7 @@
 0006-French-manpage-translation.patch
 0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
 0008-su-properly-clear-child-PID.patch
+0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch
 301-Reset-pid_child-only-if-waitpid-was-successful.patch
 
 # These patches are only for the testsuite:
diff -Nru shadow-4.4/debian/securetty.linux shadow-4.4/debian/securetty.linux
--- shadow-4.4/debian/securetty.linux	2017-05-17 13:59:59.000000000 +0200
+++ shadow-4.4/debian/securetty.linux	2017-09-30 03:30:30.000000000 +0200
@@ -164,11 +164,6 @@
 ttyM1
 #...
 
-# Unix98 PTY slaves
-pts/0
-pts/1
-#...
-
 # Technology Concepts serial card
 ttyT0
 ttyT1
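
Review bot: removing the whole "Unix98 PTY slaves" block, section comment included, changes root login behaviour in a stable update, and this debdiff has no NEWS or README entry announcing it. Only the changelog mentions the change, so an administrator whose container relied on pts/0 or pts/1 being listed gets no pointer at upgrade time. Consider a debian/NEWS entry referring to #830255, or keep the section header with the two entries commented out so the file itself shows where to re-add them.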

--- End Message ---
--- Begin Message ---
On Sun, Oct 01, 2017 at 08:04:48AM +0200, Balint Reczey wrote:
> I have prepared an update for the shadow package which may be released
> as a stable update:
> 
> Changes:
>  shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
>  .
>    * Revert adding pts/0 and pts/1 to securetty.
>      Adding pts/* defeats the purpose of securetty. Let containers add it if
>      needed as described in #830255.
>    * Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
>      (Closes: #756630)
> 
> The Security Team suggested fixing those minor security-related issues via
> proposed-updates rather than via stretch-security.
> 
Apologies for the lack of decision here.  I think for stretch it's not
worth it anymore :(

Cheers,
Julien

--- End Message ---
