Add patch for shadow CVE-2017-12424

Change-Id: Id804c814afefd7f5bc9ab4e370ef6616a566e309 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3542 Tested-by: gerrit-photon <[email protected]> Reviewed-by: Sharath George
stuclem · Aug 17, 2017 · 9a91484 · 9a91484
1 parent 9ed41fd
commit 9a91484
Show file tree

Hide file tree

Showing 3 changed files with 120 additions and 1 deletion.
diff --git a/SPECS/shadow/shadow-4.2.1-CVE-2016-6252-fix.patch b/SPECS/shadow/shadow-4.2.1-CVE-2016-6252-fix.patch
@@ -0,0 +1,74 @@
+diff -ruN shadow-4.2.1/libmisc/idmapping.c shadow-4.2.1.new/libmisc/idmapping.c
+--- shadow-4.2.1/libmisc/idmapping.c	2014-03-01 19:59:51.000000000 +0100
++++ shadow-4.2.1.new/libmisc/idmapping.c	2016-07-19 10:55:49.339097323 +0200
+@@ -77,6 +77,11 @@
+ 			return NULL;
+ 		if (!getulong(argv[argidx + 2], &mapping->count))
+ 			return NULL;
++
++		if (ULONG_MAX - mapping->upper <= mapping->count || ULONG_MAX - mapping->lower <= mapping->count) {
++			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
++			exit(EXIT_FAILURE);
++		}
+ 	}
+ 	return mappings;
+ }
+diff -ruN shadow-4.2.1/libmisc/myname.c shadow-4.2.1.new/libmisc/myname.c
+--- shadow-4.2.1/libmisc/myname.c	2014-03-01 19:59:51.000000000 +0100
++++ shadow-4.2.1.new/libmisc/myname.c	2016-07-19 10:14:49.298852058 +0200
+@@ -44,25 +44,13 @@
+ /*@null@*/ /*@only@*/struct passwd *get_my_pwent (void)
+ {
+ 	struct passwd *pw;
+-	const char *cp = getlogin ();
+ 	uid_t ruid = getuid ();
+
+-	/*
+-	 * Try getlogin() first - if it fails or returns a non-existent
+-	 * username, or a username which doesn't match the real UID, fall
+-	 * back to getpwuid(getuid()).  This should work reasonably with
+-	 * usernames longer than the utmp limit (8 characters), as well as
+-	 * shared UIDs - but not both at the same time...
++	/* Do not use getlogin(). Its not suitable for suid binaries.
+ 	 *
+ 	 * XXX - when running from su, will return the current user (not
+ 	 * the original user, like getlogin() does).  Does this matter?
+ 	 */
+-	if ((NULL != cp) && ('\0' != *cp)) {
+-		pw = xgetpwnam (cp);
+-		if ((NULL != pw) && (pw->pw_uid == ruid)) {
+-			return pw;
+-		}
+-	}
+
+ 	return xgetpwuid (ruid);
+ }
+
+diff -ruN shadow-4.2.1/lib/getulong.c shadow-4.2.1.new/lib/getulong.c
+--- shadow-4.2.1/lib/getulong.c	2014-03-01 18:50:05.000000000 +0100
++++ shadow-4.2.1.new/lib/getulong.c	2016-07-19 10:36:14.476785123 +0200
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-	long long int val;
++	unsigned long int val;
+ 	char *endptr;
+
+ 	errno = 0;
+-	val = strtoll (numstr, &endptr, 0);
++	val = strtoul (numstr, &endptr, 0);
+ 	if (    ('\0' == *numstr)
+ 	     || ('\0' != *endptr)
+ 	     || (ERANGE == errno)
+-	     /*@+ignoresigns@*/
+-	     || (val != (unsigned long int)val)
+-	     /*@=ignoresigns@*/
+ 	   ) {
+ 		return 0;
+ 	}
+
+-	*result = (unsigned long int)val;
++	*result = val;
+ 	return 1;
+ }
diff --git a/SPECS/shadow/shadow-4.2.1-CVE-2017-12424.patch b/SPECS/shadow/shadow-4.2.1-CVE-2017-12424.patch
@@ -0,0 +1,39 @@
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <[email protected]>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <[email protected]>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index b10da06a..31edbaaf 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif
diff --git a/SPECS/shadow/shadow.spec b/SPECS/shadow/shadow.spec
@@ -1,7 +1,7 @@
 Summary:        Programs for handling passwords in a secure way
 Name:           shadow
 Version:        4.2.1
-Release:        12%{?dist}
+Release:        13%{?dist}
 URL:            http://pkg-shadow.alioth.debian.org/
 License:        BSD
 Group:          Applications/System
@@ -12,6 +12,8 @@ Source0:        http://pkg-shadow.alioth.debian.org/releases/%{name}-%{version}.
 Source1:        PAM-Configuration-Files-1.5.tar.gz
 %define sha1    PAM=08052511f985e3b3072c194ac1287e036d9299fb
 Patch0:         chkname-allowcase.patch
+Patch1:         shadow-4.2.1-CVE-2016-6252-fix.patch
+Patch2:         shadow-4.2.1-CVE-2017-12424.patch
 BuildRequires:  cracklib
 BuildRequires:  cracklib-devel
 Requires:       cracklib
@@ -33,6 +35,8 @@ These are the additional language files of shadow.
 %setup -q -n %{name}-%{version}
 %setup -q -T -D -a 1
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 sed -i 's/groups$(EXEEXT) //' src/Makefile.in
 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
@@ -137,6 +141,8 @@ make %{?_smp_mflags} check
 %defattr(-,root,root)
 
 %changelog
+*   Tue Aug 15 2017 Anish Swaminathan <[email protected]> 4.2.1-13
+-   Added fix for CVE-2017-12424, CVE-2016-6252
 *   Thu Apr 27 2017 Divya Thaluru <[email protected]> 4.2.1-12
 -   Allow '.' in username
 *   Wed Dec 07 2016 Xiaolin Li <[email protected]> 4.2.1-11