r22660 - in /desktop/lenny/system-tools-backends/debian: changelog	patches/08_use_md5.patch patches/series
    joss at users.alioth.debian.org
    Mon Dec 21 19:40:34 UTC 2009
Author: joss
Date: Mon Dec 21 19:40:33 2009
New Revision: 22660
URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=22660
Log:
* NMU.
* Fix CVE-2008-6792 "limiting effective password length to 8 characters"
   and another related bug in do_get_use_md5(). Closes: #527952.
Added:
    desktop/lenny/system-tools-backends/debian/patches/08_use_md5.patch
Modified:
    desktop/lenny/system-tools-backends/debian/changelog
    desktop/lenny/system-tools-backends/debian/patches/series
Modified: desktop/lenny/system-tools-backends/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/lenny/system-tools-backends/debian/changelog?rev=22660&op=diff
==============================================================================
--- desktop/lenny/system-tools-backends/debian/changelog [utf-8] (original)
+++ desktop/lenny/system-tools-backends/debian/changelog [utf-8] Mon Dec 21 19:40:33 2009
@@ -1,3 +1,11 @@
+system-tools-backends (2.6.0-2lenny3) stable; urgency=high
+
+  * NMU.
+  * Fix CVE-2008-6792 "limiting effective password length to 8 characters"
+     and another related bug in do_get_use_md5(). Closes: #527952.
+
+ -- Jan Christoph Nordholz <hesso at pool.math.tu-berlin.de>  Mon, 18 May 2009 21:29:21 +0200
+
 system-tools-backends (2.6.0-2lenny2) stable; urgency=low
 
   * 01_debian_4.0.patch: completely remove all the brain-dead version
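Review bot: the new 2.6.0-2lenny3 entry describes the second fix only as "another related bug in do_get_use_md5()", which does not tell a changelog reader what actually changed. Suggest naming both changes as they appear in 08_use_md5.patch: sha* tokens on a "password" line are now recognised, and the result of an "@include" is OR-ed into $use_md5 instead of overwriting a value already found.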
Added: desktop/lenny/system-tools-backends/debian/patches/08_use_md5.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/lenny/system-tools-backends/debian/patches/08_use_md5.patch?rev=22660&op=file
==============================================================================
--- desktop/lenny/system-tools-backends/debian/patches/08_use_md5.patch (added)
+++ desktop/lenny/system-tools-backends/debian/patches/08_use_md5.patch [utf-8] Mon Dec 21 19:40:33 2009
@@ -1,0 +1,23 @@
+Add fix for CVE 2008-6792 and another related bug in do_get_use_md5().
+
+ -- James Westby <james.westby at canonical.com>
+ -- Jan Christoph Nordholz <hesso at pool.math.tu-berlin.de>
+
+--- system-tools-backends-2.6.0.orig/Users/Users.pm	2008-03-09 13:21:45.000000000 +0000
++++ system-tools-backends-2.6.0/Users/Users.pm	2009-05-18 15:41:15.246049271 +0000
+@@ -286,13 +286,14 @@
+ 
+     if ($line[0] eq "\@include")
+     {
+-      $use_md5 = &do_get_use_md5 ($line[1]);
++      $use_md5 |= &do_get_use_md5 ($line[1]);
+     }
+     elsif ($line[0] eq "password")
+     {
+       foreach $i (@line)
+       {
+         $use_md5 = 1 if ($i eq "md5");
++        $use_md5 = 1 if ($i =~ /^sha\d+/);
+       }
+     }
+   }
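Review bot: in the "password" branch, the added `$use_md5 = 1 if ($i =~ /^sha\d+/);` folds every sha* option into a flag named for md5, so as far as these lines show the configured algorithm is not carried forward, only the fact that the default is not in use. If that is the intended scope for a stable fix, say so in the patch header; otherwise consider recording which algorithm was matched. The pattern is also open at the end, so any token that merely starts with "sha" and a digit matches; `/^sha\d+$/` would restrict it to the option itself. In the "@include" branch, a one-line comment stating that `|=` is there so an included file cannot clear a value found earlier would make the reason for the change clear to the next reader.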
Modified: desktop/lenny/system-tools-backends/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/lenny/system-tools-backends/debian/patches/series?rev=22660&op=diff
==============================================================================
--- desktop/lenny/system-tools-backends/debian/patches/series [utf-8] (original)
+++ desktop/lenny/system-tools-backends/debian/patches/series [utf-8] Mon Dec 21 19:40:33 2009
@@ -4,4 +4,5 @@
 04_correct_perl_command.patch
 05_cve_2008_4311.patch
 07_dont_symlink_localtime.patch
+08_use_md5.patch
 60_fix-permissions-of-pid-file.patch
    
    