[Pkg-shadow-commits] r2204 - in upstream/trunk: . src
nekral-guest at alioth.debian.org
nekral-guest at alioth.debian.org
Fri Jul 11 22:20:44 UTC 2008
Author: nekral-guest
Date: 2008-07-11 22:20:43 +0000 (Fri, 11 Jul 2008)
New Revision: 2204
Modified:
upstream/trunk/ChangeLog
upstream/trunk/NEWS
upstream/trunk/src/login.c
Log:
Re-inject the changes from 4.1.2.1.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2008-07-11 22:04:02 UTC (rev 2203)
+++ upstream/trunk/ChangeLog 2008-07-11 22:20:43 UTC (rev 2204)
@@ -1,3 +1,7 @@
+2008-07-12 Nicolas François <nicolas.francois at centraliens.net>
+
+ * ChangeLog, NEWS, src/login.c: Re-inject the changes from 4.1.2.1.
+
2008-07-11 Nicolas François <nicolas.francois at centraliens.net>
* src/usermod.c: Do not call usr_update() if it will have no
@@ -1236,6 +1240,22 @@
* configure.in: Allow --disable-man and --enable-man=no.
+2008-06-26 Nicolas François <nicolas.francois at centraliens.net>
+
+ Prepare the 4.1.2.1 release
+ * NEWS: set the release date.
+ * man/po/*.po, po/*.po: Updated PO files.
+ * configure.in: Set the version to 4.1.2.1.
+
+2008-06-26 Nicolas François <nicolas.francois at centraliens.net>
+
+ * NEWS, src/login.c: Fix an "audit log injection" vulnerability in
+ login. This is similar to CVE-2008-1926 (util-linux-ng's login).
+ This vulnerability makes it easier for attackers to hide
+ activities by modifying portions of log events, e.g. by appending
+ an addr= statement to the login name.
+ * lib/prototypes.h: Added definition of AUDIT_NO_ID.
+
2008-05-25 Nicolas François <nicolas.francois at centraliens.net>
Prepare the 4.1.2 release
Modified: upstream/trunk/NEWS
===================================================================
--- upstream/trunk/NEWS 2008-07-11 22:04:02 UTC (rev 2203)
+++ upstream/trunk/NEWS 2008-07-11 22:20:43 UTC (rev 2204)
@@ -1,6 +1,6 @@
$Id$
-shadow-4.1.2 -> shadow-4.1.3 UNRELEASED
+shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED
*** general:
- newusers
@@ -9,6 +9,14 @@
* Allow adding LDAP users (or any user not present in the local passwd
file) to local groups
+shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008
+
+*** security
+- Fix an "audit log injection" vulnerability in login.
+ This vulnerability makes it easier for attackers to hide activities by
+ modifying portions of log events, e.g. by appending an addr= statement
+ to the login name.
+
shadow-4.1.1 -> shadow-4.1.2 25-05-2008
*** security:
Modified: upstream/trunk/src/login.c
===================================================================
--- upstream/trunk/src/login.c 2008-07-11 22:04:02 UTC (rev 2203)
+++ upstream/trunk/src/login.c 2008-07-11 22:20:43 UTC (rev 2204)
@@ -745,31 +745,19 @@
}
#ifdef WITH_AUDIT
- {
- struct passwd *pw;
- char buf[64];
-
- audit_fd = audit_open ();
- /* local, no need for xgetpwnam */
- pw = getpwnam (username);
- if (NULL != pw) {
- snprintf (buf, sizeof (buf),
- "uid=%lu",
- (unsigned long) pw->pw_uid);
- audit_log_user_message
- (audit_fd, AUDIT_USER_LOGIN,
- buf, hostname, NULL,
- tty, 0);
- } else {
- snprintf (buf, sizeof (buf),
- "acct=%s", username);
- audit_log_user_message
- (audit_fd, AUDIT_USER_LOGIN,
- buf, hostname, NULL,
- tty, 0);
- }
- close (audit_fd);
- }
+ audit_fd = audit_open ();
+ audit_log_acct_message (audit_fd,
+ AUDIT_USER_LOGIN,
+ NULL, /* Prog. name */
+ "login",
+ (NULL!=username)?username
+ :"(unknown)",
+ AUDIT_NO_ID,
+ hostname,
+ NULL, /* addr */
+ tty,
+ 0); /* result */
+ close (audit_fd);
#endif /* WITH_AUDIT */
fprintf (stderr, "\nLogin incorrect\n");
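Review bot: `audit_open ()` on the first added line can return -1, and the new code checks neither that nor the return value of `audit_log_acct_message ()`, so a failed-login audit record can be dropped silently and `close (audit_fd)` then runs on an invalid descriptor; the same pattern appears in the second hunk (the successful-login record). Guarding the block with `if (audit_fd >= 0) { ... }` and reporting a negative return from `audit_log_acct_message ()` through syslog would keep the loss of an audit event visible to the operator. Passing `username` straight to `audit_log_acct_message ()` is what closes the injection the ChangeLog describes, since libaudit encodes the account name itself instead of splicing it into a hand-built `acct=%s` string; a comment such as `/* username is untrusted; let libaudit encode it rather than formatting the record by hand */` would stop a later edit from reintroducing snprintf here. `AUDIT_NO_ID` is used on the new side, but lib/prototypes.h is not in this commit's modified list, so if trunk does not already define it the WITH_AUDIT build will fail. The enclosing function starts and ends outside the hunk.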
@@ -1050,16 +1038,18 @@
}
#ifdef WITH_AUDIT
- {
- char buf[32];
-
- audit_fd = audit_open ();
- snprintf (buf, sizeof (buf), "uid=%lu",
- (unsigned long) pwd->pw_uid);
- audit_log_user_message (audit_fd, AUDIT_USER_LOGIN,
- buf, hostname, NULL, tty, 1);
- close (audit_fd);
- }
+ audit_fd = audit_open ();
+ audit_log_acct_message (audit_fd,
+ AUDIT_USER_LOGIN,
+ NULL, /* Prog. name */
+ "login",
+ NULL, /* user's name => use uid */
+ (unsigned int) pwd->pw_uid,
+ hostname,
+ NULL, /* addr */
+ tty,
+ 1); /* result */
+ close (audit_fd);
#endif /* WITH_AUDIT */
#ifndef USE_PAM /* pam_lastlog handles this */