[Pkg-shadow-commits] r2440 - in debian/branches/lenny/debian: . patches

nekral-guest at alioth.debian.org nekral-guest at alioth.debian.org
Sat Nov 22 15:48:40 UTC 2008 

Author: nekral-guest
Date: 2008-11-22 15:48:40 +0000 (Sat, 22 Nov 2008)
New Revision: 2440

Added:
   debian/branches/lenny/debian/patches/303_login_symlink_attack
   debian/branches/lenny/debian/patches/304_su.1_synopsis
   debian/branches/lenny/debian/patches/305_login.1_japanese
Modified:
   debian/branches/lenny/debian/changelog
   debian/branches/lenny/debian/patches/series
Log:
Prepare the 1:4.1.1-6 release.


Modified: debian/branches/lenny/debian/changelog
===================================================================
--- debian/branches/lenny/debian/changelog	2008-11-14 20:22:53 UTC (rev 2439)
+++ debian/branches/lenny/debian/changelog	2008-11-22 15:48:40 UTC (rev 2440)
@@ -1,3 +1,16 @@
+shadow (1:4.1.1-6) unstable; urgency=medium
+
+  * The "Rollot" release.
+  * debian/patches/303_login_symlink_attack: Fix a race condition that could
+    lead to gaining ownership or changing mode of arbitrary files.
+    Closes: #505271 
+  * debian/patches/304_su.1_synopsis: Fix the su synopsis. username is
+    referenced in the manpage, not LOGIN. Closes: #501353
+  * debian/patches/305_login.1_japanese: Fix the path of the utmp and wtmp
+    files. Closes: #501353
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 14 Nov 2008 21:52:42 +0100
+
 shadow (1:4.1.1-5) unstable; urgency=low
 
   * The "Bergues" release.

Added: debian/branches/lenny/debian/patches/303_login_symlink_attack
===================================================================
--- debian/branches/lenny/debian/patches/303_login_symlink_attack	                        (rev 0)
+++ debian/branches/lenny/debian/patches/303_login_symlink_attack	2008-11-22 15:48:40 UTC (rev 2440)
@@ -0,0 +1,23 @@
+Goal: Fix a symlink attack
+
+Fixes: 505271
+
+Status wrt upstream: Fixed upstream
+
+--- a/libmisc/chowntty.c
++++ b/libmisc/chowntty.c
+@@ -119,8 +119,12 @@
+ 		exit (1);
+ 	}
+ 
+-	if (chown (tty, info->pw_uid, gid) ||
+-	    chmod (tty, getdef_num ("TTYPERM", 0600))) {
++	/* is_my_tty above ensure that tty is the same device as stdin.
++	 * there could be a race condition between the above check, and
++	 * changing the ownership/mode.
++	 */
++	if (fchown (STDIN_FILENO, info->pw_uid, gid) ||
++	    fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600))) {
+ 		int err = errno;
+ 
+ 		snprintf (buf, sizeof buf, _("Unable to change tty %s"), tty);

Added: debian/branches/lenny/debian/patches/304_su.1_synopsis
===================================================================
--- debian/branches/lenny/debian/patches/304_su.1_synopsis	                        (rev 0)
+++ debian/branches/lenny/debian/patches/304_su.1_synopsis	2008-11-22 15:48:40 UTC (rev 2440)
@@ -0,0 +1,18 @@
+Goal: Fix the su synopsis. username is referenced in the manpage, not
+      LOGIN
+
+Fixes: 501353
+
+Status wrt upstream: Will be fixed in 4.1.3
+
+--- a/man/su.1.xml
++++ b/man/su.1.xml
+@@ -38,7 +38,7 @@
+       </arg>
+       <arg choice='opt'>
+ 	<arg choice='plain'>
+-	  <replaceable>LOGIN</replaceable>
++	  <replaceable>username</replaceable>
+ 	</arg>
+       </arg>
+     </cmdsynopsis>

Added: debian/branches/lenny/debian/patches/305_login.1_japanese
===================================================================
--- debian/branches/lenny/debian/patches/305_login.1_japanese	                        (rev 0)
+++ debian/branches/lenny/debian/patches/305_login.1_japanese	2008-11-22 15:48:40 UTC (rev 2440)
@@ -0,0 +1,20 @@
+Goal: fix the path of the utmp and wtmp files
+
+Fixes: 501353
+
+Status wrt upstream: Will be fixed in 4.1.3
+
+--- a/man/ja/login.1
++++ b/man/ja/login.1
+@@ -112,9 +112,9 @@
+ .PP
+ システム設定の違いによって上記ファイルの置き場所は変わる。
+ .SH ファイル
+-\fI/var/log/utmp\fR		\- 現在のログインセッションのリスト
++\fI/var/run/utmp\fR		\- 現在のログインセッションのリスト
+ .br
+-\fI/var/run/wtmp\fR		\- 過去のログインセッションのリスト
++\fI/var/log/wtmp\fR		\- 過去のログインセッションのリスト
+ .br
+ \fI/etc/passwd\fR		\- ユーザアカウント情報
+ .br

Modified: debian/branches/lenny/debian/patches/series
===================================================================
--- debian/branches/lenny/debian/patches/series	2008-11-14 20:22:53 UTC (rev 2439)
+++ debian/branches/lenny/debian/patches/series	2008-11-22 15:48:40 UTC (rev 2440)
@@ -34,3 +34,6 @@
 200_Czech_binary_translation
 494_passwd_lock-no_account_lock
 302_remove_non_translated_polish_manpages
+303_login_symlink_attack
+304_su.1_synopsis
+305_login.1_japanese

More information about the Pkg-shadow-commits mailing list