[Pkg-shadow-commits] r3326 - in debian/trunk/debian: . patches
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Sat Jun 4 07:42:27 UTC 2011
Author: nekral-guest
Date: 2011-06-04 07:42:27 +0000 (Sat, 04 Jun 2011)
New Revision: 3326
Added:
debian/trunk/debian/patches/300_CVE-2011-0721
Modified:
debian/trunk/debian/changelog
debian/trunk/debian/patches/series
Log:
Added missing pieces from 1:4.1.4.2+svn3283-3
Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog 2011-06-03 21:09:27 UTC (rev 3325)
+++ debian/trunk/debian/changelog 2011-06-04 07:42:27 UTC (rev 3326)
@@ -1,7 +1,5 @@
-shadow (1:4.1.4.2+svn3283-3) UNRELEASED; urgency=low
+shadow (1:4.1.4.2+svn3283-4) unstable; urgency=low
- * Fix typo in /etc/pam.d/login comments. Thanks to Ferenc Wagner.
- Closes: #598717
* Fix several typos in manpages. Thanks to Simon Brandmair
(Closes: #628776)
* Japanese translation update (Closes: #620978)
@@ -16,8 +14,18 @@
* Catalan translation update (Closes: #627526)
* German manpages translation update (Closes: #628777)
- -- Christian Perrier <bubulle at debian.org> Sat, 02 Oct 2010 13:30:08 +0200
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net> Sat, 04 Jun 2011 09:39:38 +0200
+shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
+
+ * The "Trappe d'Echourgnac" release.
+ * Fix typo in /etc/pam.d/login comments. Thanks to Ferenc Wagner.
+ Closes: #598717
+ * debian/patches/300_CVE-2011-0721: Fix insufficient input sanitation
+ leading to possible user or group creation in NIS environments.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net> Mon, 13 Feb 2011 23:20:05 +0100
+
shadow (1:4.1.4.2+svn3283-2) unstable; urgency=low
* The "Bleu du Vercors-Sassenage" release.
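Review bot: The trailer of the added 1:4.1.4.2+svn3283-3 entry reads "Mon, 13 Feb 2011 23:20:05 +0100", but 13 Feb 2011 was a Sunday, so the weekday and the date disagree. If this entry is meant to reproduce the changelog as uploaded, copy the trailer verbatim from the uploaded package; otherwise correct the weekday so that tools parsing the trailer see a consistent date. The CVE item also says "input sanitation" while the header of 300_CVE-2011-0721 says "Input sanitization"; using one term in both places makes the fix easier to search for.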
Added: debian/trunk/debian/patches/300_CVE-2011-0721
===================================================================
--- debian/trunk/debian/patches/300_CVE-2011-0721 (rev 0)
+++ debian/trunk/debian/patches/300_CVE-2011-0721 2011-06-04 07:42:27 UTC (rev 3326)
@@ -0,0 +1,57 @@
+Goal: Input sanitization for chfn and chsh
+
+Fixes: CVE-2011-0721
+
+Status wrt upstream: Already applied upstream (4.1.4.3)
+
+--- a/src/chfn.c
++++ b/src/chfn.c
+@@ -551,14 +551,14 @@
+ static void check_fields (void)
+ {
+ int err;
+- err = valid_field (fullnm, ":,=");
++ err = valid_field (fullnm, ":,=\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: name with non-ASCII characters: '%s'\n"), Prog, fullnm);
+ } else if (err < 0) {
+ fprintf (stderr, _("%s: invalid name: '%s'\n"), Prog, fullnm);
+ fail_exit (E_NOPERM);
+ }
+- err = valid_field (roomno, ":,=");
++ err = valid_field (roomno, ":,=\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno);
+ } else if (err < 0) {
+@@ -566,17 +566,17 @@
+ Prog, roomno);
+ fail_exit (E_NOPERM);
+ }
+- if (valid_field (workph, ":,=") != 0) {
++ if (valid_field (workph, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: invalid work phone: '%s'\n"),
+ Prog, workph);
+ fail_exit (E_NOPERM);
+ }
+- if (valid_field (homeph, ":,=") != 0) {
++ if (valid_field (homeph, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: invalid home phone: '%s'\n"),
+ Prog, homeph);
+ fail_exit (E_NOPERM);
+ }
+- err = valid_field (slop, ":");
++ err = valid_field (slop, ":\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: '%s' contains non-ASCII characters\n"), Prog, slop);
+ } else if (err < 0) {
+--- a/src/chsh.
++++ b/src/chsh.c
+@@ -528,7 +528,7 @@
+ * users are restricted to using the shells in /etc/shells.
+ * The shell must be executable by the user.
+ */
+- if (valid_field (loginsh, ":,=") != 0) {
++ if (valid_field (loginsh, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: Invalid entry: %s\n"), Prog, loginsh);
+ fail_exit (1);
+ }
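Review bot: In the chfn.c check_fields changes, the added "\n" only rejects input through the err < 0 branch; for fullnm, roomno and slop the err > 0 branch prints a message and continues without calling fail_exit. valid_field itself is not shown here, so it is worth confirming that it returns a negative value for every character in the illegal set, and checking which return value other control characters such as '\r' produce. If they land in the warn-only branch, consider rejecting them as well, since these values are written into a line-oriented passwd entry. Separately, the embedded chsh header reads "--- a/src/chsh." against "+++ b/src/chsh.c"; the old-file name is missing its "c" and should be corrected so both names agree.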
Modified: debian/trunk/debian/patches/series
===================================================================
--- debian/trunk/debian/patches/series 2011-06-03 21:09:27 UTC (rev 3325)
+++ debian/trunk/debian/patches/series 2011-06-04 07:42:27 UTC (rev 3326)
@@ -18,3 +18,4 @@
523_su_arguments_are_no_more_concatenated_by_default
508_nologin_in_usr_sbin
505_useradd_recommend_adduser
+300_CVE-2011-0721