[Pkg-shadow-commits] r3332 - in debian/tags/debian: . 4.1.4.2+svn3283-3/debian 4.1.4.2+svn3283-3/debian/patches

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Sat Jun 4 22:27:17 UTC 2011


Author: nekral-guest
Date: 2011-06-04 22:27:17 +0000 (Sat, 04 Jun 2011)
New Revision: 3332

Added:
   debian/tags/debian/4.1.4.2+svn3283-3/
   debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721
Modified:
   debian/tags/debian/4.1.4.2+svn3283-3/debian/changelog
   debian/tags/debian/4.1.4.2+svn3283-3/debian/login.pam
   debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/series
Log:
Add missing tag: 4.1.4.2+svn3283-3


Modified: debian/tags/debian/4.1.4.2+svn3283-3/debian/changelog
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-2/debian/changelog	2011-06-04 21:59:47 UTC (rev 3331)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/changelog	2011-06-04 22:27:17 UTC (rev 3332)
@@ -1,3 +1,13 @@
+shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
+
+  * The "Trappe d'Echourgnac" release.
+  * Fix typo in /etc/pam.d/login comments. Thanks to Ferenc Wagner.
+    Closes: #598717
+  * debian/patches/300_CVE-2011-0721: Fix insufficient input sanitation
+    leading to possible user or group creation in NIS environments.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Mon, 13 Feb 2011 23:20:05 +0100
+
 shadow (1:4.1.4.2+svn3283-2) unstable; urgency=low
 
   * The "Bleu du Vercors-Sassenage" release.

Modified: debian/tags/debian/4.1.4.2+svn3283-3/debian/login.pam
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-2/debian/login.pam	2011-06-04 21:59:47 UTC (rev 3331)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/login.pam	2011-06-04 22:27:17 UTC (rev 3332)
@@ -17,7 +17,7 @@
 #
 # With the default control of this module:
 #   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
-# root will not be prompted for a pasword on insecure lines.
+# root will not be prompted for a password on insecure lines.
 # if an invalid username is entered, a password is prompted (but login
 # will eventually be rejected)
 #

Added: debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721	                        (rev 0)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721	2011-06-04 22:27:17 UTC (rev 3332)
@@ -0,0 +1,57 @@
+Goal: Input sanitization for chfn and chsh
+
+Fixes: CVE-2011-0721
+
+Status wrt upstream: Already applied upstream (4.1.4.3)
+
+--- a/src/chfn.c
++++ b/src/chfn.c
+@@ -551,14 +551,14 @@
+ static void check_fields (void)
+ {
+ 	int err;
+-	err = valid_field (fullnm, ":,=");
++	err = valid_field (fullnm, ":,=\n");
+ 	if (err > 0) {
+ 		fprintf (stderr, _("%s: name with non-ASCII characters: '%s'\n"), Prog, fullnm);
+ 	} else if (err < 0) {
+ 		fprintf (stderr, _("%s: invalid name: '%s'\n"), Prog, fullnm);
+ 		fail_exit (E_NOPERM);
+ 	}
+-	err = valid_field (roomno, ":,=");
++	err = valid_field (roomno, ":,=\n");
+ 	if (err > 0) {
+ 		fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno);
+ 	} else if (err < 0) {
+@@ -566,17 +566,17 @@
+ 		         Prog, roomno);
+ 		fail_exit (E_NOPERM);
+ 	}
+-	if (valid_field (workph, ":,=") != 0) {
++	if (valid_field (workph, ":,=\n") != 0) {
+ 		fprintf (stderr, _("%s: invalid work phone: '%s'\n"),
+ 		         Prog, workph);
+ 		fail_exit (E_NOPERM);
+ 	}
+-	if (valid_field (homeph, ":,=") != 0) {
++	if (valid_field (homeph, ":,=\n") != 0) {
+ 		fprintf (stderr, _("%s: invalid home phone: '%s'\n"),
+ 		         Prog, homeph);
+ 		fail_exit (E_NOPERM);
+ 	}
+-	err = valid_field (slop, ":");
++	err = valid_field (slop, ":\n");
+ 	if (err > 0) {
+ 		fprintf (stderr, _("%s: '%s' contains non-ASCII characters\n"), Prog, slop);
+ 	} else if (err < 0) {
+--- a/src/chsh.
++++ b/src/chsh.c
+@@ -528,7 +528,7 @@
+ 	 * users are restricted to using the shells in /etc/shells.
+ 	 * The shell must be executable by the user.
+ 	 */
+-	if (valid_field (loginsh, ":,=") != 0) {
++	if (valid_field (loginsh, ":,=\n") != 0) {
+ 		fprintf (stderr, _("%s: Invalid entry: %s\n"), Prog, loginsh);
+ 		fail_exit (1);
+ 	}
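Review bot: The newline rejection is added as a per-call-site denylist string in six places (five `valid_field` calls in `check_fields` in chfn.c, one in chsh.c), so the protection depends on every caller remembering to pass `"\n"`. `valid_field` itself is outside this hunk, so this is inferred, but rejecting `'\n'` (and arguably every control character) inside `valid_field`, regardless of the caller's illegal-character string, would cover any other caller that writes a line-based passwd field. The `slop` check passes only `":\n"`, which makes it the place where a later edit is most likely to drop the newline again; a short comment above these calls saying why it is in the set would help. Separately, the embedded file header reads `--- a/src/chsh.` and should be `--- a/src/chsh.c`; patch will probably still pick the target from the `+++` line, but the two headers should agree.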

Modified: debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/series
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-2/debian/patches/series	2011-06-04 21:59:47 UTC (rev 3331)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/series	2011-06-04 22:27:17 UTC (rev 3332)
@@ -18,3 +18,4 @@
 523_su_arguments_are_no_more_concatenated_by_default
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
+300_CVE-2011-0721



