[Pkg-shadow-commits] r3332 - in debian/tags/debian: . 4.1.4.2+svn3283-3/debian 4.1.4.2+svn3283-3/debian/patches
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Sat Jun 4 22:27:17 UTC 2011
Author: nekral-guest
Date: 2011-06-04 22:27:17 +0000 (Sat, 04 Jun 2011)
New Revision: 3332
Added:
debian/tags/debian/4.1.4.2+svn3283-3/
debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721
Modified:
debian/tags/debian/4.1.4.2+svn3283-3/debian/changelog
debian/tags/debian/4.1.4.2+svn3283-3/debian/login.pam
debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/series
Log:
Add missing tag: 4.1.4.2+svn3283-3
Modified: debian/tags/debian/4.1.4.2+svn3283-3/debian/changelog
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-2/debian/changelog 2011-06-04 21:59:47 UTC (rev 3331)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/changelog 2011-06-04 22:27:17 UTC (rev 3332)
@@ -1,3 +1,13 @@
+shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
+
+ * The "Trappe d'Echourgnac" release.
+ * Fix typo in /etc/pam.d/login comments. Thanks to Ferenc Wagner.
+ Closes: #598717
+ * debian/patches/300_CVE-2011-0721: Fix insufficient input sanitation
+ leading to possible user or group creation in NIS environments.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net> Mon, 13 Feb 2011 23:20:05 +0100
+
shadow (1:4.1.4.2+svn3283-2) unstable; urgency=low
* The "Bleu du Vercors-Sassenage" release.
Modified: debian/tags/debian/4.1.4.2+svn3283-3/debian/login.pam
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-2/debian/login.pam 2011-06-04 21:59:47 UTC (rev 3331)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/login.pam 2011-06-04 22:27:17 UTC (rev 3332)
@@ -17,7 +17,7 @@
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
-# root will not be prompted for a pasword on insecure lines.
+# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
Added: debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721 (rev 0)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/300_CVE-2011-0721 2011-06-04 22:27:17 UTC (rev 3332)
@@ -0,0 +1,57 @@
+Goal: Input sanitization for chfn and chsh
+
+Fixes: CVE-2011-0721
+
+Status wrt upstream: Already applied upstream (4.1.4.3)
+
+--- a/src/chfn.c
++++ b/src/chfn.c
+@@ -551,14 +551,14 @@
+ static void check_fields (void)
+ {
+ int err;
+- err = valid_field (fullnm, ":,=");
++ err = valid_field (fullnm, ":,=\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: name with non-ASCII characters: '%s'\n"), Prog, fullnm);
+ } else if (err < 0) {
+ fprintf (stderr, _("%s: invalid name: '%s'\n"), Prog, fullnm);
+ fail_exit (E_NOPERM);
+ }
+- err = valid_field (roomno, ":,=");
++ err = valid_field (roomno, ":,=\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno);
+ } else if (err < 0) {
+@@ -566,17 +566,17 @@
+ Prog, roomno);
+ fail_exit (E_NOPERM);
+ }
+- if (valid_field (workph, ":,=") != 0) {
++ if (valid_field (workph, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: invalid work phone: '%s'\n"),
+ Prog, workph);
+ fail_exit (E_NOPERM);
+ }
+- if (valid_field (homeph, ":,=") != 0) {
++ if (valid_field (homeph, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: invalid home phone: '%s'\n"),
+ Prog, homeph);
+ fail_exit (E_NOPERM);
+ }
+- err = valid_field (slop, ":");
++ err = valid_field (slop, ":\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: '%s' contains non-ASCII characters\n"), Prog, slop);
+ } else if (err < 0) {
+--- a/src/chsh.
++++ b/src/chsh.c
+@@ -528,7 +528,7 @@
+ * users are restricted to using the shells in /etc/shells.
+ * The shell must be executable by the user.
+ */
+- if (valid_field (loginsh, ":,=") != 0) {
++ if (valid_field (loginsh, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: Invalid entry: %s\n"), Prog, loginsh);
+ fail_exit (1);
+ }
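Review bot: Adding only `\n` to the rejected set leaves the `err > 0` branches for `fullnm`, `roomno` and `slop` in check_fields as warn-and-continue: they print the "non-ASCII characters" message and, in the lines shown, never reach `fail_exit (E_NOPERM)`. valid_field is not part of this patch, so this is inferred, but if it returns a positive value for other control characters such as `\r`, those would still be accepted into the passwd entry; rejecting control characters as a class, in valid_field or in these three branches, would be more robust than listing one byte per call site. The work-phone, home-phone and chsh checks already fail on any non-zero result, so they are less exposed. Separately, the second embedded file header reads `--- a/src/chsh.` and should be `--- a/src/chsh.c`. check_fields continues past the end of the embedded chfn.c hunk, so the handling after the `slop` check cannot be confirmed from here.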
Modified: debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/series
===================================================================
--- debian/tags/debian/4.1.4.2+svn3283-2/debian/patches/series 2011-06-04 21:59:47 UTC (rev 3331)
+++ debian/tags/debian/4.1.4.2+svn3283-3/debian/patches/series 2011-06-04 22:27:17 UTC (rev 3332)
@@ -18,3 +18,4 @@
523_su_arguments_are_no_more_concatenated_by_default
508_nologin_in_usr_sbin
505_useradd_recommend_adduser
+300_CVE-2011-0721