[dpkg] 58/192: s-s-d: Parse usernames and groupnames starting with digits correctly

Ximin Luo infinity0 at debian.org
Tue Oct 17 11:03:58 UTC 2017


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch pu/reproducible_builds
in repository dpkg.

commit 55c291c69bc9ee7c00731f4f5ffafd42673eb7d1
Author: Guillem Jover <guillem at debian.org>
Date:   Tue Jul 4 03:33:25 2017 +0200

    s-s-d: Parse usernames and groupnames starting with digits correctly
    
    We should not consider a username or groupname that starts with digits
    as a valid uid or gid. When parsing integers we should parse the strings
    fully and not consider any partial parsing to be correct.
    
    Reported-by: Bodo Eggert <7eggert at online.de>
---
 debian/changelog          | 2 ++
 utils/start-stop-daemon.c | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 83821bb..5b7788b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ dpkg (1.19.0) UNRELEASED; urgency=medium
 
   * Remove an unused variable in dpkg-shlibdeps.
     Thanks to Niels Thykier <niels at thykier.net>.
+  * Parse start-stop-daemon usernames and groupnames starting with digits in
+    -u and -c correctly. Reported by Bodo Eggert <7eggert at online.de>.
   * Perl modules:
     - Switch from Dpkg::Util to List::Util, now that the module in the
       new required Perl contains the needed functions.
diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c
index 3931f5c..8135750 100644
--- a/utils/start-stop-daemon.c
+++ b/utils/start-stop-daemon.c
@@ -1205,7 +1205,7 @@ setup_options(void)
 			free(fullexecname);
 	}
 
-	if (userspec && sscanf(userspec, "%d", &user_id) != 1) {
+	if (userspec && parse_unsigned(userspec, 10, &user_id) < 0) {
 		struct passwd *pw;
 
 		pw = getpwnam(userspec);
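Review bot: The three converted checks still try the numeric reading before the name lookup, so a string made only of digits is always taken as a uid or gid, and an account whose name is all digits can never be selected by name; nothing near `parse_unsigned(userspec, 10, &user_id)` says this order is intended. The same applies to the `changegroup` check in the second hunk and the `changeuser` check in the third. I would state the rule next to the first check, for example `/* A fully numeric string is used as the id itself; it is never looked up as a name. */`, and repeat it in the documentation of -u and -c. Since the resolved id selects the identity the tool acts on, the ambiguity is better settled by a stated rule than by call order. setup_options() starts and ends outside this hunk.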
@@ -1215,7 +1215,7 @@ setup_options(void)
 		user_id = pw->pw_uid;
 	}
 
-	if (changegroup && sscanf(changegroup, "%d", &runas_gid) != 1) {
+	if (changegroup && parse_unsigned(changegroup, 10, &runas_gid) < 0) {
 		struct group *gr;
 
 		gr = getgrnam(changegroup);
@@ -1228,7 +1228,7 @@ setup_options(void)
 		struct passwd *pw;
 		struct stat st;
 
-		if (sscanf(changeuser, "%d", &runas_uid) == 1)
+		if (parse_unsigned(changeuser, 10, &runas_uid) == 0)
 			pw = getpwuid(runas_uid);
 		else
 			pw = getpwnam(changeuser);
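Review bot: This check tests for success with `== 0`, while the two checks above test for failure with `< 0`, so the three call sites agree only if parse_unsigned() never returns a positive value; its definition is not part of this diff. Writing the condition the same way at every site, e.g. `if (parse_unsigned(changeuser, 10, &runas_uid) < 0) pw = getpwnam(changeuser); else pw = getpwuid(runas_uid);`, would remove the doubt. Alternatively, a one-line comment at parse_unsigned() stating its return convention (presumably 0 on a full parse, negative otherwise) would do the same. The enclosing block continues outside the hunk.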

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git


