[Pkg-shadow-devel] Ubuntu shadow 1:4.1.4.2+svn3283-2ubuntu3
Ubuntu Merge-o-Matic
mom at ubuntu.com
Wed Mar 9 15:09:31 UTC 2011
This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
changes. It contains the difference between the new version and the
previous version of the same source package in Ubuntu.
-------------- next part --------------
Format: 1.8
Date: Tue, 15 Feb 2011 13:57:01 -0800
Source: shadow
Binary: passwd login
Architecture: source
Version: 1:4.1.4.2+svn3283-2ubuntu3
Distribution: natty
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Kees Cook <kees at ubuntu.com>
Description:
login - system login tools
passwd - change and administer password and group data
Changes:
shadow (1:4.1.4.2+svn3283-2ubuntu3) natty; urgency=low
.
* SECURITY UPDATE: could inject NIS groups memberships into /etc/passwd.
- debian/patches/300_CVE-2011-0721: reject newlines in GECOS updates.
- CVE-2011-0721
Checksums-Sha1:
ab4258d1c4243f087f24ac0aba5534e39648ce2c 2362 shadow_4.1.4.2+svn3283-2ubuntu3.dsc
08344ee80af3611170349133c11ac494bc4d9f36 336868 shadow_4.1.4.2+svn3283-2ubuntu3.diff.gz
Checksums-Sha256:
0b791d88e76fa031bd07affdf9e8c75cdf48801605f03dae6c3eb078720d25a9 2362 shadow_4.1.4.2+svn3283-2ubuntu3.dsc
e10420c57b01869bbffbb6287390d6d3ed121aa9585f6d4ce5361ec47c5d2f65 336868 shadow_4.1.4.2+svn3283-2ubuntu3.diff.gz
Files:
fd13ce2ee6016cd992511a2d0be8b89b 2362 admin required shadow_4.1.4.2+svn3283-2ubuntu3.dsc
832759129b48b65d630e8c753654a7d5 336868 admin required shadow_4.1.4.2+svn3283-2ubuntu3.diff.gz
Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
-------------- next part --------------
diff -pruN 1:4.1.4.2+svn3283-2ubuntu2/debian/changelog 1:4.1.4.2+svn3283-2ubuntu3/debian/changelog
--- 1:4.1.4.2+svn3283-2ubuntu2/debian/changelog 2011-03-08 18:23:34.000000000 +0000
+++ 1:4.1.4.2+svn3283-2ubuntu3/debian/changelog 2011-03-08 18:23:32.000000000 +0000
@@ -1,3 +1,11 @@
+shadow (1:4.1.4.2+svn3283-2ubuntu3) natty; urgency=low
+
+ * SECURITY UPDATE: could inject NIS groups memberships into /etc/passwd.
+ - debian/patches/300_CVE-2011-0721: reject newlines in GECOS updates.
+ - CVE-2011-0721
+
+ -- Kees Cook <kees at ubuntu.com> Tue, 15 Feb 2011 13:57:01 -0800
+
shadow (1:4.1.4.2+svn3283-2ubuntu2) natty; urgency=low
* debian/patches/495_stdout-encrypted-password: adjust patch for changes
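Review bot: the new changelog entry describes the patch as "reject newlines in GECOS updates", but 300_CVE-2011-0721 also changes the `loginsh` check in src/chsh.c, which is the login shell field rather than GECOS. Suggest wording the entry to cover both, for example "reject newlines in GECOS and login shell updates (chfn, chsh)", so someone auditing the changelog can see that chsh was in scope for the fix.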
diff -pruN 1:4.1.4.2+svn3283-2ubuntu2/debian/control 1:4.1.4.2+svn3283-2ubuntu3/debian/control
--- 1:4.1.4.2+svn3283-2ubuntu2/debian/control 2011-03-08 18:23:34.000000000 +0000
+++ 1:4.1.4.2+svn3283-2ubuntu3/debian/control 2011-03-08 18:23:32.000000000 +0000
@@ -1,7 +1,7 @@
Source: shadow
Section: admin
Priority: required
-Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
XSBC-Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
Uploaders: Christian Perrier <bubulle at debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>
Standards-Version: 3.8.4
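Review bot: the Maintainer field change here (from "Ubuntu Core Developers" to "Ubuntu Developers") is not recorded in the changelog entry for this upload, which lists only the CVE-2011-0721 fix. For a security upload it is cleaner to either note the metadata change in the changelog or leave it for a separate upload, so the diff a reviewer has to read contains only the fix.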
@@ -32,4 +32,3 @@ Description: system login tools
newgrp program is used to change your effective group ID (useful for
workgroup type situations). The su program allows changing your effective
user ID (useful being able to execute commands as another user).
-
diff -pruN 1:4.1.4.2+svn3283-2ubuntu2/debian/patches/300_CVE-2011-0721 1:4.1.4.2+svn3283-2ubuntu3/debian/patches/300_CVE-2011-0721
--- 1:4.1.4.2+svn3283-2ubuntu2/debian/patches/300_CVE-2011-0721 1970-01-01 01:00:00.000000000 +0100
+++ 1:4.1.4.2+svn3283-2ubuntu3/debian/patches/300_CVE-2011-0721 2011-03-08 18:23:32.000000000 +0000
@@ -0,0 +1,58 @@
+Description: explicitly reject all newline characters (CVE-2011-0721).
+Author: Nicolas François <nicolas.francois at centraliens.net>
+
+Index: shadow-4.1.4.2/src/chfn.c
+===================================================================
+--- shadow-4.1.4.2.orig/src/chfn.c 2011-02-14 13:38:07.851307306 -0800
++++ shadow-4.1.4.2/src/chfn.c 2011-02-14 13:39:18.182287882 -0800
+@@ -551,14 +551,14 @@
+ static void check_fields (void)
+ {
+ int err;
+- err = valid_field (fullnm, ":,=");
++ err = valid_field (fullnm, ":,=\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: name with non-ASCII characters: '%s'\n"), Prog, fullnm);
+ } else if (err < 0) {
+ fprintf (stderr, _("%s: invalid name: '%s'\n"), Prog, fullnm);
+ fail_exit (E_NOPERM);
+ }
+- err = valid_field (roomno, ":,=");
++ err = valid_field (roomno, ":,=\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno);
+ } else if (err < 0) {
+@@ -566,17 +566,17 @@
+ Prog, roomno);
+ fail_exit (E_NOPERM);
+ }
+- if (valid_field (workph, ":,=") != 0) {
++ if (valid_field (workph, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: invalid work phone: '%s'\n"),
+ Prog, workph);
+ fail_exit (E_NOPERM);
+ }
+- if (valid_field (homeph, ":,=") != 0) {
++ if (valid_field (homeph, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: invalid home phone: '%s'\n"),
+ Prog, homeph);
+ fail_exit (E_NOPERM);
+ }
+- err = valid_field (slop, ":");
++ err = valid_field (slop, ":\n");
+ if (err > 0) {
+ fprintf (stderr, _("%s: '%s' contains non-ASCII characters\n"), Prog, slop);
+ } else if (err < 0) {
+Index: shadow-4.1.4.2/src/chsh.c
+===================================================================
+--- shadow-4.1.4.2.orig/src/chsh.c 2011-02-14 13:38:26.831571974 -0800
++++ shadow-4.1.4.2/src/chsh.c 2011-02-14 13:38:52.691932532 -0800
+@@ -528,7 +528,7 @@
+ * users are restricted to using the shells in /etc/shells.
+ * The shell must be executable by the user.
+ */
+- if (valid_field (loginsh, ":,=") != 0) {
++ if (valid_field (loginsh, ":,=\n") != 0) {
+ fprintf (stderr, _("%s: Invalid entry: %s\n"), Prog, loginsh);
+ fail_exit (1);
+ }
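Review bot: the newline is rejected by appending "\n" to the reject string at each of the six `valid_field` call sites (fullnm, roomno, workph, homeph and slop in chfn.c, loginsh in chsh.c), so a future caller that passes the old ":,=" string gets the old behaviour back. In the fullnm, roomno and slop checks the `err > 0` branch only prints the non-ASCII warning and continues, with `fail_exit` reached only on `err < 0`, which means the fix depends entirely on "\n" being in that per-call string. Suggest moving the newline rejection into `valid_field` itself so it cannot be omitted, and, since the description says "all newline characters", stating whether "\r" is meant to be covered, because only "\n" is added here.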
diff -pruN 1:4.1.4.2+svn3283-2ubuntu2/debian/patches/series 1:4.1.4.2+svn3283-2ubuntu3/debian/patches/series
--- 1:4.1.4.2+svn3283-2ubuntu2/debian/patches/series 2011-03-08 18:23:34.000000000 +0000
+++ 1:4.1.4.2+svn3283-2ubuntu3/debian/patches/series 2011-03-08 18:23:32.000000000 +0000
@@ -18,4 +18,5 @@
523_su_arguments_are_no_more_concatenated_by_default
508_nologin_in_usr_sbin
505_useradd_recommend_adduser
+300_CVE-2011-0721
495_stdout-encrypted-password