[Pkg-shadow-devel] [shadow] 01/02: Imported Debian patch 1:4.2-3+deb8u2

Balint Reczey rbalint at moszumanska.debian.org
Sun Feb 26 10:39:47 UTC 2017


This is an automated email from the git hooks/post-receive script.

rbalint pushed a commit to branch jessie
in repository shadow.

commit ba9a0dec9da2c5939070aa99c93b0f84b93725ee
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Feb 23 17:21:08 2017 +0100

    Imported Debian patch 1:4.2-3+deb8u2
---
 debian/changelog                                   | 11 ++----
 debian/control                                     |  3 +-
 .../302-CVE-2016-6252-fix-integer-overflow.patch   | 46 ----------------------
 debian/patches/523_su_arguments_are_concatenated   |  8 ++--
 ...u_arguments_are_no_more_concatenated_by_default | 10 +++--
 debian/patches/series                              |  1 -
 6 files changed, 15 insertions(+), 64 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index e902249..0066bf0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,9 @@
 shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
 
-  [ Salvatore Bonaccorso ]
-  * su: properly clear child PID (Closes: #855943)(CVE-2017-2616)
+  * Non-maintainer upload by the Security Team.
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
 
-  [ Balint Reczey ]
-  * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
-  * Refresh patches
-  * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)
-
- -- Balint Reczey <balint at balintreczey.hu>  Fri, 24 Feb 2017 00:57:31 +0100
+ -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 23 Feb 2017 17:21:08 +0100
 
 shadow (1:4.2-3+deb8u1) jessie; urgency=medium
 
diff --git a/debian/control b/debian/control
index 232dc91..6f06f5b 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,7 @@ Section: admin
 Priority: required
 Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
 Standards-Version: 3.9.5
-Uploaders: Christian Perrier <bubulle at debian.org>,
-           Balint Reczey <balint at balintreczey.hu>
+Uploaders: Christian Perrier <bubulle at debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>
 Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
  ,hardening-wrapper
 Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
diff --git a/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch b/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
deleted file mode 100644
index 2f2195b..0000000
--- a/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
-From: Sebastian Krahmer <krahmer at suse.com>
-Date: Wed, 3 Aug 2016 11:51:07 -0500
-Subject: [PATCH] Simplify getulong
-
-Use strtoul to read an unsigned long, rather than reading
-a signed long long and casting it.
-
-https://bugzilla.suse.com/show_bug.cgi?id=979282
----
- lib/getulong.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/lib/getulong.c b/lib/getulong.c
-index 61579ca..08d2c1a 100644
---- a/lib/getulong.c
-+++ b/lib/getulong.c
-@@ -44,22 +44,19 @@
-  */
- int getulong (const char *numstr, /*@out@*/unsigned long int *result)
- {
--	long long int val;
-+	unsigned long int val;
- 	char *endptr;
- 
- 	errno = 0;
--	val = strtoll (numstr, &endptr, 0);
-+	val = strtoul (numstr, &endptr, 0);
- 	if (    ('\0' == *numstr)
- 	     || ('\0' != *endptr)
- 	     || (ERANGE == errno)
--	     /*@+ignoresigns@*/
--	     || (val != (unsigned long int)val)
--	     /*@=ignoresigns@*/
- 	   ) {
- 		return 0;
- 	}
- 
--	*result = (unsigned long int)val;
-+	*result = val;
- 	return 1;
- }
- 
--- 
-2.1.4
-
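Review bot: Deleting this patch takes the CVE-2016-6252 fix out of the jessie branch, so `getulong()` is built again with the old `strtoll` parse and the `(unsigned long int)val` cast. The same removal shows in two other hunks: its line is dropped from `debian/patches/series`, and the changelog entry `Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)` is removed. The commit message only says it imports 1:4.2-3+deb8u2, so this presumably mirrors the uploaded package rather than rejecting the fix, but nothing on the page states that. I would say so in the commit description, e.g. `Drops 302-CVE-2016-6252-fix-integer-overflow.patch, which was not part of the uploaded deb8u2; CVE-2016-6252 stays open on jessie until it is re-added`, and keep #832170 tracked so the fix is not lost.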
diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated
index 9a22d22..6d994e2 100644
--- a/debian/patches/523_su_arguments_are_concatenated
+++ b/debian/patches/523_su_arguments_are_concatenated
@@ -8,9 +8,11 @@ Status wrt upstream: This is a Debian specific patch.
 Note: the fix of the man page is still missing.
       (to be taken from the trunk)
 
---- a/src/su.c
-+++ b/src/su.c
-@@ -1167,6 +1167,35 @@
+Index: git/src/su.c
+===================================================================
+--- git.orig/src/su.c
++++ git/src/su.c
+@@ -1152,6 +1152,35 @@
  			argv[0] = "-c";
  			argv[1] = command;
  		}
diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
index 34f0248..e148d8d 100644
--- a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+++ b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
@@ -8,8 +8,10 @@ Etch.
 
 Status wrt upstream: This patch is Debian specific.
 
---- a/src/su.c
-+++ b/src/su.c
+Index: git/src/su.c
+===================================================================
+--- git.orig/src/su.c
++++ git/src/su.c
 @@ -104,6 +104,19 @@
  /* If nonzero, change some environment vars to indicate the user su'd to. */
  static bool change_environment = true;
@@ -30,7 +32,7 @@ Status wrt upstream: This patch is Debian specific.
  #ifdef USE_PAM
  static pam_handle_t *pamh = NULL;
  static int caught = 0;
-@@ -964,6 +977,8 @@
+@@ -949,6 +962,8 @@
  	int ret;
  #endif				/* USE_PAM */
  
@@ -39,7 +41,7 @@ Status wrt upstream: This patch is Debian specific.
  	(void) setlocale (LC_ALL, "");
  	(void) bindtextdomain (PACKAGE, LOCALEDIR);
  	(void) textdomain (PACKAGE);
-@@ -1171,7 +1186,7 @@
+@@ -1156,7 +1171,7 @@
  		 * resulting string is always given to the shell with its
  		 * -c option.
  		 */
diff --git a/debian/patches/series b/debian/patches/series
index 5679082..ceb25e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,7 +5,6 @@
 503_shadowconfig.8
 008_login_log_failure_in_FTMP
 301-CVE-2017-2616-su-properly-clear-child-PID.patch
-302-CVE-2016-6252-fix-integer-overflow.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shadow/shadow.git


