[Pkg-shadow-devel] [shadow] 02/02: Imported Debian patch 1:4.2-3+deb8u3
Balint Reczey
rbalint at moszumanska.debian.org
Sun Feb 26 10:39:47 UTC 2017
This is an automated email from the git hooks/post-receive script.
rbalint pushed a commit to branch jessie
in repository shadow.
commit 096c5f276b00c51f89a531e2fd61ec1bd6b7ef2f
Author: Balint Reczey <balint at balintreczey.hu>
Date: Fri Feb 24 00:57:31 2017 +0100
Imported Debian patch 1:4.2-3+deb8u3
---
debian/changelog | 8 ++++
debian/control | 3 +-
.../302-CVE-2016-6252-fix-integer-overflow.patch | 46 ++++++++++++++++++++++
debian/patches/523_su_arguments_are_concatenated | 8 ++--
...u_arguments_are_no_more_concatenated_by_default | 10 ++---
debian/patches/series | 1 +
6 files changed, 64 insertions(+), 12 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 0066bf0..ef5a7e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shadow (1:4.2-3+deb8u3) jessie-security; urgency=high
+
+ * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
+ * Refresh patches
+ * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)
+
+ -- Balint Reczey <balint at balintreczey.hu> Fri, 24 Feb 2017 00:57:31 +0100
+
shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff --git a/debian/control b/debian/control
index 6f06f5b..232dc91 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,8 @@ Section: admin
Priority: required
Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
Standards-Version: 3.9.5
-Uploaders: Christian Perrier <bubulle at debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>
+Uploaders: Christian Perrier <bubulle at debian.org>,
+ Balint Reczey <balint at balintreczey.hu>
Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
,hardening-wrapper
Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
diff --git a/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch b/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
new file mode 100644
index 0000000..2f2195b
--- /dev/null
+++ b/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
@@ -0,0 +1,46 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer at suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+ */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+- long long int val;
++ unsigned long int val;
+ char *endptr;
+
+ errno = 0;
+- val = strtoll (numstr, &endptr, 0);
++ val = strtoul (numstr, &endptr, 0);
+ if ( ('\0' == *numstr)
+ || ('\0' != *endptr)
+ || (ERANGE == errno)
+- /*@+ignoresigns@*/
+- || (val != (unsigned long int)val)
+- /*@=ignoresigns@*/
+ ) {
+ return 0;
+ }
+
+- *result = (unsigned long int)val;
++ *result = val;
+ return 1;
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated
index 6d994e2..9a22d22 100644
--- a/debian/patches/523_su_arguments_are_concatenated
+++ b/debian/patches/523_su_arguments_are_concatenated
@@ -8,11 +8,9 @@ Status wrt upstream: This is a Debian specific patch.
Note: the fix of the man page is still missing.
(to be taken from the trunk)
-Index: git/src/su.c
-===================================================================
---- git.orig/src/su.c
-+++ git/src/su.c
-@@ -1152,6 +1152,35 @@
+--- a/src/su.c
++++ b/src/su.c
+@@ -1167,6 +1167,35 @@
argv[0] = "-c";
argv[1] = command;
}
diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
index e148d8d..34f0248 100644
--- a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+++ b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
@@ -8,10 +8,8 @@ Etch.
Status wrt upstream: This patch is Debian specific.
-Index: git/src/su.c
-===================================================================
---- git.orig/src/su.c
-+++ git/src/su.c
+--- a/src/su.c
++++ b/src/su.c
@@ -104,6 +104,19 @@
/* If nonzero, change some environment vars to indicate the user su'd to. */
static bool change_environment = true;
@@ -32,7 +30,7 @@ Index: git/src/su.c
#ifdef USE_PAM
static pam_handle_t *pamh = NULL;
static int caught = 0;
-@@ -949,6 +962,8 @@
+@@ -964,6 +977,8 @@
int ret;
#endif /* USE_PAM */
@@ -41,7 +39,7 @@ Index: git/src/su.c
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
-@@ -1156,7 +1171,7 @@
+@@ -1171,7 +1186,7 @@
* resulting string is always given to the shell with its
* -c option.
*/
diff --git a/debian/patches/series b/debian/patches/series
index ceb25e0..5679082 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,6 +5,7 @@
503_shadowconfig.8
008_login_log_failure_in_FTMP
301-CVE-2017-2616-su-properly-clear-child-PID.patch
+302-CVE-2016-6252-fix-integer-overflow.patch
429_login_FAILLOG_ENAB
401_cppw_src.dpatch
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shadow/shadow.git
More information about the Pkg-shadow-devel
mailing list