[Pkg-shadow-devel] [shadow] 02/02: Imported Debian patch 1:4.2-3+deb8u3

Balint Reczey rbalint at moszumanska.debian.org
Sun Feb 26 10:39:47 UTC 2017



rbalint pushed a commit to branch jessie
in repository shadow.

commit 096c5f276b00c51f89a531e2fd61ec1bd6b7ef2f
Author: Balint Reczey <balint at balintreczey.hu>
Date:   Fri Feb 24 00:57:31 2017 +0100

    Imported Debian patch 1:4.2-3+deb8u3
---
 debian/changelog                                   |  8 ++++
 debian/control                                     |  3 +-
 .../302-CVE-2016-6252-fix-integer-overflow.patch   | 46 ++++++++++++++++++++++
 debian/patches/523_su_arguments_are_concatenated   |  8 ++--
 ...u_arguments_are_no_more_concatenated_by_default | 10 ++---
 debian/patches/series                              |  1 +
 6 files changed, 64 insertions(+), 12 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 0066bf0..ef5a7e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shadow (1:4.2-3+deb8u3) jessie-security; urgency=high
+
+  * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
+  * Refresh patches
+  * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)
+
+ -- Balint Reczey <balint at balintreczey.hu>  Fri, 24 Feb 2017 00:57:31 +0100
+
 shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff --git a/debian/control b/debian/control
index 6f06f5b..232dc91 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,8 @@ Section: admin
 Priority: required
 Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
 Standards-Version: 3.9.5
-Uploaders: Christian Perrier <bubulle at debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>
+Uploaders: Christian Perrier <bubulle at debian.org>,
+           Balint Reczey <balint at balintreczey.hu>
 Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
  ,hardening-wrapper
 Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
diff --git a/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch b/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
new file mode 100644
index 0000000..2f2195b
--- /dev/null
+++ b/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
@@ -0,0 +1,46 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer at suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-	long long int val;
++	unsigned long int val;
+ 	char *endptr;
+ 
+ 	errno = 0;
+-	val = strtoll (numstr, &endptr, 0);
++	val = strtoul (numstr, &endptr, 0);
+ 	if (    ('\0' == *numstr)
+ 	     || ('\0' != *endptr)
+ 	     || (ERANGE == errno)
+-	     /*@+ignoresigns@*/
+-	     || (val != (unsigned long int)val)
+-	     /*@=ignoresigns@*/
+ 	   ) {
+ 		return 0;
+ 	}
+ 
+-	*result = (unsigned long int)val;
++	*result = val;
+ 	return 1;
+ }
+ 
+-- 
+2.1.4
+
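Review bot: The new strtoul() call at the `val = strtoul (numstr, &endptr, 0);` line still accepts a leading minus sign: C11 7.22.1.4 has strtoul negate the value in unsigned arithmetic without setting ERANGE, so an input such as "-1" passes every remaining check and stores ULONG_MAX in *result, the same silent wrap the removed `val != (unsigned long int)val` guard also let through on LP64 targets, where that comparison promotes both sides to unsigned long long. Callers that use the result as a count or an id then receive a huge value instead of a rejection. After the `errno = 0;` line, skip leading whitespace the way strtoul does and refuse a sign: `const char *p = numstr; while (isspace((unsigned char)*p)) p++; if ('-' == *p) return 0;` (this needs <ctype.h>, whose inclusion in lib/getulong.c lies outside this hunk). Whether any existing caller passes user-controlled strings to getulong is not visible from this diff.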
diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated
index 6d994e2..9a22d22 100644
--- a/debian/patches/523_su_arguments_are_concatenated
+++ b/debian/patches/523_su_arguments_are_concatenated
@@ -8,11 +8,9 @@ Status wrt upstream: This is a Debian specific patch.
 Note: the fix of the man page is still missing.
       (to be taken from the trunk)
 
-Index: git/src/su.c
-===================================================================
---- git.orig/src/su.c
-+++ git/src/su.c
-@@ -1152,6 +1152,35 @@
+--- a/src/su.c
++++ b/src/su.c
+@@ -1167,6 +1167,35 @@
  			argv[0] = "-c";
  			argv[1] = command;
  		}
diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
index e148d8d..34f0248 100644
--- a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+++ b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
@@ -8,10 +8,8 @@ Etch.
 
 Status wrt upstream: This patch is Debian specific.
 
-Index: git/src/su.c
-===================================================================
---- git.orig/src/su.c
-+++ git/src/su.c
+--- a/src/su.c
++++ b/src/su.c
 @@ -104,6 +104,19 @@
  /* If nonzero, change some environment vars to indicate the user su'd to. */
  static bool change_environment = true;
@@ -32,7 +30,7 @@ Index: git/src/su.c
  #ifdef USE_PAM
  static pam_handle_t *pamh = NULL;
  static int caught = 0;
-@@ -949,6 +962,8 @@
+@@ -964,6 +977,8 @@
  	int ret;
  #endif				/* USE_PAM */
  
@@ -41,7 +39,7 @@ Index: git/src/su.c
  	(void) setlocale (LC_ALL, "");
  	(void) bindtextdomain (PACKAGE, LOCALEDIR);
  	(void) textdomain (PACKAGE);
-@@ -1156,7 +1171,7 @@
+@@ -1171,7 +1186,7 @@
  		 * resulting string is always given to the shell with its
  		 * -c option.
  		 */
diff --git a/debian/patches/series b/debian/patches/series
index ceb25e0..5679082 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,6 +5,7 @@
 503_shadowconfig.8
 008_login_log_failure_in_FTMP
 301-CVE-2017-2616-su-properly-clear-child-PID.patch
+302-CVE-2016-6252-fix-integer-overflow.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first



