shadow: fix for CVE-2016-6252

Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. References: ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252 Upstream fix: https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-08-29 10:31:19 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-08-29 13:37:48 +0200
commit: e3f32e1fc30aa34b0bfa73fc53231396220beb5b (patch)
tree: f47981461438cd56a09e44f54c39bf8123ac537b /recipes-extended
parent: ad28b1279655db5b0986a8d7ca331358a3e363d1 (diff)
download: meta-nfv-access-common-e3f32e1fc30aa34b0bfa73fc53231396220beb5b.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-extended/shadow/shadow/CVE-2016-6252.patch b/recipes-extended/shadow/shadow/CVE-2016-6252.patch
new file mode 100644
index 0000000..6e05584
--- /dev/null
+++ b/recipes-extended/shadow/shadow/CVE-2016-6252.patch
@@ -0,0 +1,48 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+CVE: CVE-2016-6252
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579cae..08d2c1a8 100644
+--- a/lib/getulong.c
+++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-       long long int val;
+       unsigned long int val;
+        char *endptr;
+ 
+        errno = 0;
+-       val = strtoll (numstr, &endptr, 0);
+       val = strtoul (numstr, &endptr, 0);
+        if (    ('\0' == *numstr)
+             || ('\0' != *endptr)
+             || (ERANGE == errno)
+-            /*@+ignoresigns@*/
+-            || (val != (unsigned long int)val)
+-            /*@=ignoresigns@*/
+           ) {
+                return 0;
+        }
+ 
+-       *result = (unsigned long int)val;
+       *result = val;
+        return 1;
+ }
+ 
diff --git a/recipes-extended/shadow/shadow_%.bbappend b/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..4f04479
--- /dev/null
+++ b/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://CVE-2016-6252.patch \
+           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-08-29 10:31:19 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-08-29 13:37:48 +0200
commit	e3f32e1fc30aa34b0bfa73fc53231396220beb5b (patch)
tree	f47981461438cd56a09e44f54c39bf8123ac537b /recipes-extended
parent	ad28b1279655db5b0986a8d7ca331358a3e363d1 (diff)
download	meta-nfv-access-common-e3f32e1fc30aa34b0bfa73fc53231396220beb5b.tar.gz

diff --git a/recipes-extended/shadow/shadow/CVE-2016-6252.patch b/recipes-extended/shadow/shadow/CVE-2016-6252.patch new file mode 100644 index 0000000..6e05584 --- /dev/null +++ b/recipes-extended/shadow/shadow/CVE-2016-6252.patch
@@ -0,0 +1,48 @@
	1	From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
	2	From: Sebastian Krahmer <krahmer@suse.com>
	3	Date: Wed, 3 Aug 2016 11:51:07 -0500
	4	Subject: [PATCH] Simplify getulong
	5
	6	Use strtoul to read an unsigned long, rather than reading
	7	a signed long long and casting it.
	8
	9	https://bugzilla.suse.com/show_bug.cgi?id=979282
	10
	11	CVE: CVE-2016-6252
	12	Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1]
	13
	14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	15	---
	16	lib/getulong.c \| 9 +++------
	17	1 file changed, 3 insertions(+), 6 deletions(-)
	18
	19	diff --git a/lib/getulong.c b/lib/getulong.c
	20	index 61579cae..08d2c1a8 100644
	21	--- a/lib/getulong.c
	22	+++ b/lib/getulong.c
	23	@@ -44,22 +44,19 @@
	24	*/
	25	int getulong (const char numstr, /@out@/unsigned long int result)
	26	{
	27	- long long int val;
	28	+ unsigned long int val;
	29	char *endptr;
	30
	31	errno = 0;
	32	- val = strtoll (numstr, &endptr, 0);
	33	+ val = strtoul (numstr, &endptr, 0);
	34	if ( ('\0' == *numstr)
	35	\|\| ('\0' != *endptr)
	36	\|\| (ERANGE == errno)
	37	- /@+ignoresigns@/
	38	- \|\| (val != (unsigned long int)val)
	39	- /@=ignoresigns@/
	40	) {
	41	return 0;
	42	}
	43
	44	- *result = (unsigned long int)val;
	45	+ *result = val;
	46	return 1;
	47	}
	48


diff --git a/recipes-extended/shadow/shadow_%.bbappend b/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 0000000..4f04479 --- /dev/null +++ b/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,5 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += "file://CVE-2016-6252.patch \
	5	"