From e3f32e1fc30aa34b0bfa73fc53231396220beb5b Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Tue, 29 Aug 2017 10:31:19 +0200
Subject: shadow: fix for CVE-2016-6252

Integer overflow in shadow 4.2.1 allows local users to gain privileges via
crafted input to newuidmap.

References:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252
Upstream fix:
https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 recipes-extended/shadow/shadow/CVE-2016-6252.patch | 48 ++++++++++++++++++++++
 recipes-extended/shadow/shadow_%.bbappend          |  5 +++
 2 files changed, 53 insertions(+)
 create mode 100644 recipes-extended/shadow/shadow/CVE-2016-6252.patch
 create mode 100644 recipes-extended/shadow/shadow_%.bbappend

(limited to 'recipes-extended')

diff --git a/recipes-extended/shadow/shadow/CVE-2016-6252.patch b/recipes-extended/shadow/shadow/CVE-2016-6252.patch
new file mode 100644
index 0000000..6e05584
--- /dev/null
+++ b/recipes-extended/shadow/shadow/CVE-2016-6252.patch
@@ -0,0 +1,48 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+
+CVE: CVE-2016-6252
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579cae..08d2c1a8 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-	long long int val;
++	unsigned long int val;
+ 	char *endptr;
+ 
+ 	errno = 0;
+-	val = strtoll (numstr, &endptr, 0);
++	val = strtoul (numstr, &endptr, 0);
+ 	if (    ('\0' == *numstr)
+ 	     || ('\0' != *endptr)
+ 	     || (ERANGE == errno)
+-	     /*@+ignoresigns@*/
+-	     || (val != (unsigned long int)val)
+-	     /*@=ignoresigns@*/
+ 	   ) {
+ 		return 0;
+ 	}
+ 
+-	*result = (unsigned long int)val;
++	*result = val;
+ 	return 1;
+ }
+ 
diff --git a/recipes-extended/shadow/shadow_%.bbappend b/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..4f04479
--- /dev/null
+++ b/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://CVE-2016-6252.patch \
+           "
-- 
cgit v1.2.3-54-g00ecf