shadow: backport patch to fix CVE-2023-29383

The fix of CVE-2023-29383.patch contains a bug that it rejects all characters that are not control ones, so backup another patch named "0001-Overhaul-valid_field.patch" from upstream to fix it. (From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa) Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d & https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] (From OE-Core rev: a53d446c289f07854e286479cd7e4843ddd0ee8c) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-11-23 09:07:05 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-12-01 04:14:18 -1000
commit: 7c678246f658d306f759a17533fbb012492412ae (patch)
tree: f96669bb2bb1e213abea592fb6c36dd60852bc55
parent: d3f1ae99a7e3f758421f5e761910f9281a3fec8e (diff)
download: poky-7c678246f658d306f759a17533fbb012492412ae.tar.gz
3 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 0000000000..aea07ff361
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,66 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+Use strpbrk(3) for the illegal character test and return early.
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
+++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+        /* For each character of field, search if it appears in the list
+         * of illegal characters. */
+       if (illegal && NULL != strpbrk (field, illegal)) {
+               return -1;
+       }
+
+       /* Search if there are non-printable or control characters */
+        for (cp = field; '\0' != *cp; cp++) {
+-               if (strchr (illegal, *cp) != NULL) {
+               unsigned char c = *cp;
+               if (!isprint (c)) {
+                       err = 1;
+               }
+               if (iscntrl (c)) {
+                        err = -1;
+                        break;
+                }
+        }
+ 
+-       if (0 == err) {
+-               /* Search if there are non-printable or control characters */
+-               for (cp = field; '\0' != *cp; cp++) {
+-                       if (!isprint (*cp)) {
+-                               err = 1;
+-                       }
+-                       if (!iscntrl (*cp)) {
+-                               err = -1;
+-                               break;
+-                       }
+-               }
+-       }
+-
+        return err;
+ }
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 0000000000..dbf4a508e9
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+Added control character check, returning -1 (to "err") if control characters are present.
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
+++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
+ *  + -1 is returned if an illegal or control character is present.
+ *  +  1 is returned if no illegal or control characters are present,
+ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+        }
+ 
+        if (0 == err) {
+-               /* Search if there are some non-printable characters */
+               /* Search if there are non-printable or control characters */
+                for (cp = field; '\0' != *cp; cp++) {
+                        if (!isprint (*cp)) {
+                                err = 1;
+                       }
+                       if (!iscntrl (*cp)) {
+                               err = -1;
+                                break;
+                        }
+                }
+-- 
+2.34.1
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index bfe50c18f6..2ecab5073d 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -14,6 +14,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
           file://shadow-4.1.3-dots-in-usernames.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://shadow-relaxed-usernames.patch \
+           file://CVE-2023-29383.patch \
+           file://0001-Overhaul-valid_field.patch \
           "
 SRC_URI_append_class-target = " \
author	Vijay Anusuri <vanusuri@mvista.com>	2023-11-23 09:07:05 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-12-01 04:14:18 -1000
commit	7c678246f658d306f759a17533fbb012492412ae (patch)
tree	f96669bb2bb1e213abea592fb6c36dd60852bc55
parent	d3f1ae99a7e3f758421f5e761910f9281a3fec8e (diff)
download	poky-7c678246f658d306f759a17533fbb012492412ae.tar.gz

diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch new file mode 100644 index 0000000000..aea07ff361 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,66 @@
		1	From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
		3	Date: Fri, 31 Mar 2023 14:46:50 +0200
		4	Subject: [PATCH] Overhaul valid_field()
		5
		6	e5905c4b ("Added control character check") introduced checking for
		7	control characters but had the logic inverted, so it rejects all
		8	characters that are not control ones.
		9
		10	Cast the character to `unsigned char` before passing to the character
		11	checking functions to avoid UB.
		12
		13	Use strpbrk(3) for the illegal character test and return early.
		14
		15	Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
		16
		17	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		18	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		19	---
		20	lib/fields.c \| 24 ++++++++++--------------
		21	1 file changed, 10 insertions(+), 14 deletions(-)
		22
		23	diff --git a/lib/fields.c b/lib/fields.c
		24	index fb51b582..53929248 100644
		25	--- a/lib/fields.c
		26	+++ b/lib/fields.c
		27	@@ -37,26 +37,22 @@ int valid_field (const char field, const char illegal)
		28
		29	/* For each character of field, search if it appears in the list
		30	* of illegal characters. */
		31	+ if (illegal && NULL != strpbrk (field, illegal)) {
		32	+ return -1;
		33	+ }
		34	+
		35	+ /* Search if there are non-printable or control characters */
		36	for (cp = field; '\0' != *cp; cp++) {
		37	- if (strchr (illegal, *cp) != NULL) {
		38	+ unsigned char c = *cp;
		39	+ if (!isprint (c)) {
		40	+ err = 1;
		41	+ }
		42	+ if (iscntrl (c)) {
		43	err = -1;
		44	break;
		45	}
		46	}
		47
		48	- if (0 == err) {
		49	- /* Search if there are non-printable or control characters */
		50	- for (cp = field; '\0' != *cp; cp++) {
		51	- if (!isprint (*cp)) {
		52	- err = 1;
		53	- }
		54	- if (!iscntrl (*cp)) {
		55	- err = -1;
		56	- break;
		57	- }
		58	- }
		59	- }
		60	-
		61	return err;
		62	}
		63
		64	--
		65	2.34.1
		66


diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch new file mode 100644 index 0000000000..dbf4a508e9 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
		1	From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
		2	From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
		3	Date: Thu, 23 Mar 2023 23:39:38 +0000
		4	Subject: [PATCH] Added control character check
		5
		6	Added control character check, returning -1 (to "err") if control characters are present.
		7
		8	CVE: CVE-2023-29383
		9	Upstream-Status: Backport
		10
		11	Reference to upstream:
		12	https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
		13
		14	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	lib/fields.c \| 11 +++++++----
		18	1 file changed, 7 insertions(+), 4 deletions(-)
		19
		20	diff --git a/lib/fields.c b/lib/fields.c
		21	index 640be931..fb51b582 100644
		22	--- a/lib/fields.c
		23	+++ b/lib/fields.c
		24	@@ -21,9 +21,9 @@
		25	*
		26	* The supplied field is scanned for non-printable and other illegal
		27	* characters.
		28	- * + -1 is returned if an illegal character is present.
		29	- * + 1 is returned if no illegal characters are present, but the field
		30	- * contains a non-printable character.
		31	+ * + -1 is returned if an illegal or control character is present.
		32	+ * + 1 is returned if no illegal or control characters are present,
		33	+ * but the field contains a non-printable character.
		34	* + 0 is returned otherwise.
		35	*/
		36	int valid_field (const char field, const char illegal)
		37	@@ -45,10 +45,13 @@ int valid_field (const char field, const char illegal)
		38	}
		39
		40	if (0 == err) {
		41	- /* Search if there are some non-printable characters */
		42	+ /* Search if there are non-printable or control characters */
		43	for (cp = field; '\0' != *cp; cp++) {
		44	if (!isprint (*cp)) {
		45	err = 1;
		46	+ }
		47	+ if (!iscntrl (*cp)) {
		48	+ err = -1;
		49	break;
		50	}
		51	}
		52	--
		53	2.34.1
		54


diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index bfe50c18f6..2ecab5073d 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc
@@ -14,6 +14,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
14	file://shadow-4.1.3-dots-in-usernames.patch \	14	file://shadow-4.1.3-dots-in-usernames.patch \
15	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \	15	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
16	file://shadow-relaxed-usernames.patch \	16	file://shadow-relaxed-usernames.patch \
		17	file://CVE-2023-29383.patch \
		18	file://0001-Overhaul-valid_field.patch \
17	"	19	"
18		20
19	SRC_URI_append_class-target = " \	21	SRC_URI_append_class-target = " \