Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shadow for openSUSE:Factory checked in at 2023-04-21 14:15:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shadow (Old)
 and      /work/SRC/openSUSE:Factory/.shadow.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadow" Fri Apr 21 14:15:33 2023 rev:57 rq:1080172 version:4.13 Changes: -------- --- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2023-04-16 16:06:43.336694868 +0200 +++ /work/SRC/openSUSE:Factory/.shadow.new.1533/shadow.changes 2023-04-21 14:15:35.738104354 +0200 @@ -1,0 +2,7 @@ +Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter <[email protected]> + +- bsc#1210507 (CVE-2023-29383): + Check for control characters +- Add shadow-CVE-2023-29383.patch + +------------------------------------------------------------------- New: ---- shadow-CVE-2023-29383.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shadow.spec ++++++ --- /var/tmp/diff_new_pack.FL5kjU/_old 2023-04-21 14:15:36.646109445 +0200 +++ /var/tmp/diff_new_pack.FL5kjU/_new 2023-04-21 14:15:36.650109468 +0200 @@ -54,6 +54,8 @@ Patch7: shadow-audit-no-id.patch # PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch [email protected] -- Fix print full login timeout message (gh/shadow-maint/shadow#621) Patch8: shadow-fix-print-login-timeout.patch +# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch [email protected] -- Check control chracters in chfn (bsc#1210507) +Patch9: shadow-CVE-2023-29383.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake @@ -123,6 +125,7 @@ %endif %patch7 -p1 %patch8 -p1 +%patch9 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO ++++++ shadow-CVE-2023-29383.patch ++++++ Index: shadow-4.13/lib/fields.c =================================================================== --- shadow-4.13.orig/lib/fields.c +++ shadow-4.13/lib/fields.c 
@@ -21,9 +21,9 @@ * * The supplied field is scanned for non-printable and other illegal * characters. - * + -1 is returned if an illegal character is present. - * + 1 is returned if no illegal characters are present, but the field - * contains a non-printable character. + * + -1 is returned if an illegal or control character is present. + * + 1 is returned if no illegal or control characters are present, + * but the field contains a non-printable character. * + 0 is returned otherwise. */ int valid_field (const char *field, const char *illegal) @@ -37,23 +37,22 @@ int valid_field (const char *field, cons /* For each character of field, search if it appears in the list * of illegal characters. */ + if (illegal && NULL != strpbrk (field, illegal)) { + return -1; + } + + /* Search if there are non-printable or control characters */ for (cp = field; '\0' != *cp; cp++) { - if (strchr (illegal, *cp) != NULL) { + unsigned char c = *cp; + if (!isprint (c)) { + err = 1; + } + if (iscntrl (c)) { err = -1; break; } } - if (0 == err) { - /* Search if there are some non-printable characters */ - for (cp = field; '\0' != *cp; cp++) { - if (!isprint (*cp)) { - err = 1; - break; - } - } - } - return err; }
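Review bot: typo in the comment line added by the shadow.spec `@@ -54,6 +54,8 @@` hunk: `# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch ... -- Check control chracters in chfn (bsc#1210507)` should read "Check control characters in chfn". The `Patch9:` declaration and the matching `+%patch9 -p1` in the second spec hunk follow the existing Patch7/Patch8 pattern and look right.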
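Review bot: the rewritten comment in the lib/fields.c `@@ -21,9 +21,9 @@` hunk documents the new -1/1/0 return values but does not mention that `illegal` may now be NULL, which the guard `if (illegal && NULL != strpbrk (field, illegal))` in the following hunk permits (the removed `strchr (illegal, *cp)` would have dereferenced a NULL `illegal`). Suggest adding a line such as `* illegal may be NULL, in which case only the control/non-printable scan is done.` It would also help to say that the scan is per byte with the single-byte ctype functions, so "non-printable" means non-printable in the current locale's byte classification.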
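Review bot: in the `@@ -37,23 +37,22 @@` hunk the loop deliberately keeps scanning after a non-printable byte (`err = 1;` with no `break`) so that a control byte later in the field still yields -1; the consequence worth a test is that every byte of a multibyte UTF-8 character (all >= 0x80, and non-printable under the single-byte `isprint`) is classified as non-printable, so a valid non-ASCII name returns 1. Callers must keep treating 1 as a warning rather than a rejection, as the pre-patch comment already defined it, otherwise this change would refuse such names. The `unsigned char c = *cp;` conversion is correct and needed: the removed `isprint (*cp)` passed a plain `char`, which is undefined behaviour for negative values. Because `iscntrl (c)` implies `!isprint (c)`, a control byte first sets `err = 1` and is then overwritten with `-1`; testing `iscntrl (c)` first and using `else if (!isprint (c))` for the second branch would make that intent clearer without changing the result. Replacing the per-character `strchr` with a single `strpbrk` early return preserves the old -1 result for fields that contain an illegal character.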
