Apply backported patch that fixes CVE-2016-6252 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.
Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Add SOB to patch file. .../shadow/files/0001-Simplify-getulong.patch | 54 ++++++++++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch new file mode 100644 index 0000000000..8a41fb1dd6 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch @@ -0,0 +1,54 @@ +From 70723e568159f3130b6076463f0bf978763e3369 Mon Sep 17 00:00:00 2001 +From: Sebastian Krahmer <krah...@suse.com> +Date: Wed, 3 Aug 2016 11:51:07 -0500 +Subject: [PATCH] Simplify getulong + +Use strtoul to read an unsigned long, rather than reading +a signed long long and casting it. + +https://bugzilla.suse.com/show_bug.cgi?id=979282 + +Upstream-Status: Backport +https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie +https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1 + +CVE: CVE-2016-6252 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + lib/getulong.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/lib/getulong.c b/lib/getulong.c +index 61579ca..08d2c1a 100644 +--- a/lib/getulong.c ++++ b/lib/getulong.c +@@ -44,22 +44,19 @@ + */ + int getulong (const char *numstr, /*@out@*/unsigned long int *result) + { +- long long int val; ++ unsigned long int val; + char *endptr; + + errno = 0; +- val = strtoll (numstr, &endptr, 0); ++ val = strtoul (numstr, &endptr, 0); + if ( ('\0' == *numstr) + || ('\0' != *endptr) + || (ERANGE == errno) +- /*@+ignoresigns@*/ +- || (val != (unsigned long int)val) +- /*@=ignoresigns@*/ + ) { + return 0; + } + +- *result = (unsigned long int)val; ++ *result = val; + return 1; + } + +-- +2.15.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 031e880630..9fb1cd3d17 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -18,6 +18,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://0001-useradd-copy-extended-attributes-of-home.patch \ file://0001-shadow-CVE-2017-12424 \ file://0001-su-properly-clear-child-PID.patch \ + file://0001-Simplify-getulong.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 2.15.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
