Openembedded Core Discussions
* [PATCH 0/1] shadow: fix CVE-2017-12424
From: Chen Qi @ 2017-08-16 10:28 UTC
  To: openembedded-core

The following changes since commit 6016ec177af2406cacfeb3276dfcb8bfc3df8fce:

  poky.conf: Enable vulkan by default (2017-08-16 00:04:39 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/CVE-2017-12424
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/CVE-2017-12424

Chen Qi (1):
  shadow: fix CVE-2017-12424

 .../shadow/files/0001-shadow-CVE-2017-12424        | 46 ++++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424

-- 
1.9.1




* [PATCH 1/1] shadow: fix CVE-2017-12424
From: Chen Qi @ 2017-08-16 10:28 UTC
  To: openembedded-core

Backport a patch to fix CVE-2017-12424.

In shadow before 4.5, the newusers tool could be made to manipulate
internal data structures in ways unintended by the authors.

Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424

CVE: CVE-2017-12424

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../shadow/files/0001-shadow-CVE-2017-12424        | 46 ++++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424

diff --git a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
new file mode 100644
index 0000000..4d3e1e0
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
@@ -0,0 +1,46 @@
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
+
+CVE: CVE-2017-12424
+Upstream-Status: Backport
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index b10da06..31edbaa 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif
+-- 
+2.1.0
+
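Review bot: the loop-condition change in the nested lib/commonio.c hunk is consistent with the commit message and with the `if` that follows it: an entry whose `line` is NULL is now counted instead of ending the counting pass, and since the loop can then only stop on a NULL `ptr` or on an entry whose line starts with '+' or '-', the `NULL != ptr->line` test removed from `if ((NULL != ptr) && (NULL != ptr->line))` was redundant and dropping it is safe. One documentation point for the backport header: it carries `Upstream-Status: Backport` and the upstream commit id 954e3d2e7113e9ac06632aee3c69b8d818cc8952 but no link to the upstream repository or commit; adding the URL lets a reviewer confirm the backport matches upstream without searching for the hash.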
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 5e6b0bd..cc18964 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
            file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
            file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
            file://0001-useradd-copy-extended-attributes-of-home.patch \
+           file://0001-shadow-CVE-2017-12424 \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            "
 
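Review bot: the new SRC_URI entry `file://0001-shadow-CVE-2017-12424 \` names a file with neither a `.patch` nor a `.diff` suffix and carries no `;apply=yes` parameter. bitbake's do_patch applies a local file only when it has one of those suffixes or when `apply=yes` is set, so as written the file is copied into the work directory but never applied, and the CVE fix would silently be missing from the built binary. Rename the file to `0001-shadow-CVE-2017-12424.patch` (adjusting the `create mode` path above) or append `;apply=yes` to the entry; the rename is preferable because the cve-check class also only scans recognised patch files for the `CVE:` tag, so with the suffix the `CVE: CVE-2017-12424` line is picked up and the issue is reported as patched.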
-- 
1.9.1
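To make the failure mode in the backported commit message concrete, the following is an added example, not shadow's code and not part of this patch: a small model of the count-then-fill structure of commonio_sort() over a linked list of entries whose `line` may be NULL. `keep_counting_broken` mirrors the pre-fix `for` condition and `keep_counting_fixed` mirrors the patched one; the fill pass, which the hunk does not show, is modelled on the assumption that it walks to the NIS entry recorded by the first pass (or to the end of the list when none was recorded). All names and the sample entries are constructed for the example, and the code reports the slot counts each pass would use rather than performing the write, so the mismatch is observable without an out-of-bounds access.

```c
/* Added example, not shadow's code: a model of the count-then-fill pattern
 * in commonio_sort(), showing why a NULL `line` entry made the two passes
 * disagree before the fix and agree after it. Names are hypothetical; the
 * shape of the fill pass is an assumption about code the hunk does not show. */
#include <stddef.h>
#include <stdio.h>

struct entry {
    const char *line;      /* NULL models an entry with no text line */
    struct entry *next;
};

struct pass_result {
    size_t allocated;      /* slots the counting pass would size the array to */
    size_t needed;         /* slots the fill pass would actually write */
};

/* A '+' or '-' line is a NIS compat entry that KEEP_NIS_AT_END keeps last. */
static int is_nis_line(const char *line)
{
    return line != NULL && (line[0] == '+' || line[0] == '-');
}

/* Pre-fix loop condition: a NULL line also ends the counting pass. */
static int keep_counting_broken(const struct entry *p)
{
    return p != NULL && p->line != NULL && !is_nis_line(p->line);
}

/* Post-fix loop condition from the patch: a NULL line is counted; only a
 * NIS line (or the end of the list) ends the pass. */
static int keep_counting_fixed(const struct entry *p)
{
    return p != NULL && (p->line == NULL || !is_nis_line(p->line));
}

/* Run both passes over `head` and report how many slots each would use,
 * instead of performing the write, so the mismatch is observable safely. */
static struct pass_result run_sort_passes(const struct entry *head, int fixed)
{
    const struct entry *p;
    const struct entry *nis = NULL;
    struct pass_result r = { 0, 0 };

    /* Pass 1: count the entries that will be sorted, stopping at the NIS block. */
    for (p = head; fixed ? keep_counting_fixed(p) : keep_counting_broken(p); p = p->next)
        r.allocated++;

    /* Pre-fix code recorded the NIS start only when the stop entry had a line;
     * the patch records it whenever the loop stopped on an entry. */
    if (p != NULL && (fixed || p->line != NULL))
        nis = p;

    /* Pass 2 (assumed shape): visit every entry up to `nis`, or to the end
     * of the list when no NIS entry was recorded, regardless of the count. */
    for (p = head; p != nis; p = p->next)
        r.needed++;

    return r;
}

/* True when the fill pass would write more slots than the counting pass sized. */
static int would_overflow(const struct entry *head, int fixed)
{
    struct pass_result r = run_sort_passes(head, fixed);
    return r.needed > r.allocated;
}

/* Constructed sample database: four regular entries, the third with a NULL
 * line, followed by one NIS '+' line. */
static const struct entry *sample_db(void)
{
    static struct entry e[5];
    e[0].line = "alice:x:1000:1000::/home/alice:/bin/sh"; e[0].next = &e[1];
    e[1].line = "bob:x:1001:1001::/home/bob:/bin/sh";     e[1].next = &e[2];
    e[2].line = NULL;                                     e[2].next = &e[3];
    e[3].line = "carol:x:1002:1002::/home/carol:/bin/sh"; e[3].next = &e[4];
    e[4].line = "+::::::";                                e[4].next = NULL;
    return &e[0];
}

int main(void)
{
    const struct entry *db = sample_db();
    struct pass_result before = run_sort_passes(db, 0);
    struct pass_result after = run_sort_passes(db, 1);

    printf("before fix: allocated %zu, fill pass needs %zu -> %s\n",
           before.allocated, before.needed, would_overflow(db, 0) ? "overflow" : "ok");
    printf("after fix:  allocated %zu, fill pass needs %zu -> %s\n",
           after.allocated, after.needed, would_overflow(db, 1) ? "overflow" : "ok");
    return 0;
}
```

With the pre-fix condition the counting pass stops at the NULL-line entry after two entries and, because that entry has no line, never records a NIS start, so the fill pass runs to the end of the list and needs five slots for a two-slot allocation. With the patched condition both passes stop at the '+' entry and agree on four.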




* Re: [PATCH 1/1] shadow: fix CVE-2017-12424
From: Jussi Kukkonen @ 2017-08-16 11:34 UTC
  To: Chen Qi; +Cc: Patches and discussions about the oe-core layer


On 16 August 2017 at 13:28, Chen Qi <Qi.Chen@windriver.com> wrote:

> Backport a patch to fix CVE-2017-12424.
>
> In shadow before 4.5, the newusers tool could be made to manipulate
> internal data structures in ways unintended by the authors.
>
> Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>
> CVE: CVE-2017-12424
>

I don't object to the patch but I'm wondering if there is a reason we are
taking the shadow sources from debian instead of the upstream github*?
shadow 4.5 seems to have been out for months already but Debian hasn't
taken it yet...

*) https://github.com/shadow-maint/shadow

Jussi




* Re: [PATCH 1/1] shadow: fix CVE-2017-12424
From: Randy MacLeod @ 2017-08-18 20:20 UTC
  To: Jussi Kukkonen, Chen Qi; +Cc: Patches and discussions about the oe-core layer

On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen@windriver.com 
> <mailto:Qi.Chen@windriver.com>> wrote:
> 
>     Backport a patch to fix CVE-2017-12424.
> 
>     In shadow before 4.5, the newusers tool could be made to manipulate
>     internal data structures in ways unintended by the authors.
> 
>     Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>     <https://nvd.nist.gov/vuln/detail/CVE-2017-12424>
> 
>     CVE: CVE-2017-12424
> 
> 
> I don't object to the patch but I'm wondering if there is a reason we 
> are taking the shadow sources from debian instead of the upstream 
> github*? shadow 4.5 seems to have been out for months already but Debian 
> hasn't taken it yet...
> 
> *) https://github.com/shadow-maint/shadow
> 
> Jussi


Good point. It's late in the release but maybe
not too late to update shadow.

Qi,
If you could give it a try and let us know if there are any
'gotchas' that would prevent or make the upgrade risky,
that would be great.


There are quite a few functional changes:
    $ git diff 4.2.1..4.5 etc lib libmisc man src | diffstat| tail -1
     83 files changed, 4011 insertions(+), 2020 deletions(-)

and a HUGE number of other changes:
    $ git diff 4.2.1..4.5 | diffstat| tail -1
     9818 files changed, 390853 insertions(+), 7556 deletions(-)

mainly in tests:
    $ git diff 4.2.1..4.5 tests/| diffstat| tail -1
     9690 files changed, 369156 insertions(+)
that could, say just post-M3, be added as ptests.

../Randy

-- 
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, 
Canada, K2K 2W5



* Re: [PATCH 1/1] shadow: fix CVE-2017-12424
From: Randy MacLeod @ 2017-08-21 13:17 UTC
  To: Jussi Kukkonen, Chen Qi; +Cc: Patches and discussions about the oe-core layer

On 2017-08-18 04:20 PM, Randy MacLeod wrote:
> On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
>> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen@windriver.com 
>> <mailto:Qi.Chen@windriver.com>> wrote:
>>
>>     Backport a patch to fix CVE-2017-12424.
>>
>>     In shadow before 4.5, the newusers tool could be made to manipulate
>>     internal data structures in ways unintended by the authors.
>>
>>     Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>>     <https://nvd.nist.gov/vuln/detail/CVE-2017-12424>
>>
>>     CVE: CVE-2017-12424
>>
>>
>> I don't object to the patch but I'm wondering if there is a reason we 
>> are taking the shadow sources from debian instead of the upstream 
>> github*? shadow 4.5 seems to have been out for months already but 
>> Debian hasn't taken it yet...
>>
>> *) https://github.com/shadow-maint/shadow
>>
>> Jussi
> 
> 
> Good point. It's late in the release but maybe
> not too late to update shadow.
> 
> Qi,
> If you could give it a try and let us know if there are any
> 'gotchas' that would prevent or make the upgrade risky,
> that would be great.

Turns out that Qi will only be able to do this at the start of
the oe-core-2.5 development cycle.

../Randy




-- 
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, 
Canada, K2K 2W5


