* [PATCH 0/1] shadow: fix CVE-2017-12424
From: Chen Qi @ 2017-08-16 10:28 UTC
To: openembedded-core

The following changes since commit 6016ec177af2406cacfeb3276dfcb8bfc3df8fce:

  poky.conf: Enable vulkan by default (2017-08-16 00:04:39 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/CVE-2017-12424
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/CVE-2017-12424

Chen Qi (1):
  shadow: fix CVE-2017-12424

 .../shadow/files/0001-shadow-CVE-2017-12424 | 46 ++++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424

--
1.9.1

* [PATCH 1/1] shadow: fix CVE-2017-12424
From: Chen Qi @ 2017-08-16 10:28 UTC
To: openembedded-core

Backport a patch to fix CVE-2017-12424.

In shadow before 4.5, the newusers tool could be made to manipulate
internal data structures in ways unintended by the authors.

Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424

CVE: CVE-2017-12424

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../shadow/files/0001-shadow-CVE-2017-12424 | 46 ++++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424

diff --git a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 new file mode 100644 index 0000000..4d3e1e0 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 
@@ -0,0 +1,46 @@ +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz <tmraz@fedoraproject.org> +Date: Fri, 31 Mar 2017 16:25:06 +0200 +Subject: [PATCH] Fix buffer overflow if NULL line is present in db. + +If ptr->line == NULL for an entry, the first cycle will exit, +but the second one will happily write past entries buffer. +We actually do not want to exit the first cycle prematurely +on ptr->line == NULL. +Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org> + +CVE: CVE-2017-12424 +Upstream-Status: Backport +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + lib/commonio.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/commonio.c b/lib/commonio.c +index b10da06..31edbaa 100644 +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *)) + for (ptr = db->head; + (NULL != ptr) + #if KEEP_NIS_AT_END +- && (NULL != ptr->line) +- && ( ('+' != ptr->line[0]) +- && ('-' != ptr->line[0])) ++ && ((NULL == ptr->line) ++ || (('+' != ptr->line[0]) ++ && ('-' != ptr->line[0]))) + #endif + ; + ptr = ptr->next) { + n++; + } + #if KEEP_NIS_AT_END +- if ((NULL != ptr) && (NULL != ptr->line)) { ++ if (NULL != ptr) { + nis = ptr; + } + #endif +-- +2.1.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 5e6b0bd..cc18964 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ file://0001-useradd-copy-extended-attributes-of-home.patch \ + file://0001-shadow-CVE-2017-12424 \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
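
Review bot: In the header of the new file files/0001-shadow-CVE-2017-12424, "Upstream-Status: Backport" names no upstream source, so a later maintainer cannot tell from the tag alone when the patch can be dropped. Suggest putting the upstream reference in brackets after "Backport"; the embedded From line already carries the commit id 954e3d2e7113e9ac06632aee3c69b8d818cc8952. On the embedded lib/commonio.c hunk: both changed conditions sit inside "#if KEEP_NIS_AT_END", and the second loop that the message says writes past the entries buffer is outside the visible context, so the description would be easier to check if it said how "n" and "nis" from this loop are used by that later loop. A blank line before the first Signed-off-by in the embedded message would also keep the trailer block separate from the description.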
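
Review bot: In the shadow.inc hunk, the added SRC_URI entry "file://0001-shadow-CVE-2017-12424" has no .patch suffix, unlike the three file:// entries above it in the same hunk. The OE patch task only applies local SRC_URI files whose names end in .patch or .diff unless ";apply=yes" is set on the entry, so as written the file would be fetched but the fix would not be applied to the shadow sources. Suggest renaming the new file to 0001-shadow-CVE-2017-12424.patch and updating this entry to match, or appending ";apply=yes" to the entry.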
* Re: [PATCH 1/1] shadow: fix CVE-2017-12424
From: Jussi Kukkonen @ 2017-08-16 11:34 UTC
To: Chen Qi
Cc: Patches and discussions about the oe-core layer

On 16 August 2017 at 13:28, Chen Qi <Qi.Chen@windriver.com> wrote:

> Backport a patch to fix CVE-2017-12424.
>
> In shadow before 4.5, the newusers tool could be made to manipulate
> internal data structures in ways unintended by the authors.
>
> Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>
> CVE: CVE-2017-12424
>

I don't object to the patch but I'm wondering if there is a reason we are
taking the shadow sources from debian instead of the upstream github*?
shadow 4.5 seems to have been out for months already but Debian hasn't
taken it yet...

*) https://github.com/shadow-maint/shadow

Jussi

>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  .../shadow/files/0001-shadow-CVE-2017-12424 | 46 ++++++++++++++++++++++
>  meta/recipes-extended/shadow/shadow.inc | 1 +
>  2 files changed, 47 insertions(+)
>  create mode 100644 meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
>
> diff --git a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > new file mode 100644 > index 0000000..4d3e1e0 > --- /dev/null > +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 
> @@ -0,0 +1,46 @@ > +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 > +From: Tomas Mraz <tmraz@fedoraproject.org> > +Date: Fri, 31 Mar 2017 16:25:06 +0200 > +Subject: [PATCH] Fix buffer overflow if NULL line is present in db. > + > +If ptr->line == NULL for an entry, the first cycle will exit, > +but the second one will happily write past entries buffer. > +We actually do not want to exit the first cycle prematurely > +on ptr->line == NULL. > +Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org> > + > +CVE: CVE-2017-12424 > +Upstream-Status: Backport > +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > +--- > + lib/commonio.c | 8 ++++---- > + 1 file changed, 4 insertions(+), 4 deletions(-) > + > +diff --git a/lib/commonio.c b/lib/commonio.c > +index b10da06..31edbaa 100644 > +--- a/lib/commonio.c > ++++ b/lib/commonio.c > +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) > (const void *, const void *)) > + for (ptr = db->head; > + (NULL != ptr) > + #if KEEP_NIS_AT_END > +- && (NULL != ptr->line) > +- && ( ('+' != ptr->line[0]) > +- && ('-' != ptr->line[0])) > ++ && ((NULL == ptr->line) > ++ || (('+' != ptr->line[0]) > ++ && ('-' != ptr->line[0]))) > + #endif > + ; > + ptr = ptr->next) { > + n++; > + } > + #if KEEP_NIS_AT_END > +- if ((NULL != ptr) && (NULL != ptr->line)) { > ++ if (NULL != ptr) { > + nis = ptr; > + } > + #endif > +-- > +2.1.0 > + > diff --git a/meta/recipes-extended/shadow/shadow.inc > b/meta/recipes-extended/shadow/shadow.inc > index 5e6b0bd..cc18964 100644 > --- a/meta/recipes-extended/shadow/shadow.inc > +++ b/meta/recipes-extended/shadow/shadow.inc 
> @@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth. > debian.org/releases/${BPN}-${PV}.tar.xz \ > file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ > file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch > \ > file://0001-useradd-copy-extended-attributes-of-home.patch \ > + file://0001-shadow-CVE-2017-12424 \ > ${@bb.utils.contains('PACKAGECONFIG', 'pam', > '${PAM_SRC_URI}', '', d)} \ > " > > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core > [-- Attachment #2: Type: text/html, Size: 5730 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] shadow: fix CVE-2017-12424
From: Randy MacLeod @ 2017-08-18 20:20 UTC
To: Jussi Kukkonen, Chen Qi
Cc: Patches and discussions about the oe-core layer

On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen@windriver.com
> <mailto:Qi.Chen@windriver.com>> wrote:
>
>     Backport a patch to fix CVE-2017-12424.
>
>     In shadow before 4.5, the newusers tool could be made to manipulate
>     internal data structures in ways unintended by the authors.
>
>     Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>     <https://nvd.nist.gov/vuln/detail/CVE-2017-12424>
>
>     CVE: CVE-2017-12424
>
>
> I don't object to the patch but I'm wondering if there is a reason we
> are taking the shadow sources from debian instead of the upstream
> github*? shadow 4.5 seems to have been out for months already but Debian
> hasn't taken it yet...
>
> *) https://github.com/shadow-maint/shadow
>
> Jussi

Good point. It's late in the release but maybe
not too late to update shadow.

Qi,
If you could give it a try and let us know if there are any
'gotchas' that would prevent or make the upgrade risky,
that would be great.

There are quite a few functional changes:

$ git diff 4.2.1..4.5 etc lib libmisc man src | diffstat| tail -1
 83 files changed, 4011 insertions(+), 2020 deletions(-)

and a HUGE number of other changes:

$ git diff 4.2.1..4.5 | diffstat| tail -1
 9818 files changed, 390853 insertions(+), 7556 deletions(-)

mainly in tests:

$ git diff 4.2.1..4.5 tests/| diffstat| tail -1
 9690 files changed, 369156 insertions(+)

that could, say just post-M3, be added as ptests.

../Randy

> > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com > <mailto:Qi.Chen@windriver.com>> > --- > .../shadow/files/0001-shadow-CVE-2017-12424 | 46 > ++++++++++++++++++++++ > meta/recipes-extended/shadow/shadow.inc | 1 + > 2 files changed, 47 insertions(+) > create mode 100644 > meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > > diff --git > a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 > new file mode 100644 > index 0000000..4d3e1e0 > --- /dev/null > +++ b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 
> @@ -0,0 +1,46 @@ > +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 > +From: Tomas Mraz <tmraz@fedoraproject.org > <mailto:tmraz@fedoraproject.org>> > +Date: Fri, 31 Mar 2017 16:25:06 +0200 > +Subject: [PATCH] Fix buffer overflow if NULL line is present in db. > + > +If ptr->line == NULL for an entry, the first cycle will exit, > +but the second one will happily write past entries buffer. > +We actually do not want to exit the first cycle prematurely > +on ptr->line == NULL. > +Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org > <mailto:tmraz@fedoraproject.org>> > + > +CVE: CVE-2017-12424 > +Upstream-Status: Backport > +Signed-off-by: Chen Qi <Qi.Chen@windriver.com > <mailto:Qi.Chen@windriver.com>> > +--- > + lib/commonio.c | 8 ++++---- > + 1 file changed, 4 insertions(+), 4 deletions(-) > + > +diff --git a/lib/commonio.c b/lib/commonio.c > +index b10da06..31edbaa 100644 > +--- a/lib/commonio.c > ++++ b/lib/commonio.c > +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int > (*cmp) (const void *, const void *)) > + for (ptr = db->head; > + (NULL != ptr) > + #if KEEP_NIS_AT_END > +- && (NULL != ptr->line) > +- && ( ('+' != ptr->line[0]) > +- && ('-' != ptr->line[0])) > ++ && ((NULL == ptr->line) > ++ || (('+' != ptr->line[0]) > ++ && ('-' != ptr->line[0]))) > + #endif > + ; > + ptr = ptr->next) { > + n++; > + } > + #if KEEP_NIS_AT_END > +- if ((NULL != ptr) && (NULL != ptr->line)) { > ++ if (NULL != ptr) { > + nis = ptr; > + } > + #endif > +-- > +2.1.0 > + > diff --git a/meta/recipes-extended/shadow/shadow.inc > b/meta/recipes-extended/shadow/shadow.inc > index 5e6b0bd..cc18964 100644 > --- a/meta/recipes-extended/shadow/shadow.inc > +++ b/meta/recipes-extended/shadow/shadow.inc 
> @@ -16,6 +16,7 @@ SRC_URI = > "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz > <http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz> \ > > file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ > > file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ > > file://0001-useradd-copy-extended-attributes-of-home.patch \ > + file://0001-shadow-CVE-2017-12424 \ > ${@bb.utils.contains('PACKAGECONFIG', 'pam', > '${PAM_SRC_URI}', '', d)} \ > " > > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > <mailto:Openembedded-core@lists.openembedded.org> > http://lists.openembedded.org/mailman/listinfo/openembedded-core > <http://lists.openembedded.org/mailman/listinfo/openembedded-core> > > > > -- # Randy MacLeod. SMTS, Linux, Wind River Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, Canada, K2K 2W5 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] shadow: fix CVE-2017-12424
From: Randy MacLeod @ 2017-08-21 13:17 UTC
To: Jussi Kukkonen, Chen Qi
Cc: Patches and discussions about the oe-core layer

On 2017-08-18 04:20 PM, Randy MacLeod wrote:
> On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
>> On 16 August 2017 at 13:28, Chen Qi <Qi.Chen@windriver.com
>> <mailto:Qi.Chen@windriver.com>> wrote:
>>
>>     Backport a patch to fix CVE-2017-12424.
>>
>>     In shadow before 4.5, the newusers tool could be made to manipulate
>>     internal data structures in ways unintended by the authors.
>>
>>     Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
>>     <https://nvd.nist.gov/vuln/detail/CVE-2017-12424>
>>
>>     CVE: CVE-2017-12424
>>
>>
>> I don't object to the patch but I'm wondering if there is a reason we
>> are taking the shadow sources from debian instead of the upstream
>> github*? shadow 4.5 seems to have been out for months already but
>> Debian hasn't taken it yet...
>>
>> *) https://github.com/shadow-maint/shadow
>>
>> Jussi
>
>
> Good point. It's late in the release but maybe
> not too late to update shadow.
>
> Qi,
> If you could give it a try and let us know if there are any
> 'gotchas' that would prevent or make the upgrade risky,
> that would be great.

Turns out that Qi will only be able to do this at the start of the
oe-core-2.5 development cycle.

../Randy

--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, Canada, K2K 2W5