From ba9a0dec9da2c5939070aa99c93b0f84b93725ee Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Thu, 23 Feb 2017 17:21:08 +0100
Subject: Imported Debian patch 1:4.2-3+deb8u2
---
debian/changelog | 11 ++----
debian/control | 3 +-
.../302-CVE-2016-6252-fix-integer-overflow.patch | 46 ----------------------
debian/patches/523_su_arguments_are_concatenated | 8 ++--
...u_arguments_are_no_more_concatenated_by_default | 10 +++--
debian/patches/series | 1 -
6 files changed, 15 insertions(+), 64 deletions(-)
delete mode 100644 debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
diff --git a/debian/changelog b/debian/changelog
index e902249d..0066bf0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,9 @@
shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
- [ Salvatore Bonaccorso ]
- * su: properly clear child PID (Closes: #855943)(CVE-2017-2616)
+ * Non-maintainer upload by the Security Team.
+ * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
- [ Balint Reczey ]
- * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
- * Refresh patches
- * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)
-
- -- Balint Reczey Fri, 24 Feb 2017 00:57:31 +0100
+ -- Salvatore Bonaccorso Thu, 23 Feb 2017 17:21:08 +0100
shadow (1:4.2-3+deb8u1) jessie; urgency=medium
diff --git a/debian/control b/debian/control
index 232dc912..6f06f5ba 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,7 @@ Section: admin
Priority: required
Maintainer: Shadow package maintainers
Standards-Version: 3.9.5
-Uploaders: Christian Perrier ,
- Balint Reczey
+Uploaders: Christian Perrier , Nicolas FRANCOIS (Nekral)
Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any] ,hardening-wrapper
Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
diff --git a/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch b/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
deleted file mode 100644
index 2f2195b4..00000000
--- a/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
-From: Sebastian Krahmer
-Date: Wed, 3 Aug 2016 11:51:07 -0500
-Subject: [PATCH] Simplify getulong
-
-Use strtoul to read an unsigned long, rather than reading
-a signed long long and casting it.
-
-https://bugzilla.suse.com/show_bug.cgi?id=979282
----
- lib/getulong.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/lib/getulong.c b/lib/getulong.c
-index 61579ca..08d2c1a 100644
---- a/lib/getulong.c
-+++ b/lib/getulong.c
-@@ -44,22 +44,19 @@
- */
- int getulong (const char *numstr, /*@out@*/unsigned long int *result)
- {
-- long long int val;
-+ unsigned long int val;
- char *endptr;
-
- errno = 0;
-- val = strtoll (numstr, &endptr, 0);
-+ val = strtoul (numstr, &endptr, 0);
- if ( ('\0' == *numstr)
- || ('\0' != *endptr)
- || (ERANGE == errno)
-- /*@+ignoresigns@*/
-- || (val != (unsigned long int)val)
-- /*@=ignoresigns@*/
- ) {
- return 0;
- }
-
-- *result = (unsigned long int)val;
-+ *result = val;
- return 1;
- }
-
---
-2.1.4
-
diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated
index 9a22d22d..6d994e23 100644
--- a/debian/patches/523_su_arguments_are_concatenated
+++ b/debian/patches/523_su_arguments_are_concatenated
@@ -8,9 +8,11 @@ Status wrt upstream: This is a Debian specific patch.
Note: the fix of the man page is still missing. (to be taken from the trunk)
---- a/src/su.c
-+++ b/src/su.c
-@@ -1167,6 +1167,35 @@
+Index: git/src/su.c
+===================================================================
+--- git.orig/src/su.c
++++ git/src/su.c
+@@ -1152,6 +1152,35 @@
argv[0] = "-c";
argv[1] = command;
}
diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
index 34f0248d..e148d8d9 100644
--- a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+++ b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
@@ -8,8 +8,10 @@ Etch.
Status wrt upstream: This patch is Debian specific.
---- a/src/su.c
-+++ b/src/su.c
+Index: git/src/su.c
+===================================================================
+--- git.orig/src/su.c
++++ git/src/su.c
@@ -104,6 +104,19 @@
/* If nonzero, change some environment vars to indicate the user su'd to. */
static bool change_environment = true;
@@ -30,7 +32,7 @@ Status wrt upstream: This patch is Debian specific.
#ifdef USE_PAM
static pam_handle_t *pamh = NULL;
static int caught = 0;
-@@ -964,6 +977,8 @@
+@@ -949,6 +962,8 @@
int ret;
#endif /* USE_PAM */
@@ -39,7 +41,7 @@ Status wrt upstream: This patch is Debian specific.
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
-@@ -1171,7 +1186,7 @@
+@@ -1156,7 +1171,7 @@
* resulting string is always given to the shell with its
* -c option.
*/
diff --git a/debian/patches/series b/debian/patches/series
index 56790820..ceb25e02 100644
--- a/debian/patches/series
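Review bot: The rewritten inner-diff header in 523_su_arguments_are_concatenated (`+Index: git/src/su.c`, `+--- git.orig/src/su.c`, `++++ git/src/su.c`) bakes the name of the local checkout directory into the patch, which the `--- a/src/su.c` / `+++ b/src/su.c` form it replaces did not; both apply the same way under -p1, so keeping the a/ b/ prefixes would reduce this refresh to the offset change alone. The same header rewrite appears in both 523_su_arguments_are_no_more_concatenated_by_default hunks. Every inner hunk offset moves by 15 lines (`@@ -1167,6 +1167,35 @@` becomes `@@ -1152,6 +1152,35 @@`; 964→949 and 1171→1156 in the second file), which patch accepts as long as the context lines still match, but since 301-CVE-2017-2616-su-properly-clear-child-PID.patch precedes both 523 patches in series and presumably edits src/su.c as well, the build log should be checked for offset or fuzz messages rather than assuming the refreshed numbers are the ones that apply cleanly. The inner hunks' bodies (the lines actually added to su.c) lie outside these outer hunks, so the code change itself is not reviewable here.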
+++ b/debian/patches/series
@@ -5,7 +5,6 @@
503_shadowconfig.8
008_login_log_failure_in_FTMP
301-CVE-2017-2616-su-properly-clear-child-PID.patch
-302-CVE-2016-6252-fix-integer-overflow.patch
429_login_FAILLOG_ENAB
401_cppw_src.dpatch
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
-- cgit v1.2.1