backport patches from upstream

fly_fzc 2023-03-23 10:24:09 +08:00
parent b46f20bf82
commit 32fd795eab
6 changed files with 281 additions and 1 deletions


@ -0,0 +1,55 @@
From 37ae2320809cb16afa9dacd8e5ea317ae216ee36 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Fri, 27 Jan 2023 11:57:51 +0000
Subject: [PATCH] Correctly handle illegal system file in tz
If the file referenced by ENV_TZ has a zero length string, then an out
of boundary write occurs. Also the result can be wrong because it is
assumed that the file will always end with a newline.
Only override a newline character with '\0' to avoid these cases.
This cannot be considered to be security relevant because login.defs
and its contained references to system files should be trusted to begin
with.
Proof of Concept:
1. Compile shadow's su with address sanitizer and --without-libpam
2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname
3. Prepare /etc/tzname to contain a '\0' byte at the beginning
`python -c "print('\x00')" > /etc/tzname`
4. Use su
`su -l`
You can see the following output:
`tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char [8192]'`
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
---
libmisc/tz.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libmisc/tz.c b/libmisc/tz.c
index f3f5733e..9f3a41f2 100644
--- a/libmisc/tz.c
+++ b/libmisc/tz.c
@@ -42,7 +42,8 @@
strcpy (tzbuf, def_tz);
} else {
- tzbuf[strlen (tzbuf) - 1] = '\0';
+ /* Remove optional trailing '\n'. */
+ tzbuf[strcspn (tzbuf, "\n")] = '\0';
}
if (NULL != fp) {
--
2.27.0
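Review bot: The comment added above the strcspn line in tz.c says what it removes but not why this form is safe for the very case the commit fixes. For a zero-length line (first byte NUL, as in the PoC) strcspn returns 0 and the store hits index 0, which is already the terminator, whereas the old `strlen (tzbuf) - 1` indexed tzbuf[-1], the SIZE_MAX index shown in the ASan output. I would extend the comment to `/* Remove optional trailing '\n'. Safe for an empty line: strcspn yields 0 and we only rewrite the terminator, never index -1. */` so nobody simplifies it back to the strlen form. The fgets that fills tzbuf and the rest of the function lie outside the hunk.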


@ -0,0 +1,55 @@
From ffc480c2e93f05266e4b130229877ad13f71a8c0 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Mon, 30 Jan 2023 11:53:47 +0000
Subject: [PATCH] Explicitly override only newlines
Override only newlines with '\0' to avoid undesired truncation of
actual line content.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
---
lib/port.c | 6 +++---
libmisc/console.c | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/port.c b/lib/port.c
index 0bea2ef4..90eb1498 100644
--- a/lib/port.c
+++ b/lib/port.c
@@ -130,8 +130,8 @@ static struct port *getportent (void)
again:
/*
- * Get the next line and remove the last character, which
- * is a '\n'. Lines which begin with '#' are all ignored.
+ * Get the next line and remove optional trailing '\n'.
+ * Lines which begin with '#' are all ignored.
*/
if (fgets (buf, (int) sizeof buf, ports) == 0) {
@@ -149,7 +149,7 @@ static struct port *getportent (void)
* TTY devices.
*/
- buf[strlen (buf) - 1] = 0;
+ buf[strcspn (buf, "\n")] = 0;
port.pt_names = ttys;
for (cp = buf, j = 0; j < PORT_TTY; j++) {
diff --git a/libmisc/console.c b/libmisc/console.c
index bc024eba..63d3ceb3 100644
--- a/libmisc/console.c
+++ b/libmisc/console.c
@@ -71,7 +71,8 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
*/
while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
- buf[strlen (buf) - 1] = '\0';
+ /* Remove optional trailing '\n'. */
+ buf[strcspn (buf, "\n")] = '\0';
if (strcmp (buf, tty) == 0) {
(void) fclose (fp);
return true;
--
2.27.0
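Review bot: The console.c hunk still cannot tell a complete line from a truncated one: when a line is longer than `buf`, fgets returns it without a '\n', strcspn returns the full length, and the remainder of that line comes back from the next fgets and is compared against `tty` as though it were its own entry. The old `strlen - 1` code had the same blind spot (it chopped a data byte instead), so the commit does not address it, but `is_listed` answers whether a tty is in the configured list, and the login_nopam.c change in this same backport set already rejects such lines with its "missing newline or line too long" check. I would handle it the same way here, discarding the rest of an over-long line before continuing, as below; the port.c hunk has the identical pattern and would parse the tail of a long line as a fresh port entry. Both enclosing functions continue outside their hunks.
```c
	while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
		size_t n = strcspn (buf, "\n");
		if (buf[n] != '\n' && !feof (fp)) {
			/* Line longer than buf: drop its remainder so it is
			 * not compared against tty as a separate entry. */
			int c;
			while ((c = getc (fp)) != EOF && c != '\n') {
			}
			continue;
		}
		buf[n] = '\0';
		/* … unchanged: strcmp against tty, fclose, return true … */
```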


@ -0,0 +1,74 @@
From 587ce83e3ff4bea64ac028149ac9b66df37f688c Mon Sep 17 00:00:00 2001
From: Alejandro Colomar <alx@kernel.org>
Date: Fri, 16 Dec 2022 00:52:27 +0100
Subject: [PATCH] Fix off-by-one mistakes
The buffers have a size of 512 (see xmalloc() above), which is what
snprintf(3) expects.
Link: <https://github.com/shadow-maint/shadow/pull/607>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
src/groupmod.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/groupmod.c b/src/groupmod.c
index 006eca1c..828c7c0b 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -554,13 +554,13 @@ static void prepare_failure_reports (void)
#endif
info_passwd.audit_msg = xmalloc (512);
- (void) snprintf (info_group.audit_msg, 511,
+ (void) snprintf (info_group.audit_msg, 512,
"changing %s; ", gr_dbname ());
#ifdef SHADOWGRP
- (void) snprintf (info_gshadow.audit_msg, 511,
+ (void) snprintf (info_gshadow.audit_msg, 512,
"changing %s; ", sgr_dbname ());
#endif
- (void) snprintf (info_passwd.audit_msg, 511,
+ (void) snprintf (info_passwd.audit_msg, 512,
"changing %s; ", pw_dbname ());
info_group.action = info_group.audit_msg
@@ -573,16 +573,16 @@ static void prepare_failure_reports (void)
+ strlen (info_passwd.audit_msg);
(void) snprintf (info_group.action,
- 511 - strlen (info_group.audit_msg),
+ 512 - strlen (info_group.audit_msg),
"group %s/%lu",
group_name, (unsigned long int) group_id);
#ifdef SHADOWGRP
(void) snprintf (info_gshadow.action,
- 511 - strlen (info_group.audit_msg),
+ 512 - strlen (info_group.audit_msg),
"group %s", group_name);
#endif
(void) snprintf (info_passwd.action,
- 511 - strlen (info_group.audit_msg),
+ 512 - strlen (info_group.audit_msg),
"group %s/%lu",
group_name, (unsigned long int) group_id);
@@ -617,13 +617,13 @@ static void prepare_failure_reports (void)
strncat (info_group.action, ", new gid: ",
511 - strlen (info_group.audit_msg));
(void) snprintf (info_group.action+strlen (info_group.action),
- 511 - strlen (info_group.audit_msg),
+ 512 - strlen (info_group.audit_msg),
"%lu", (unsigned long int) group_newid);
strncat (info_passwd.action, ", new gid: ",
511 - strlen (info_passwd.audit_msg));
(void) snprintf (info_passwd.action+strlen (info_passwd.action),
- 511 - strlen (info_passwd.audit_msg),
+ 512 - strlen (info_passwd.audit_msg),
"%lu", (unsigned long int) group_newid);
}
info_group.audit_msg[511] = '\0';
--
2.27.0
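Review bot: The sizes in the groupmod.c hunks are only right because of an aliasing invariant the code never states: `info_group.action` is set to `info_group.audit_msg + strlen (info_group.audit_msg)` at the top of the second hunk, so after the first `snprintf (info_group.action, ...)` has run, `strlen (info_group.audit_msg)` already counts what was written through `action`, and `512 - strlen (info_group.audit_msg)` at the `action+strlen (action)` snprintf is exactly the space left after the current end (likewise `511 - strlen (...)` for strncat, which needs one byte less for its own terminator). Anyone who later gives `action` its own allocation or reorders the writes silently breaks every bound, so I would record it where action is derived: `/* action aliases the tail of audit_msg: every later bound is 512 - strlen (audit_msg), i.e. the space left after whatever has been appended so far. */`. The snprintf results are all cast to void, so an over-long group_name truncates the audit text without notice; fine if the name is length-checked before this point, which the hunk cannot show. prepare_failure_reports begins and ends outside the hunks.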


@ -0,0 +1,32 @@
From ed69feaaff3c86745390c9839ecfc4b8f9706075 Mon Sep 17 00:00:00 2001
From: Alejandro Colomar <alx@kernel.org>
Date: Fri, 16 Dec 2022 01:08:12 +0100
Subject: [PATCH] Fix typos in length calculations
Link: <https://github.com/shadow-maint/shadow/pull/607>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
src/groupmod.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/groupmod.c b/src/groupmod.c
index 7802e5b1..8c219194 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -578,11 +578,11 @@ static void prepare_failure_reports (void)
group_name, (unsigned long int) group_id);
#ifdef SHADOWGRP
(void) snprintf (info_gshadow.action,
- 512 - strlen (info_group.audit_msg),
+ 512 - strlen (info_gshadow.audit_msg),
"group %s", group_name);
#endif
(void) snprintf (info_passwd.action,
- 512 - strlen (info_group.audit_msg),
+ 512 - strlen (info_passwd.audit_msg),
"group %s/%lu",
group_name, (unsigned long int) group_id);
--
2.27.0


@ -0,0 +1,56 @@
From 8e0ad48c21bd7d5506ff44eb4c04f796b80045ce Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Mon, 30 Jan 2023 11:54:49 +0000
Subject: [PATCH] Prevent out of boundary access
If lines start with '\0' then it is possible to trigger out of
boundary accesses.
Check if indices are valid before accessing them.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
---
src/login_nopam.c | 4 ++--
src/suauth.c | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/login_nopam.c b/src/login_nopam.c
index b09cffe4..18072a43 100644
--- a/src/login_nopam.c
+++ b/src/login_nopam.c
@@ -100,7 +100,7 @@ int login_access (const char *user, const char *from)
int end;
lineno++;
end = (int) strlen (line) - 1;
- if (line[end] != '\n') {
+ if (line[0] == '\0' || line[end] != '\n') {
SYSLOG ((LOG_ERR,
"%s: line %d: missing newline or line too long",
TABLE, lineno));
@@ -320,7 +320,7 @@ static bool from_match (const char *tok, const char *string)
if (strchr (string, '.') == NULL) {
return true;
}
- } else if ( (tok[(tok_len = strlen (tok)) - 1] == '.') /* network */
+ } else if ( (tok[0] != '\0' && tok[(tok_len = strlen (tok)) - 1] == '.') /* network */
&& (strncmp (tok, resolve_hostname (string), tok_len) == 0)) {
return true;
}
diff --git a/src/suauth.c b/src/suauth.c
index 2641d334..d68a3340 100644
--- a/src/suauth.c
+++ b/src/suauth.c
@@ -68,8 +68,9 @@ int check_su_auth (const char *actual_id,
while (fgets (temp, sizeof (temp), authfile_fd) != NULL) {
lines++;
+ endline = strlen(temp) - 1;
- if (temp[endline = strlen (temp) - 1] != '\n') {
+ if (temp[0] == '\0' || temp[endline] != '\n') {
SYSLOG ((LOG_ERR,
"%s, line %d: line too long or missing newline",
SUAUTHFILE, lines));
--
2.27.0
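Review bot: In the suauth.c hunk, `endline = strlen(temp) - 1;` is now evaluated before the emptiness test, so for a line whose first byte is NUL it computes `0 - 1` in size_t (SIZE_MAX) and converts that into endline, whose type is not visible here; the `temp[0] == '\0'` guard keeps it from being used as an index on this line, but endline stays live for the rest of the loop body, which continues outside the hunk. Keeping the assignment inside the short-circuited expression, `if (temp[0] == '\0' || temp[endline = strlen (temp) - 1] != '\n')`, means no wrapped value is ever stored, and it mirrors the login_nopam.c hunk, which also only indexes after its `line[0]` check. If endline is an int, the login_nopam.c form `end = (int) strlen (line) - 1` is also preferable, since the subtraction then happens in int and yields -1 rather than SIZE_MAX. Also note that in the from_match change `tok_len` is left unassigned when `tok` is empty; harmless for the strncmp on the next line, which is short-circuited, but worth checking if tok_len is read later in that function.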


@ -1,6 +1,6 @@
Name: shadow
Version: 4.13
Release: 2
Release: 3
Epoch: 2
License: BSD and GPLv2+
Summary: Tools for managing accounts and shadow password files
@ -19,6 +19,11 @@ Source7: newusers
Patch0: usermod-unlock.patch
Patch1: backport-useradd-check-if-subid-range-exists-for-user.patch
Patch2: shadow-add-sm3-crypt-support.patch
Patch3: backport-Fix-off-by-one-mistakes.patch
Patch4: backport-Fix-typos-in-length-calculations.patch
Patch5: backport-Correctly-handle-illegal-system-file-in-tz.patch
Patch6: backport-Explicitly-override-only-newlines.patch
Patch7: backport-Prevent-out-of-boundary-access.patch
BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
BuildRequires: libacl-devel, libattr-devel
@ -186,6 +191,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a}
%{_mandir}/*/*
%changelog
* Thu Mar 23 2023 fuanan <fuanan3@h-partners.com> - 2:4.13-3
- backport patches from upstream
* Thu Feb 9 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-2
- SM3 patch is compatible with version 4.13