SHA256
3
0
forked from pool/shadow

- bsc#1210507 (CVE-2023-29383):

Check for control characters
- Add shadow-CVE-2023-29383.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=147
This commit is contained in:
Michael Vetter 2023-04-18 16:15:03 +00:00 committed by Git OBS Bridge
parent c13dad9ccc
commit de2ffbd8a7
3 changed files with 61 additions and 0 deletions

View File

@ -0,0 +1,51 @@
Index: shadow-4.13/lib/fields.c
===================================================================
--- shadow-4.13.orig/lib/fields.c
+++ shadow-4.13/lib/fields.c
@@ -21,9 +21,9 @@
*
* The supplied field is scanned for non-printable and other illegal
* characters.
- * + -1 is returned if an illegal character is present.
- * + 1 is returned if no illegal characters are present, but the field
- * contains a non-printable character.
+ * + -1 is returned if an illegal or control character is present.
+ * + 1 is returned if no illegal or control characters are present,
+ * but the field contains a non-printable character.
* + 0 is returned otherwise.
*/
int valid_field (const char *field, const char *illegal)
@@ -37,23 +37,22 @@ int valid_field (const char *field, cons
/* For each character of field, search if it appears in the list
* of illegal characters. */
+ if (illegal && NULL != strpbrk (field, illegal)) {
+ return -1;
+ }
+
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
- if (strchr (illegal, *cp) != NULL) {
+ unsigned char c = *cp;
+ if (!isprint (c)) {
+ err = 1;
+ }
+ if (iscntrl (c)) {
err = -1;
break;
}
}
- if (0 == err) {
- /* Search if there are some non-printable characters */
- for (cp = field; '\0' != *cp; cp++) {
- if (!isprint (*cp)) {
- err = 1;
- break;
- }
- }
- }
-
return err;
}

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter <mvetter@suse.com>
- bsc#1210507 (CVE-2023-29383):
Check for control characters
- Add shadow-CVE-2023-29383.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 12 12:08:43 UTC 2023 - Thorsten Kukuk <kukuk@suse.com> Wed Apr 12 12:08:43 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

View File

@ -54,6 +54,8 @@ Patch6: disable_new_audit_function.patch
Patch7: shadow-audit-no-id.patch Patch7: shadow-audit-no-id.patch
# PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch mvetter@suse.com -- Fix print full login timeout message (gh/shadow-maint/shadow#621) # PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch mvetter@suse.com -- Fix print full login timeout message (gh/shadow-maint/shadow#621)
Patch8: shadow-fix-print-login-timeout.patch Patch8: shadow-fix-print-login-timeout.patch
# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch mvetter@suse.com -- Check control chracters in chfn (bsc#1210507)
Patch9: shadow-CVE-2023-29383.patch
BuildRequires: audit-devel > 2.3 BuildRequires: audit-devel > 2.3
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -123,6 +125,7 @@ Development files for libsubid4.
%endif %endif
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO mv -v doc/HOWTO.utf8 doc/HOWTO