Factory:RISC-V:Base
shadow
Changes of Revision 4
_service:tar_scm:shadow.spec
Changed
@@ -1,6 +1,6 @@ Name: shadow Version: 4.13 -Release: 2 +Release: 3 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -19,6 +19,11 @@ Patch0: usermod-unlock.patch Patch1: backport-useradd-check-if-subid-range-exists-for-user.patch Patch2: shadow-add-sm3-crypt-support.patch +Patch3: backport-Fix-off-by-one-mistakes.patch +Patch4: backport-Fix-typos-in-length-calculations.patch +Patch5: backport-Correctly-handle-illegal-system-file-in-tz.patch +Patch6: backport-Explicitly-override-only-newlines.patch +Patch7: backport-Prevent-out-of-boundary-access.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -186,6 +191,9 @@ %{_mandir}/*/* %changelog +* Thu Mar 23 2023 fuanan <fuanan3@h-partners.com> - 2:4.13-3 +- backport patches from upstream + * Thu Feb 9 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-2 - SM3 patch is compatible with version 4.13
_service:tar_scm:backport-Correctly-handle-illegal-system-file-in-tz.patch
Added
@@ -0,0 +1,55 @@
+From 37ae2320809cb16afa9dacd8e5ea317ae216ee36 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Fri, 27 Jan 2023 11:57:51 +0000
+Subject: PATCH Correctly handle illegal system file in tz
+
+If the file referenced by ENV_TZ has a zero length string, then an out
+of boundary write occurs. Also the result can be wrong because it is
+assumed that the file will always end with a newline.
+
+Only override a newline character with '\0' to avoid these cases.
+
+This cannot be considered to be security relevant because login.defs
+and its contained references to system files should be trusted to begin
+with.
+
+Proof of Concept:
+
+1. Compile shadow's su with address sanitizer and --without-libpam
+
+2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname
+
+3. Prepare /etc/tzname to contain a '\0' byte at the beginning
+
+`python -c "print('\x00')" > /etc/tzname`
+
+4. Use su
+
+`su -l`
+
+You can see the following output:
+
+`tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char 8192'`
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+---
+ libmisc/tz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libmisc/tz.c b/libmisc/tz.c
+index f3f5733e..9f3a41f2 100644
+--- a/libmisc/tz.c
++++ b/libmisc/tz.c
+@@ -42,7 +42,8 @@
+
+ strcpy (tzbuf, def_tz);
+ } else {
+- tzbufstrlen (tzbuf) - 1 = '\0';
++ /* Remove optional trailing '\n'. */
++ tzbufstrcspn (tzbuf, "\n") = '\0';
+ }
+
+ if (NULL != fp) {
+--
+2.27.0
+
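Review bot: After this change the else branch in libmisc/tz.c accepts an empty result: a file whose first line is only a newline, or begins with a NUL byte, leaves `tzbuf` as `""`, and nothing in the hunk checks for that before the value is used (the function continues outside the hunk, so the later use is not visible here). If an empty string is not a valid result, add an `if (tzbuf[0] == '\0')` test and fall back to the same default the read-failure branch copies in. The context line `strcpy (tzbuf, def_tz);` is also unbounded; the sanitizer output quoted in the description reports the buffer as an 8192-byte array, so `snprintf (tzbuf, sizeof tzbuf, "%s", def_tz);` would bound it, assuming `tzbuf` is declared as an array in this scope.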
_service:tar_scm:backport-Explicitly-override-only-newlines.patch
Added
@@ -0,0 +1,55 @@
+From ffc480c2e93f05266e4b130229877ad13f71a8c0 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Mon, 30 Jan 2023 11:53:47 +0000
+Subject: PATCH Explicitly override only newlines
+
+Override only newlines with '\0' to avoid undesired truncation of
+actual line content.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+---
+ lib/port.c | 6 +++---
+ libmisc/console.c | 3 ++-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/port.c b/lib/port.c
+index 0bea2ef4..90eb1498 100644
+--- a/lib/port.c
++++ b/lib/port.c
+@@ -130,8 +130,8 @@ static struct port *getportent (void)
+ again:
+
+ /*
+- * Get the next line and remove the last character, which
+- * is a '\n'. Lines which begin with '#' are all ignored.
++ * Get the next line and remove optional trailing '\n'.
++ * Lines which begin with '#' are all ignored.
+ */
+
+ if (fgets (buf, (int) sizeof buf, ports) == 0) {
+@@ -149,7 +149,7 @@ static struct port *getportent (void)
+ * TTY devices.
+ */
+
+- bufstrlen (buf) - 1 = 0;
++ bufstrcspn (buf, "\n") = 0;
+
+ port.pt_names = ttys;
+ for (cp = buf, j = 0; j < PORT_TTY; j++) {
+diff --git a/libmisc/console.c b/libmisc/console.c
+index bc024eba..63d3ceb3 100644
+--- a/libmisc/console.c
++++ b/libmisc/console.c
+@@ -71,7 +71,8 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
+ */
+
+ while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
+- bufstrlen (buf) - 1 = '\0';
++ /* Remove optional trailing '\n'. */
++ bufstrcspn (buf, "\n") = '\0';
+ if (strcmp (buf, tty) == 0) {
+ (void) fclose (fp);
+ return true;
+--
+2.27.0
+
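Review bot: Neither `getportent` in lib/port.c nor `is_listed` in libmisc/console.c detects a line that did not fit in `buf`. The `strcspn` form makes a missing newline harmless for the write, but `fgets` hands back the remainder of an over-long line on the next call, where it is parsed or compared against `tty` as if it were a separate entry. The login_nopam.c and suauth.c parsers patched on this same page log "missing newline or line too long" and reject such lines; a matching guard here, for example `if (strchr (buf, '\n') == NULL && feof (fp) == 0)` followed by log-and-skip, would keep the access files handled consistently. Both functions continue outside their hunks, so any length handling elsewhere in them is not visible.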
_service:tar_scm:backport-Fix-off-by-one-mistakes.patch
Added
@@ -0,0 +1,74 @@
+From 587ce83e3ff4bea64ac028149ac9b66df37f688c Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Fri, 16 Dec 2022 00:52:27 +0100
+Subject: PATCH Fix off-by-one mistakes
+
+The buffers have a size of 512 (see xmalloc() above), which is what
+snprintf(3) expects.
+
+Link: <https://github.com/shadow-maint/shadow/pull/607>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/groupmod.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 006eca1c..828c7c0b 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -554,13 +554,13 @@ static void prepare_failure_reports (void)
+ #endif
+ info_passwd.audit_msg = xmalloc (512);
+
+- (void) snprintf (info_group.audit_msg, 511,
++ (void) snprintf (info_group.audit_msg, 512,
+ "changing %s; ", gr_dbname ());
+ #ifdef SHADOWGRP
+- (void) snprintf (info_gshadow.audit_msg, 511,
++ (void) snprintf (info_gshadow.audit_msg, 512,
+ "changing %s; ", sgr_dbname ());
+ #endif
+- (void) snprintf (info_passwd.audit_msg, 511,
++ (void) snprintf (info_passwd.audit_msg, 512,
+ "changing %s; ", pw_dbname ());
+
+ info_group.action = info_group.audit_msg
+@@ -573,16 +573,16 @@ static void prepare_failure_reports (void)
+ + strlen (info_passwd.audit_msg);
+
+ (void) snprintf (info_group.action,
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "group %s/%lu",
+ group_name, (unsigned long int) group_id);
+ #ifdef SHADOWGRP
+ (void) snprintf (info_gshadow.action,
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "group %s", group_name);
+ #endif
+ (void) snprintf (info_passwd.action,
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "group %s/%lu",
+ group_name, (unsigned long int) group_id);
+
+@@ -617,13 +617,13 @@ static void prepare_failure_reports (void)
+ strncat (info_group.action, ", new gid: ",
+ 511 - strlen (info_group.audit_msg));
+ (void) snprintf (info_group.action+strlen (info_group.action),
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "%lu", (unsigned long int) group_newid);
+
+ strncat (info_passwd.action, ", new gid: ",
+ 511 - strlen (info_passwd.audit_msg));
+ (void) snprintf (info_passwd.action+strlen (info_passwd.action),
+- 511 - strlen (info_passwd.audit_msg),
++ 512 - strlen (info_passwd.audit_msg),
+ "%lu", (unsigned long int) group_newid);
+ }
+ info_group.audit_msg511 = '\0';
+--
+2.27.0
+
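Review bot: The literal 512 now appears in every `snprintf` size argument in `prepare_failure_reports` and has to stay in sync with `xmalloc (512)`, with the `511` still used by the `strncat` calls, and with `info_group.audit_msg[511] = '\0';`; a mismatch between those literals is exactly what this commit corrects. One named constant used for the allocation and for every length expression, for example `enum { AUDIT_MSG_SIZE = 512 };` (name constructed here), would remove that risk. The `(void)` casts also discard the `snprintf` return value, so an audit message truncated by a long `group_name` goes unnoticed; comparing the result with the size passed would at least allow the truncation to be logged. The function starts and ends outside these hunks.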
_service:tar_scm:backport-Fix-typos-in-length-calculations.patch
Added
@@ -0,0 +1,32 @@
+From ed69feaaff3c86745390c9839ecfc4b8f9706075 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Fri, 16 Dec 2022 01:08:12 +0100
+Subject: PATCH Fix typos in length calculations
+
+Link: <https://github.com/shadow-maint/shadow/pull/607>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/groupmod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 7802e5b1..8c219194 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -578,11 +578,11 @@ static void prepare_failure_reports (void)
+ group_name, (unsigned long int) group_id);
+ #ifdef SHADOWGRP
+ (void) snprintf (info_gshadow.action,
+- 512 - strlen (info_group.audit_msg),
++ 512 - strlen (info_gshadow.audit_msg),
+ "group %s", group_name);
+ #endif
+ (void) snprintf (info_passwd.action,
+- 512 - strlen (info_group.audit_msg),
++ 512 - strlen (info_passwd.audit_msg),
+ "group %s/%lu",
+ group_name, (unsigned long int) group_id);
+
+--
+2.27.0
+
_service:tar_scm:backport-Prevent-out-of-boundary-access.patch
Added
@@ -0,0 +1,56 @@
+From 8e0ad48c21bd7d5506ff44eb4c04f796b80045ce Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Mon, 30 Jan 2023 11:54:49 +0000
+Subject: PATCH Prevent out of boundary access
+
+If lines start with '\0' then it is possible to trigger out of
+boundary accesses.
+
+Check if indices are valid before accessing them.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+---
+ src/login_nopam.c | 4 ++--
+ src/suauth.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/login_nopam.c b/src/login_nopam.c
+index b09cffe4..18072a43 100644
+--- a/src/login_nopam.c
++++ b/src/login_nopam.c
+@@ -100,7 +100,7 @@ int login_access (const char *user, const char *from)
+ int end;
+ lineno++;
+ end = (int) strlen (line) - 1;
+- if (lineend != '\n') {
++ if (line0 == '\0' || lineend != '\n') {
+ SYSLOG ((LOG_ERR,
+ "%s: line %d: missing newline or line too long",
+ TABLE, lineno));
+@@ -320,7 +320,7 @@ static bool from_match (const char *tok, const char *string)
+ if (strchr (string, '.') == NULL) {
+ return true;
+ }
+- } else if ( (tok(tok_len = strlen (tok)) - 1 == '.') /* network */
++ } else if ( (tok0 != '\0' && tok(tok_len = strlen (tok)) - 1 == '.') /* network */
+ && (strncmp (tok, resolve_hostname (string), tok_len) == 0)) {
+ return true;
+ }
+diff --git a/src/suauth.c b/src/suauth.c
+index 2641d334..d68a3340 100644
+--- a/src/suauth.c
++++ b/src/suauth.c
+@@ -68,8 +68,9 @@ int check_su_auth (const char *actual_id,
+
+ while (fgets (temp, sizeof (temp), authfile_fd) != NULL) {
+ lines++;
++ endline = strlen(temp) - 1;
+
+- if (tempendline = strlen (temp) - 1 != '\n') {
++ if (temp0 == '\0' || tempendline != '\n') {
+ SYSLOG ((LOG_ERR,
+ "%s, line %d: line too long or missing newline",
+ SUAUTHFILE, lines));
+--
+2.27.0
+
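Review bot: In `check_su_auth`, `endline = strlen(temp) - 1;` is now evaluated before the `temp[0] == '\0'` test (the index brackets are missing from the lines as rendered on this page), so for an empty string it holds a wrapped or negative value that stays in `endline` after the guard. The short-circuit keeps it from being used as an index in this condition, but any later `temp[endline]` relies on the error branch skipping the line, and that part of the loop is outside the hunk. Testing `strlen (temp) == 0` first and computing the index only afterwards avoids carrying an invalid index; `login_access` has the same shape with `end = (int) strlen (line) - 1;`. Separately, a line beginning with NUL is logged as "missing newline or line too long", which can mislead whoever reads the log while investigating a malformed access file; a distinct message for the empty-line case would help.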