Opened 7 years ago
Closed 7 years ago
#4037 closed task (fixed)
shadow-4.4
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 8.0 |
| Component: | Book | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
It looks like shadow moved to git:
https://github.com/shadow-maint/shadow/releases
The 4.4 version was released on September 18.
Note that there is a security advisory for 4.2.1: https://lwn.net/Vulnerabilities/713062/
I don't know if that applies to 4.4 or not.
Download URL: https://github.com/shadow-maint/shadow/releases/download/4.4/shadow-4.4.tar.xz
- Changes since 4.2.1:
- Documentation, error report and translations updates
- Replace path_max with 32
- User namespace support fixes/updates including:
- Correct sanity checks in newXidmap
- Fix building without subuid support
- Add /etc/subuid support for UID matching
- Support subuid for nonlocal users
- Default to 65536 subuid allocations
- Respect -r
- Check for range overflows
- Add tests from svn tree
- Use AC_CHECK_SIZEOF for uid_t size checks
- Accomodate missing /etc and login.defs
- Support FORCE_SHADOW
- Be more robust in hostile environment
- Allow removing a primary group
- Clear passwords on pw_dup errors
- Memory leak fix in commonio_update and get_map_ranges
- Fix resource leak in syslog_sg
- Fix user busy error at userdel
- Support set/clear lastlog record via lastlog command
- Add --no-create-home as longopt for -M
- Fix signal races
- Reduce syslog priority of common usage events
Attachments (1)
Change History (9)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
su.c:376:3: error: too few arguments to function ‘snprintf’
Needs: sed '/snprintf/s@_msg,@_msg, 256,@' -i src/su.c
Edit: I had a broken search pattern, it needs the search string and was missing second comma above. Tested, checks OK.
comment:3 by , 7 years ago
I don't understand DJ. The book's current instructions worked fine for me.
OK. Made a script and logged it. Ran in chroot.
The only reference to su.c is:
gcc -DHAVE_CONFIG_H -I. -I.. -I../lib -I../libmisc -DLOCALEDIR=\"/usr/share/locale\" -g -O2 -MT su.o -MD -MP -MF .deps/su.Tpo -c -o su.o su.c
su.c: In function 'main':
su.c:1162:12: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
argv[-1] = cp;
mv -f .deps/su.Tpo .deps/su.Po
The LFS build was SVN-20170122.
comment:4 by , 7 years ago
I'm sorry, that's for shadow with Linux-PAM, not needed for LFS, only BLFS.
See:
https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194
Also:
https://github.com/shadow-maint/shadow/commit/924cc346475dea7dc394316cd7c3d5d0414e538e
From src/su.c:
#ifdef USE_PAM static char kill_msg[256]; static char wait_msg[256];
comment:6 by , 7 years ago
Okay, as to the security vulnerability using getlogin, still an issue in 4.4.
Fix for CVE-2016-6251: https://bugzilla.suse.com/attachment.cgi?id=684679 And the Suse bug (links to the patch): https://bugzilla.suse.com/show_bug.cgi?id=979282 This one is clearly not applied.
I was not able to find a patch for CVE-2016-6252 to verify, but reading the bugs suggests that it was fixed in 4.3.1. The bugs were crossed, so ignore comment #1, but read comments 2-4 at https://github.com/shadow-maint/shadow/issues/27 for details.
comment:7 by , 7 years ago
I checked the patch and two of the hunks are already applied. For the other:
sed -i -e '/47/d' -e /60,65/d' libmisc/myname.c
will do it.
In my initial review, it appears that the new tarball is just a drop in. None of the seds or other instructions need ot be changed.