Opened 4 years ago

Closed 4 years ago

#4037 closed task (fixed)

shadow-4.4

Reported by: bdubbs@… Owned by: lfs-book@…
Priority: normal Milestone: 8.0
Component: Book Version: SVN
Severity: normal Keywords:
Cc:

Description

It looks like shadow moved to git:

https://github.com/shadow-maint/shadow/releases

The 4.4 version was released on September 18.

Note that there is a security advisory for 4.2.1: https://lwn.net/Vulnerabilities/713062/

I don't know if that applies to 4.4 or not.

Download URL: https://github.com/shadow-maint/shadow/releases/download/4.4/shadow-4.4.tar.xz

  • Changes since 4.2.1:
  • Documentation, error report and translations updates
  • Replace path_max with 32
  • User namespace support fixes/updates including:
    • Correct sanity checks in newXidmap
    • Fix building without subuid support
    • Add /etc/subuid support for UID matching
    • Support subuid for nonlocal users
    • Default to 65536 subuid allocations
    • Respect -r
    • Check for range overflows
  • Add tests from svn tree
  • Use AC_CHECK_SIZEOF for uid_t size checks
  • Accomodate missing /etc and login.defs
  • Support FORCE_SHADOW
  • Be more robust in hostile environment
  • Allow removing a primary group
  • Clear passwords on pw_dup errors
  • Memory leak fix in commonio_update and get_map_ranges
  • Fix resource leak in syslog_sg
  • Fix user busy error at userdel
  • Support set/clear lastlog record via lastlog command
  • Add --no-create-home as longopt for -M
  • Fix signal races
  • Reduce syslog priority of common usage events

Attachments (1)

build-shadow.sh (645 bytes ) - added by bdubbs@… 4 years ago.
shadow script for use inside chroot

Download all attachments as: .zip

Change History (9)

comment:1 by bdubbs@…, 4 years ago

In my initial review, it appears that the new tarball is just a drop in. None of the seds or other instructions need ot be changed.

comment:2 by DJ Lucas, 4 years ago

su.c:376:3: error: too few arguments to function ‘snprintf’

Needs: sed '/snprintf/s@_msg,@_msg, 256,@' -i src/su.c

Edit: I had a broken search pattern, it needs the search string and was missing second comma above. Tested, checks OK.

Last edited 4 years ago by DJ Lucas (previous) (diff)

comment:3 by bdubbs@…, 4 years ago

I don't understand DJ. The book's current instructions worked fine for me.

OK. Made a script and logged it. Ran in chroot.

The only reference to su.c is:

gcc -DHAVE_CONFIG_H -I. -I.. -I../lib -I../libmisc -DLOCALEDIR=\"/usr/share/locale\" -g -O2 -MT su.o -MD -MP -MF .deps/su.Tpo -c -o su.o su.c
su.c: In function 'main':
su.c:1162:12: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

argv[-1] = cp;

mv -f .deps/su.Tpo .deps/su.Po

The LFS build was SVN-20170122.

Last edited 4 years ago by bdubbs@… (previous) (diff)

by bdubbs@…, 4 years ago

Attachment: build-shadow.sh added

shadow script for use inside chroot

comment:4 by DJ Lucas, 4 years ago

I'm sorry, that's for shadow with Linux-PAM, not needed for LFS, only BLFS.

See:

https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194

Also:

https://github.com/shadow-maint/shadow/commit/924cc346475dea7dc394316cd7c3d5d0414e538e

From src/su.c:

#ifdef USE_PAM
static char kill_msg[256];
static char wait_msg[256];

comment:5 by bdubbs@…, 4 years ago

Yes, just figured that out.

comment:6 by DJ Lucas, 4 years ago

Okay, as to the security vulnerability using getlogin, still an issue in 4.4.

Fix for CVE-2016-6251: https://bugzilla.suse.com/attachment.cgi?id=684679 And the Suse bug (links to the patch): https://bugzilla.suse.com/show_bug.cgi?id=979282 This one is clearly not applied.

I was not able to find a patch for CVE-2016-6252 to verify, but reading the bugs suggests that it was fixed in 4.3.1. The bugs were crossed, so ignore comment #1, but read comments 2-4 at https://github.com/shadow-maint/shadow/issues/27 for details.

comment:7 by bdubbs@…, 4 years ago

I checked the patch and two of the hunks are already applied. For the other:

sed -i -e '/47/d' -e /60,65/d' libmisc/myname.c

will do it.

comment:8 by bdubbs@…, 4 years ago

Resolution: fixed
Status: newclosed

Fixed at revision 11174.

Note: See TracTickets for help on using tickets.