Revert "[AUTOPATCHER-CORE] Patched shadow-utils to address CVE-2023-29383 - (#5439)" (#5458)

This reverts commit dcf65bb327.
Sam Meluch 2023-05-04 19:49:38 -05:00 committed by GitHub
parent 419265a08e
commit 39e584023c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 48 deletions

@ -1,42 +0,0 @@
From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
Date: Thu, 23 Mar 2023 23:39:38 +0000
Subject: [PATCH] Added control character check
Added control character check, returning -1 (to "err") if control characters are present.
---
lib/fields.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/fields.c b/lib/fields.c
index 640be931f..fb51b5829 100644
--- a/lib/fields.c
+++ b/lib/fields.c
@@ -21,9 +21,9 @@
*
* The supplied field is scanned for non-printable and other illegal
* characters.
- * + -1 is returned if an illegal character is present.
- * + 1 is returned if no illegal characters are present, but the field
- * contains a non-printable character.
+ * + -1 is returned if an illegal or control character is present.
+ * + 1 is returned if no illegal or control characters are present,
+ * but the field contains a non-printable character.
* + 0 is returned otherwise.
*/
int valid_field (const char *field, const char *illegal)
@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
}
if (0 == err) {
- /* Search if there are some non-printable characters */
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
if (!isprint (*cp)) {
err = 1;
+ }
+ if (!iscntrl (*cp)) {
+ err = -1;
break;
}
}
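Review bot: in the loop of valid_field in the patch file this revert deletes, the added test `if (!iscntrl (*cp))` is inverted. It sets err = -1 and breaks on the first character that is not a control character, so any field containing an ordinary printable character is rejected, while a control character itself only reaches `err = 1`. The revert message does not give this (or any) reason, and dropping the patch leaves CVE-2023-29383 without a fix in this package. Suggest stating the reason in the commit message and re-landing the check with the condition corrected to `if (iscntrl (*cp)) { err = -1; break; }`.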

@ -1,7 +1,7 @@
Summary: Programs for handling passwords in a secure way
Name: shadow-utils
Version: 4.9
Release: 12%{?dist}
Release: 11%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
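Review bot: the Release line in this hunk goes back from 12 to 11, which reuses an existing release number for a build with different contents. If 4.9-12 reached any repository, the reverted package sorts older than it and will not replace it on upgrade, so hosts keep the build that carries the withdrawn patch. Consider moving forward to a new Release value instead of decrementing.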
@ -22,7 +22,6 @@ Source12: useradd-default
Source13: login-defs
Patch0: chkname-allowcase.patch
Patch1: libsubid-pam-link.patch
Patch2: CVE-2023-29383.patch
BuildRequires: autoconf
BuildRequires: audit-devel
BuildRequires: automake
@ -71,7 +70,6 @@ Libraries and headers for libsubid
%setup -q -n shadow-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
autoreconf -fiv
@ -178,9 +176,6 @@ chmod 000 %{_sysconfdir}/shadow
%{_libdir}/libsubid.so
%changelog
* Tue May 02 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 4.9-12
- Add patch for CVE-2023-29383
* Mon Jul 18 2022 Minghe Ren <mingheren@microsoft.com> - 4.9-11
- Update login-defs, system-auth, passwd to improve security
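Review bot: the %changelog hunk deletes the 4.9-12 entry instead of adding one for the revert, so the spec keeps no record that the CVE-2023-29383 patch was applied and then withdrawn. Suggest keeping the `- Add patch for CVE-2023-29383` entry and adding a new entry above it that notes the revert and the reason, so anyone auditing the package can see the CVE is still open here.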