[Pkg-shadow-commits] r1072 - in branches/sarge: debian src

Nicolas FRANCOIS nekral-guest at costa.debian.org
Sat Aug 5 01:57:23 UTC 2006


Author: nekral-guest
Date: 2006-08-05 01:57:17 +0000 (Sat, 05 Aug 2006)
New Revision: 1072

Modified:
   branches/sarge/debian/changelog
   branches/sarge/debian/control
   branches/sarge/src/passwd.c
Log:
1:4.0.3-31sarge8 candidate for proposed-updates.


Modified: branches/sarge/debian/changelog
===================================================================
--- branches/sarge/debian/changelog	2006-08-05 00:49:14 UTC (rev 1071)
+++ branches/sarge/debian/changelog	2006-08-05 01:57:17 UTC (rev 1072)
@@ -1,3 +1,16 @@
+shadow (1:4.0.3-31sarge8) proposed-updates; urgency=low
+
+  * Add Nicolas FRANCOIS to the Uploaders.
+
+  * SECURITY UPDATE: CVE-2006-3378: Root privilege escalation.
+  * src/passwd.c:
+    - Check for failing setuid() (which can happen if user hits PAM
+      limits). Before, passwd continued to run as root and executed
+      chfn/chsh/gpasswd as root instead of as the user.
+    - Thanks to Sune Kloppenborg Jeppesen for pointing this out.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sat,  5 Aug 2006 02:53:20 +0200
+
 shadow (1:4.0.3-31sarge7) proposed-updates; urgency=high
 
   * Bump version to circumvent a 4.0.3-31sarge6 version full of autotools
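
Review bot: urgency=low on the 1:4.0.3-31sarge8 header is at odds with the entry's own description of the change as a root privilege escalation fix (CVE-2006-3378); the sarge7 entry just below used urgency=high. Consider raising the urgency. The bullet "Check for failing setuid()" should also state which condition is tested, so that a reader can compare the changelog against the code in src/passwd.c.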

Modified: branches/sarge/debian/control
===================================================================
--- branches/sarge/debian/control	2006-08-05 00:49:14 UTC (rev 1071)
+++ branches/sarge/debian/control	2006-08-05 01:57:17 UTC (rev 1072)
@@ -3,7 +3,7 @@
 Priority: required
 Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
 Standards-Version: 3.6.1.1
-Uploaders: Christian Perrier <bubulle at debian.org>, Sam Hartman <hartmans at debian.org>
+Uploaders: Christian Perrier <bubulle at debian.org>, Sam Hartman <hartmans at debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>
 Build-Depends: autoconf, automake1.7, libtool, bzip2, gettext, libpam0g-dev [!hurd-i386], texinfo, file, debhelper (>= 4.1.16), po-debconf, libpam-runtime (>= 0.76-14)
 
 Package: passwd

Modified: branches/sarge/src/passwd.c
===================================================================
--- branches/sarge/src/passwd.c	2006-08-05 00:49:14 UTC (rev 1071)
+++ branches/sarge/src/passwd.c	2006-08-05 01:57:17 UTC (rev 1072)
@@ -30,7 +30,7 @@
 #include <config.h>
 
 #include "rcsid.h"
-RCSID (PKG_VER "$Id$")
+RCSID (PKG_VER "$Id: passwd.c 6 2005-03-20 15:34:28Z bubulle $")
 #include "prototypes.h"
 #include "defines.h"
 #include <sys/types.h>
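
Review bot: the RCSID line replaces the `$Id$` keyword with an already-expanded string (revision 6, 2005-03-20), which is unrelated to the CVE-2006-3378 fix and will no longer track the file now that the property change at the end of this commit drops svn:keywords. Keep `$Id$` unexpanded here, or move the keyword change to a separate commit so the security patch touches only the setuid path.
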
@@ -958,7 +958,13 @@
 	if (argc > 1 && argv[1][0] == '-' && strchr ("gfs", argv[1][1])) {
 		char buf[200];
 
-		setuid (getuid ());
+		uid_t uid = getuid();
+		setuid (uid);
+		if (getuid() != uid) {
+		    perror("cannot set user id");
+		    SYSLOG ((LOG_ERR, "setuid to %i failed", uid));
+		    exit(E_FAILURE);
+		}
 		switch (argv[1][1]) {
 		case 'g':
 			argv[1] = GPASSWD_PROGRAM;	/* XXX warning: const */
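
Review bot: the added check `if (getuid() != uid)` cannot detect the failure it is meant to catch, because uid was read from getuid() two lines earlier and a failed setuid() leaves the real uid unchanged, so the comparison is always false and execution still reaches the switch with root privileges in effect. Test the return value instead, for example `if (setuid (uid) != 0)`, or compare geteuid() against uid after the call. Minor points: uid is a uid_t but is logged with %i, so cast it to match the format; and the new lines mix tabs and spaces where the surrounding code is indented with tabs only.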


Property changes on: branches/sarge/src/passwd.c
___________________________________________________________________
Name: svn:keywords
   - Author Date Id Revision



