Re-inject the changes from 4.1.2.1.

nekral-guest 2008-07-11 22:20:43 +00:00
parent 5b194e290c
commit 21c692d23f
3 changed files with 54 additions and 36 deletions


@ -1,3 +1,7 @@
2008-07-12 Nicolas François <nicolas.francois@centraliens.net>
* ChangeLog, NEWS, src/login.c: Re-inject the changes from 4.1.2.1.
2008-07-11 Nicolas François <nicolas.francois@centraliens.net> 2008-07-11 Nicolas François <nicolas.francois@centraliens.net>
* src/usermod.c: Do not call usr_update() if it will have no * src/usermod.c: Do not call usr_update() if it will have no
@ -1236,6 +1240,22 @@
* configure.in: Allow --disable-man and --enable-man=no. * configure.in: Allow --disable-man and --enable-man=no.
2008-06-26 Nicolas François <nicolas.francois@centraliens.net>
Prepare the 4.1.2.1 release
* NEWS: set the release date.
* man/po/*.po, po/*.po: Updated PO files.
* configure.in: Set the version to 4.1.2.1.
2008-06-26 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, src/login.c: Fix an "audit log injection" vulnerability in
login. This is similar to CVE-2008-1926 (util-linux-ng's login).
This vulnerability makes it easier for attackers to hide
activities by modifying portions of log events, e.g. by appending
an addr= statement to the login name.
* lib/prototypes.h: Added definition of AUDIT_NO_ID.
2008-05-25 Nicolas François <nicolas.francois@centraliens.net> 2008-05-25 Nicolas François <nicolas.francois@centraliens.net>
Prepare the 4.1.2 release Prepare the 4.1.2 release

10
NEWS

@ -1,6 +1,6 @@
$Id$ $Id$
shadow-4.1.2 -> shadow-4.1.3 UNRELEASED shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED
*** general: *** general:
- newusers - newusers
@ -9,6 +9,14 @@ shadow-4.1.2 -> shadow-4.1.3 UNRELEASED
* Allow adding LDAP users (or any user not present in the local passwd * Allow adding LDAP users (or any user not present in the local passwd
file) to local groups file) to local groups
shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008
*** security
- Fix an "audit log injection" vulnerability in login.
This vulnerability makes it easier for attackers to hide activities by
modifying portions of log events, e.g. by appending an addr= statement
to the login name.
shadow-4.1.1 -> shadow-4.1.2 25-05-2008 shadow-4.1.1 -> shadow-4.1.2 25-05-2008
*** security: *** security:


@ -745,31 +745,19 @@ int main (int argc, char **argv)
} }
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
{ audit_fd = audit_open ();
struct passwd *pw; audit_log_acct_message (audit_fd,
char buf[64]; AUDIT_USER_LOGIN,
NULL, /* Prog. name */
audit_fd = audit_open (); "login",
/* local, no need for xgetpwnam */ (NULL!=username)?username
pw = getpwnam (username); :"(unknown)",
if (NULL != pw) { AUDIT_NO_ID,
snprintf (buf, sizeof (buf), hostname,
"uid=%lu", NULL, /* addr */
(unsigned long) pw->pw_uid); tty,
audit_log_user_message 0); /* result */
(audit_fd, AUDIT_USER_LOGIN, close (audit_fd);
buf, hostname, NULL,
tty, 0);
} else {
snprintf (buf, sizeof (buf),
"acct=%s", username);
audit_log_user_message
(audit_fd, AUDIT_USER_LOGIN,
buf, hostname, NULL,
tty, 0);
}
close (audit_fd);
}
#endif /* WITH_AUDIT */ #endif /* WITH_AUDIT */
fprintf (stderr, "\nLogin incorrect\n"); fprintf (stderr, "\nLogin incorrect\n");
@ -1050,16 +1038,18 @@ int main (int argc, char **argv)
} }
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
{ audit_fd = audit_open ();
char buf[32]; audit_log_acct_message (audit_fd,
AUDIT_USER_LOGIN,
audit_fd = audit_open (); NULL, /* Prog. name */
snprintf (buf, sizeof (buf), "uid=%lu", "login",
(unsigned long) pwd->pw_uid); NULL, /* user's name => use uid */
audit_log_user_message (audit_fd, AUDIT_USER_LOGIN, (unsigned int) pwd->pw_uid,
buf, hostname, NULL, tty, 1); hostname,
close (audit_fd); NULL, /* addr */
} tty,
1); /* result */
close (audit_fd);
#endif /* WITH_AUDIT */ #endif /* WITH_AUDIT */
#ifndef USE_PAM /* pam_lastlog handles this */ #ifndef USE_PAM /* pam_lastlog handles this */
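Review bot: Both new audit blocks use the descriptor from `audit_open ()` without checking it, so if the audit socket cannot be opened the code still calls `audit_log_acct_message` and then `close (audit_fd)` with a negative descriptor. The return value of `audit_log_acct_message` is also discarded, so a failed or successful login can go unrecorded in the audit trail with no indication anywhere else. I would guard each block with `if (audit_fd >= 0) { ... close (audit_fd); }` and report a non-positive result from `audit_log_acct_message` through whatever logging login already uses, as far as that fits its failure policy. Separately, the failed-login path now always passes `AUDIT_NO_ID`, so records for existing accounts carry the account name rather than the uid the old code looked up; a comment such as `/* always log acct=, never uid=, for failed logins */` would tell people who maintain audit rules that this is intentional. Both blocks are inside `main`, whose body extends beyond these hunks.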