83aa88466d
This is merely a stability fix, not a security fix. As the root user, it is possible to set time values which later on result in signed integer overflows. For this to work, an sgetspent implementation must be used which supports long values (glibc on amd64 only parses 32 bit, not 64). Either use musl or simply call configure with following environment variable: $ ac_cv_func_sgetspent=no ./configure Also it is recommended to compile with -fsanitize=undefined or -ftrapv to see these issues easily. Examples to trigger issues when calling "chage -l user": $ chage -d 9223372036854775807 user $ chage -d 106751991167300 user $ chage -M 9999 user $ chage -d 90000000000000 user $ chage -I 90000000000000 user $ chage -M 9999 user $ chage -E 9223372036854775807 user While at it, I fixed casting issues which could lead to signed integer overflows on systems which still have a 32 bit time_t. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Shadow SITES ============ Homepage http://github.com/shadow-maint/shadow Issue tracker http://github.com/shadow-maint/shadow/issues Releases https://github.com/shadow-maint/shadow/releases Mailing lists for general discuss: pkg-shadow-devel@alioth-lists.debian.net commit list: pkg-shadow-commits@alioth-lists.debian.net Mailing lists subscription http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits Mailing lists archives: http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/ http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/ S/Key support: Shadow can be built with S/Key support using the S/Key package from: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/ or http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2 Authors and contributors ======================== Thanks to at least the following people for sending patches, bug reports and various comments. This list may be incomplete, I received a lot of mail... Adam Rudnicki <adam@v-lo.krakow.pl> Alan Curry <pacman@tardis.mars.net> Aleksa Sarai <cyphar@cyphar.com> Alexander O. Yuriev <alex@bach.cis.temple.edu> Algis Rudys <arudys@rice.edu> Andreas Jaeger <aj@arthur.rhein-neckar.de> Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it> Anton Gluck <gluc@midway.uchicago.edu> Arkadiusz Miskiewicz <misiek@pld.org.pl> Ben Collins <bcollins@debian.org> Brian R. Gaeke <brg@dgate.org> Calle Karlsson <ckn@kash.se> Chip Rosenthal <chip@unicom.com> Chris Evans <lady0110@sable.ox.ac.uk> Chris Lamb <chris@chris-lamb.co.uk> Cristian Gafton <gafton@sorosis.ro> Dan Walsh <dwalsh@redhat.com> Darcy Boese <possum@chardonnay.niagara.com> Dave Hagewood <admin@arrowweb.com> David A. Holland <dholland@hcs.harvard.edu> David Frey <David.Frey@lugs.ch> Ed Carp <ecarp@netcom.com> Ed Neville <ed@s5h.net> Eric W. Biederman" <ebiederm@xmission.com> Floody <flood@evcom.net> Frank Denis <j@4u.net> George Kraft IV <gk4@us.ibm.com> Greg Mortensen <loki@world.std.com> Guido van Rooij Guy Maor <maor@debian.org> Hrvoje Dogan <hdogan@bjesomar.srce.hr> Jakub Hrozek <jhrozek@redhat.com> Janos Farkas <chexum@bankinf.banki.hu> Jason Franklin <jason.franklin@quoininc.com> Jay Soffian <jay@lw.net> Jesse Thilo <Jesse.Thilo@pobox.com> Joey Hess <joey@kite.ml.org> John Adelsberger <jja@umr.edu> Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us> Jon Lewis <jlewis@lewis.org> Joshua Cowan <jcowan@hermit.reslife.okstate.edu> Judd Bourgeois <shagboy@bluesky.net> Juergen Heinzl <unicorn@noris.net> Juha Virtanen <jiivee@iki.fi> Julian Pidancet <julian.pidancet@gmail.com> Julianne Frances Haugh <jockgrrl@ix.netcom.com> Leonard N. Zubkoff <lnz@dandelion.com> Luca Berra <bluca@www.polimi.it> Lukáš Kuklínek <lkukline@redhat.com> Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de> Marc Ewing <marc@redhat.com> Martin Bene <mb@sime.com> Martin Mares <mj@gts.cz> Michael Meskes <meskes@topsystem.de> Michael Talbot-Wilson <mike@calypso.bns.com.au> Michael Vetter <jubalh@iodoru.org> Mike Frysinger <vapier@gentoo.org> Mike Pakovic <mpakovic@users.southeast.net> Nicolas François <nicolas.francois@centraliens.net> Nikos Mavroyanopoulos <nmav@i-net.paiko.gr> Pavel Machek <pavel@bug.ucw.cz> Peter Vrabec <pvrabec@redhat.com> Phillip Street Rafał Maszkowski <rzm@icm.edu.pl> Rani Chouha <ranibey@smartec.com> Sami Kerola <kerolasa@rocketmail.com> Scott Garman <scott.a.garman@intel.com> Sebastian Rick Rijkers <srrijkers@gmail.com> Seraphim Mellos <mellos@ceid.upatras.gr> Shane Watts <shane@nexus.mlckew.edu.au> Steve M. Robbins <steve@nyongwa.montreal.qc.ca> Thorsten Kukuk <kukuk@suse.de> Tim Hockin <thockin@eagle.ais.net> Timo Karjalainen <timok@iki.fi> Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es> Werner Fink <werner@suse.de> Maintainers =========== Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007) Nicolas François <nicolas.francois@centraliens.net> (2007-2014) Serge E. Hallyn <serge@hallyn.com> (2014-now) Christian Brauner <christian@brauner.io> (2019-now)