Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shadow for openSUSE:Factory checked in at 2022-10-26 12:31:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shadow (Old) and /work/SRC/openSUSE:Factory/.shadow.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shadow" Wed Oct 26 12:31:12 2022 rev:49 rq:1030965 version:4.12.3 Changes: -------- --- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2022-08-26 09:08:04.957371783 +0200 +++ /work/SRC/openSUSE:Factory/.shadow.new.2275/shadow.changes 2022-10-26 12:31:13.396239518 +0200 @@ -1,0 +2,7 @@ +Mon Oct 24 22:04:41 UTC 2022 - Michael Vetter <mvetter@suse.com> + +- Add shadow-prefix-overflow.patch: + Fix buffer overflow when calling useradd with --prefix + See https://github.com/shadow-maint/shadow/pull/588 + +------------------------------------------------------------------- New: ---- shadow-prefix-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shadow.spec ++++++ --- /var/tmp/diff_new_pack.Pg5PYZ/_old 2022-10-26 12:31:14.972242887 +0200 +++ /var/tmp/diff_new_pack.Pg5PYZ/_new 2022-10-26 12:31:14.976242896 +0200 @@ -59,6 +59,8 @@ Patch8: useradd-userkeleton.patch # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions. Patch9: disable_new_audit_function.patch +# PATCH-FIX-UPSTREAM shadow-prefix-overflow.patch mvetter@suse.com -- Fix buffer overflow when using --prefix in useradd +Patch10: https://github.com/shadow-maint/shadow/commit/eaebea55a495a56317ed85e959b359... BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake 
@@ -129,6 +131,7 @@ %if 0%{?suse_version} < 1330 %patch9 -p1 %endif +%patch10 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO ++++++ shadow-prefix-overflow.patch ++++++ From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001 From: David Michael <fedora.dm0@gmail.com> Date: Sun, 23 Oct 2022 18:51:33 -0400 Subject: [PATCH] useradd: Fix buffer overflow when using a prefix The buffer length did not count the string's trailing null byte. Signed-off-by: David Michael <fedora.dm0@gmail.com> --- src/useradd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/useradd.c b/src/useradd.c index 39a744ee0..7ea0a9c4d 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -2372,7 +2372,7 @@ static void create_mail (void) if (NULL == spool) { return; } - file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2); + file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3); if (prefix[0]) sprintf (file, "%s/%s/%s", prefix, spool, user_name); else
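Review bot: In the shadow.spec hunk, Patch10 is given as a GitHub commit URL, while the changelog entry and the "New:" list name the file shadow-prefix-overflow.patch. The URL is cut off in this mail, so confirm that it resolves to that file name in the package sources, or reference the local file name the way Patch8 and Patch9 do. The PATCH-FIX-UPSTREAM comment could also cite the upstream pull request already given in shadow.changes (https://github.com/shadow-maint/shadow/pull/588), so the origin of the fix is visible from the spec alone.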
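Review bot: In the src/useradd.c hunk (create_mail), the size passed to alloca() and the format string of the sprintf() that follows are still kept in sync by hand, which is how the off-by-one arose. "%s/%s/%s" needs the three string lengths plus two slashes plus the terminating null byte, so + 3 is correct for the prefixed branch, but nothing enforces it if the format changes again. Suggest computing the size once into a size_t variable and calling snprintf (file, size, ...) in both branches, so a future mismatch truncates instead of writing past the buffer. Separately, prefix comes from the --prefix option, so its length sizes a stack allocation through alloca(), which cannot report failure; a heap allocation with a NULL check would be the safer choice here.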