[Slackware-current] glibc 2.17, shadow, and other penumbrae
1 Attachment(s)
Pat (and Michael Semon): good job catching the login issue with glibc 2.17.
I've patched shadow 4.1.5.1 to properly handle NULL crypt() returns under glibc 2.17+ and submitted it to upstream here. However, I also wanted to share it with the Slackware community. So, here it is, hot off the press. Patch applies against latest stable shadow 4.1.5.1. Pat, your patch prevents the nonexistent user log-in issue Michael found but causes undesired behavior in other callers. On a FIPS-140 system I tested with either DES or MD5 ENCRYPT_METHOD, setting a new password will not fail as it should but returns with apparent success having set password: "!!$6$8IIcy/1EPOk/$..." You asked about other user-land potentially affected by the new crypt() behavior. Below is a partial list I've put together that should help you as you work towards the next release:
as I discover them. Cheers. --mancha |
Thanks, mancha. Trying it out here now.
|
2 Attachment(s)
Update 5/19/13
--mancha |
1 Attachment(s)
Update 5/22/13
A small bug slipped into the yp-tools patch. The result is an unnecessary call to crypt(). Please update with corrected patch. Cheers. --mancha |
Quote:
To me, if you couldn't invent a unit test that shows the first patch has a problem fixed by the second patch, then there is no bug. |
Update 6/11/2013
--mancha |
Update 6/29/13
--mancha |
Update 7/2/13
Note: The backport commit with my fixes for KDE/kdm & KDE/kcheckpass missed the tag/release deadline for 4.10.5 by 1 or 2 days. I edited the recommendations in post #7 above. |
Update 7/3/13
Others have expressed interest in the work I have been documenting here but don't always have access to LQ download links. So, I have uploaded all patches referenced so far to a sourceforge project. From here on in, I will provide upstream links to patches (if possible) and mirror on sourceforge rather than upload to LQ directly. Digest file will be signed with the following key: Code:
PGP Key ID: 0xB5ABF4FFF7048E92 |
Update 7/10/13
--mancha |
Update 7/12/2013
For Slackware's 20th, I give it and the community a bit more of my code...
--mancha |
Update 7/15/13
--mancha |
Update 7/24/13
This concludes phase 1 of my audit of userland affected by glibc crypt changes. A considerable amount of code was reviewed and fixes developed. CVE identifiers were requested for the more serious security vulnerabilities. While not exhaustive, I believe I've covered all stock Slackware packages affected so Slackware 14.1 should be good to go on that front. I've also looked into a few SBo offerings. During phase 2 I will not actively search for vulnerable program suites but will continue to use this thread to alert the community about any additional problems and/or fixes I come across or author during my normal usage. --mancha |
Thanks for your efforts mancha.
|
Thanks mancha, your help was greatly appreciated!
|
My sincere thanks for your efforts, mancha.
|
Update 10/4/2013
--mancha |
All times are GMT -5. The time now is 07:08 PM. |