shadow: CVE-2016-6252: Incorrect integer handling


Debian Bug report logs - #832170


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 23 Jul 2016 08:51:02 UTC

Severity: important

Tags: fixed-upstream, pending, security, upstream

Found in version shadow/1:4.2-3

Fixed in version shadow/1:4.4-1

Done: Balint Reczey <balint@balintreczey.hu>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/shadow-maint/shadow/issues/27



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#832170; Package src:shadow. (Sat, 23 Jul 2016 08:51:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sat, 23 Jul 2016 08:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shadow: CVE-2016-6252: Incorrect integer handling
Date: Sat, 23 Jul 2016 10:46:42 +0200
Source: shadow
Version: 1:4.1.5.1-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for shadow.

CVE-2016-6252[0]:
incorrect integer handling

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6252

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://github.com/shadow-maint/shadow/issues/27'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 13:00:03 GMT)


No longer marked as found in versions shadow/1:4.1.5.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Aug 2016 19:51:11 GMT)


Marked as found in versions shadow/1:4.2-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Aug 2016 19:51:12 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 08 Dec 2016 17:33:29 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#832170; Package src:shadow. (Tue, 27 Dec 2016 15:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 27 Dec 2016 15:33:05 GMT)


Message #18 received at 832170@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 832170@bugs.debian.org
Subject: Re: Bug#832170: shadow: CVE-2016-6252: Incorrect integer handling
Date: Tue, 27 Dec 2016 16:29:49 +0100
Control: tags -1 + pending

On Sat, Jul 23, 2016 at 10:46:42AM +0200, Salvatore Bonaccorso wrote:
> CVE-2016-6252[0]:
> incorrect integer handling
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

The fix for the incorrect integer handling seems to be included in
shadow 4.3.1 upstream, and in the packaging since
https://anonscm.debian.org/git/pkg-shadow/shadow.git/commit/?id=68cd195044deb448c865d267499e1e4fd9322057

Could you please include the bug closer and CVE id once the new
version gets uploaded for unstable?

Thanks in advance and regards,
Salvatore



Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 832170-submit@bugs.debian.org. (Tue, 27 Dec 2016 15:33:05 GMT)


Reply sent to Balint Reczey <balint@balintreczey.hu>:
You have taken responsibility. (Fri, 06 Jan 2017 17:09:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 06 Jan 2017 17:09:07 GMT)


Message #25 received at 832170-close@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 832170-close@bugs.debian.org
Subject: Bug#832170: fixed in shadow 1:4.4-1
Date: Fri, 06 Jan 2017 17:04:28 +0000
Source: shadow
Source-Version: 1:4.4-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832170@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <balint@balintreczey.hu> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 06 Jan 2017 16:19:18 +0100
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Balint Reczey <balint@balintreczey.hu>
Description:
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 725793 801707 832170
Changes:
 shadow (1:4.4-1) unstable; urgency=medium
 .
   [ Christian Perrier ]
   * Imported Upstream version 4.2
   * Debian patch: Fix typo in su.1.xml
   * Configure userns
   * Vietnamese translation update
   * French translation update (Closes: #725793)
   * German translation update
   * Update NEWS file
   * Issue a warning if no manpages have been generated
   * Regenerate PO files
   * Regenerate manpages PO files
   * Imported Upstream version 4.2.1
 .
   [ Serge Hallyn ]
   * Import new upstream
   * Patch changes:
     - Update 501_commonio_group_shadow to work with upstream changes
     - Update 1010_vietnamese_translation
     - Drop userns patches which are now all upstream
 .
   [ Balint Reczey ]
   * Update debian/watch to use GitHub releases
   * Imported Upstream version 4.4
     - Fix incorrect integer handling (CVE-2016-6252) (Closes: #832170)
   * Disable Vietnamese translation patch because it does not apply cleanly
   * Bump debhelper compat level to 10
   * ACK NMU by Samuel Thibault dropping the patch which is integrated
     upstream
   * Stop build-depending on build-essential dpkg-dev
   * Tag login package as essential properly
   * Adopt the package under the Shadow Team's umbrella (Closes: #801707)





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#832170; Package src:shadow. (Thu, 23 Feb 2017 23:54:03 GMT)


Message #28 received at 832170@bugs.debian.org:

From: pkg-shadow-devel@lists.alioth.debian.org
To: 832170@bugs.debian.org, 832170-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the shadow package
Date: Thu, 23 Feb 2017 23:51:32 +0000
tag 832170 + pending
thanks

Some bugs in the shadow package are closed in revision
dd729b3572a957a12d83d3f1549ea05e1d269839 in branch 'jessie' by
Balint Reczey

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/commit/?id=dd729b3

Commit message:

    Fix integer overflow in getulong.c (CVE-2016-6252)
    
    Closes: #832170




Added tag(s) pending. Request was from pkg-shadow-devel@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 23 Feb 2017 23:54:08 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#832170. (Thu, 23 Feb 2017 23:54:36 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Mar 2017 07:28:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:21:20 2019; Machine Name: beach
