shadow: CVE-2017-12424: newusers fails with multiple users

Debian Bug report logs - #756630
shadow: CVE-2017-12424: newusers fails with multiple users

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Manfred Richter <manfred@dri.at>

To: submit@bugs.debian.org

Subject: Package:newusers

Date: Thu, 31 Jul 2014 16:28:58 +0200

[Message part 1 (text/plain, inline)]

Package:newusers



1. There are no such programs as *installation-report *and*reportbug

2. My problem:
*What happend to the program "newusers"?

root@srv2:~# newusers new_users
*** Error in `newusers': double free or corruption (!prev): 
0x000000000193e200 ***
Aborted

[Message part 2 (text/html, inline)]

Message #8 received at 756630@bugs.debian.org (full text, mbox, reply):

From: Andrei POPESCU <andreimpopescu@gmail.com>

To: Manfred Richter <manfred@dri.at>, 756630@bugs.debian.org

Cc: passwd@packages.debian.org

Subject: Re: Bug#756630: Package:newusers

Date: Thu, 31 Jul 2014 21:17:06 +0300

[Message part 1 (text/plain, inline)]

Control: reassign -1 passwd

On Jo, 31 iul 14, 16:28:58, Manfred Richter wrote:
> Package:newusers
> 
> 
> 
> 1. There are no such programs as *installation-report *and*reportbug

https://packages.debian.org/reportbug
https://packages.debian.org/installation-report

> 2. My problem:
> *What happend to the program "newusers"?
> 
> root@srv2:~# newusers new_users
> *** Error in `newusers': double free or corruption (!prev):
> 0x000000000193e200 ***
> Aborted
> 

-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 756630@bugs.debian.org (full text, mbox, reply):

From: Mattia Monga <monga@debian.org>

To: 756630@bugs.debian.org

Subject: newusers fails with multiple users

Date: Tue, 2 Sep 2014 09:59:09 +0200

 I can confirm the bug on jessie.

newusers file

works correctly if file contains just one line, but it fails when it
has multiple entries

*** Error in `newusers': free(): invalid next size (fast): 0xf95b5ed8 ***
Aborted



The bug is know also here

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675


Best,

-- 
Mattia Monga

Message #20 received at 756630@bugs.debian.org (full text, mbox, reply):

From: Mònica Ramírez Arceda <monica@debian.org>

To: 756630@bugs.debian.org

Subject: newusers fails adding multiple users

Date: Tue, 21 Jun 2016 11:42:25 +0200

Hi,

I can confirm this bug. Using a file with 5 new users I get the
following error:

# newusers 5users.csv 
*** Error in `newusers': double free or corruption (!prev): 0x0000000001ae2d10 ***
Aborted

A curious detail: if the first 4 users are already created and I run
newusers, the 5th one is added without problems. If I have 6 users in
the file and the first 5 users are already created the 6th one is added
without problems. And so on.

$ dpkg -s passwd | grep 'Version'
Version: 1:4.2-3.1

Message #25 received at 756630@bugs.debian.org (full text, mbox, reply):

From: "Serge E. Hallyn" <serge@hallyn.com>

To: Mònica Ramírez Arceda <monica@debian.org>, 756630@bugs.debian.org

Subject: Re: [Pkg-shadow-devel] Bug#756630: newusers fails adding multiple users

Date: Sat, 25 Jun 2016 17:36:52 -0500

On Tue, Jun 21, 2016 at 11:42:25AM +0200, Mònica Ramírez Arceda wrote:
> Hi,
> 
> I can confirm this bug. Using a file with 5 new users I get the
> following error:
> 
> # newusers 5users.csv 
> *** Error in `newusers': double free or corruption (!prev): 0x0000000001ae2d10 ***
> Aborted

Could you run that in gdb and show the backtrace here?  It smells like
a bad realloc.

> A curious detail: if the first 4 users are already created and I run
> newusers, the 5th one is added without problems. If I have 6 users in
> the file and the first 5 users are already created the 6th one is added
> without problems. And so on.
> 
> $ dpkg -s passwd | grep 'Version'
> Version: 1:4.2-3.1
> 
> _______________________________________________
> Pkg-shadow-devel mailing list
> Pkg-shadow-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel

Message #30 received at 756630@bugs.debian.org (full text, mbox, reply):

From: James Collier <jcollier-debian@matahua.com>

To: 756630@bugs.debian.org

Subject: Re: [Pkg-shadow-devel] Bug#756630: newusers fails adding multiple users

Date: Mon, 17 Apr 2017 11:36:47 +1200

As requested:
$  file /usr/sbin/newusers
/usr/sbin/newusers: ELF 64-bit LSB shared object, x86-64, version 1 
(SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for 
GNU/Linux 2.6.32, 
BuildID[sha1]=7dffe9a6fe6e2d86a9181e9928d8baea6b389c78, stripped
...
(gdb) run newusers
Starting program: /usr/sbin/newusers newusers
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
*** Error in `/usr/sbin/newusers': double free or corruption (!prev): 
0x00005555557812e0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff71f6067 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff71f6067 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff71f7448 in __GI_abort () at abort.c:89
#2  0x00007ffff72341b4 in __libc_message (do_abort=do_abort@entry=1, 
fmt=fmt@entry=0x7ffff7329210 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff723998e in malloc_printerr (action=1, str=0x7ffff7329318 
"double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff723a696 in _int_free (av=<optimized out>, p=<optimized 
out>, have_lock=0) at malloc.c:3840
#5  0x000055555555f027 in ?? ()
#6  0x000055555555cdb5 in ?? ()
#7  0x000055555555cf6e in ?? ()
#8  0x000055555555a359 in ?? ()
#9  0x00005555555581e5 in ?? ()
#10 0x00007ffff71e2b45 in __libc_start_main (main=0x555555557870, 
argc=2, argv=0x7fffffffe978, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe968) at 
libc-start.c:287
#11 0x00005555555593d7 in ?? ()
(gdb)

Message #35 received at 756630@bugs.debian.org (full text, mbox, reply):

From: Tomas Mraz <tmraz@fedoraproject.org>

To: James Collier <jcollier-debian@matahua.com>, 756630@bugs.debian.org

Subject: Re: [Pkg-shadow-devel] Bug#756630: Bug#756630: newusers fails adding multiple users

Date: Tue, 18 Apr 2017 13:19:32 +0200

On Mon, 2017-04-17 at 11:36 +1200, James Collier wrote:
> As requested:
> $  file /usr/sbin/newusers
> /usr/sbin/newusers: ELF 64-bit LSB shared object, x86-64, version 1 
> (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
> for 
> GNU/Linux 2.6.32, 
> BuildID[sha1]=7dffe9a6fe6e2d86a9181e9928d8baea6b389c78, stripped
> ...
> (gdb) run newusers
> Starting program: /usr/sbin/newusers newusers
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-
> gnu/libthread_db.so.1".
> *** Error in `/usr/sbin/newusers': double free or corruption
> (!prev): 
> 0x00005555557812e0 ***

This should be fixed by 
https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952

Tomas Mraz

Message #40 received at 756630@bugs.debian.org (full text, mbox, reply):

From: Seth Arnold <seth.arnold@canonical.com>

To: 756630@bugs.debian.org

Subject: Use CVE-2017-12424.

Date: Fri, 4 Aug 2017 11:08:05 -0700

[Message part 1 (text/plain, inline)]

Hello; even though this doesn't directly allow crossing security
boundaries I thought it best to make this visible in case management
tools may have their boundaries crossed due to this.

Use CVE-2017-12424.

Thanks

[signature.asc (application/pgp-signature, inline)]

Message #49 received at 756630-close@bugs.debian.org (full text, mbox, reply):

From: Balint Reczey <rbalint@ubuntu.com>

To: 756630-close@bugs.debian.org

Subject: Bug#756630: fixed in shadow 1:4.5-1

Date: Wed, 27 Sep 2017 17:19:07 +0000

Source: shadow
Source-Version: 1:4.5-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 756630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <rbalint@ubuntu.com> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Sep 2017 12:45:23 -0400
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.5-1
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Balint Reczey <rbalint@ubuntu.com>
Description:
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 756630 857803 865762
Changes:
 shadow (1:4.5-1) unstable; urgency=medium
 .
   * New upstream version 4.5
     - Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
       (Closes: #756630)
     - Make the sp_lstchg shadow field reproducible (Closes: #857803)
     - Fix regression in useradd not loading defaults properly.
       (Closes: #865762)
   * Refresh patches
   * Drop patches manipulating su argument concatenation:
   * Cut redundant information from Debian-specific README files
   * Revert adding pts/0 and pts/1 to securetty.
     Adding pts/* defeats the purpose of securetty. Let containers add it if
     needed as described in #830255.
   * Use my @ubuntu.com email address in Maintainer field
Checksums-Sha1:
 f13fd80b70b35fabdbeeffb86971c2f1fe06f89b 2282 shadow_4.5-1.dsc
 16f366e1b2bb7dbc53af91dbdd2d03e1702cf919 1344524 shadow_4.5.orig.tar.xz
 f694c1310522e5f36f1a5c110152ed04865187c3 462752 shadow_4.5-1.debian.tar.xz
Checksums-Sha256:
 1e93b2e4cb3f0f14a52dd9603bf8153f31a3117c580c0b46fd94822437516ff6 2282 shadow_4.5-1.dsc
 22b0952dc944b163e2370bb911b11ca275fc80ad024267cf21e496b28c23d500 1344524 shadow_4.5.orig.tar.xz
 0aa8980eddef9159ee6532d40bda92237ad2163dcc2bb6601aecc415ab9662ee 462752 shadow_4.5-1.debian.tar.xz
Files:
 85e9f6101d566e975a4dd09bb11f5b3d 2282 admin required shadow_4.5-1.dsc
 dc6263258eab3dbeb66c8687841ae4a9 1344524 admin required shadow_4.5.orig.tar.xz
 34ff6d315dcccec4b2ec5e96f79f48af 462752 admin required shadow_4.5-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIwBAEBCAAaBQJZy9hUExxyYmFsaW50QHVidW50dS5jb20ACgkQ9mTSVrRpGn3B
2A/7BZz3Jc4aV1O0O0EfLSreUqxOeEAH0s6OtlMgzamLfbKMeqoB37PYHt1YEYRO
GV79XLUB1tU0heEvymDunpLSf+DiO3Ae1BcxjejTI3wjPIZHdHDaI4QR1kVV/INz
WvBTutzzUQZ07IDBrkzdlYOCgoet+TCFOPVy5YPxoQxnKm/3dPqVTwHVUO7ZT1px
2cvfJUXUhthlHzvqru7Rb0FXAotgqh75AL6wyvtJghfm/wVQAjLoc5dvbYezwFwV
2C9k/6N2slrg+3D+sUcH520K9WgQLF1K8ftNbTyFn9Np2tWXLcot6UtjM/7GnTYo
ymfYv+1dElUezrHVjlXgf51msbPX/p4tfCg/NRGJRj5XSXAGU2UP1dS2uLs0kqre
1AQA/VhOPGTFyHUSvtS8DzGO0jDCXCecnE7JE7jtozcNihpMXkzRXFAmgowFnxfP
lhyn418vdgRmJaRsm8oo0XTESDEKQjxYs3w5hUfHBby9x3q5Cr7qWw/7ufRiAc7p
jFNVqOpg/af/kD3Pcg96hBCBBCSThV23ql6bMMdCaBEWQZYedpO+zz/QO/6ULnWL
cCgs05RlxLKr849D8mDqJwiKWc7vrmlXI0tJIz6uouMBivocFmLfIE1m5OPrKEkT
ZGfWwVxJf6DPiSAPxhenJi8jBsYM6i1IjC6TPiLhbQOSklQ=
=oGpF
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.