[lfs-dev] Bug#832170: shadow: CVE-2016-6252: Incorrect integer handling
bruce.dubbs at gmail.com
Sat Jul 23 21:53:00 PDT 2016
William Harrington wrote:
> On Sat, 23 Jul 2016 11:24:58 -0500
> "Douglas R. Reno" <renodr at linuxfromscratch.org> wrote:
>> Bruce Dubbs wrote:
>>> I can find no description for this vulnerability. The links just say
>>> that the Debian version is vulnerable and unfixed. Looking at Mitre,
>>> they just say the CVE entry is reserved.
>>> Without any detail, there is nothing we can do.
>>> RedHat does say the vulnerability is 'local'
>>> I did find this:
>> The CVE will remain reserved as long as a company like Novell (SuSE) or
>> RedHat feels like it. There is no policy on that. There are several that
>> have been released publicly that still say reserved thanks to the
>> actions of those companies. Canonical is probably the same way. See the
>> emails I forwarded privately for patches and such. I don't think Mailman
>> would approve of me forwarding all 7 of them at one time.
> Hello Douglas,
> Thank you for the Shadow resources. I've also been watching the
> pkg-shadow-devel list for a long time. There are many updates since the
> last Shadow release, and a new maintainer is also in the mix. They are
> planning a Shadow 4.3 release which fixes a lot of issues. Be on the
> lookout for it in a few weeks/months. The release has been slow moving.
> Please review changes at https://github.com/shadow-maint/shadow
That's interesting, William. That site has a 4.3.0 release but not the
4.2.1 release at http://pkg-shadow.alioth.debian.org/releases. The
filename is 4.3.0.tar.gz (no stem, just a number). That was apparently
released March 16 of this year.
It's not a very good 'release'. There is no configure. There are no man
pages -- they need to be generated and that uses xml2po. Evidently that is
in gnome-doc-utils but we definitely won't have that in LFS.
To get it to build, I had to remove the man and po subdirectories in the
Makefile. The --disable-man and --disable-nls did not work. We would
need to create those files separately and include them as a separate
download or create our own proper tarball with everything.
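One way to script the workaround Bruce describes (dropping the man and po subdirectories from the automake SUBDIRS list before building the 4.3.0 snapshot), as an added example that is not part of this thread and not the shadow project's own build scripts. It assumes an automake tree whose top-level Makefile.am carries a SUBDIRS line naming man and po (the exact line in shadow 4.3.0 is an assumption; the Makefile.am written by make_sample_makefile_am is a constructed sample), and that autoreconf can regenerate the missing configure script from configure.ac:

```shell
#!/bin/sh
# Added example, not from the thread or the shadow project.
# Assumption: the top-level Makefile.am lists the doc and translation
# directories on a SUBDIRS line, e.g. "SUBDIRS = lib libmisc man po src".

# strip_subdirs FILE DIR...: rewrite the SUBDIRS assignment in FILE without
# the named directories; everything else in the file is left as it was.
# Prints the resulting SUBDIRS line.
strip_subdirs() {
    file=$1; shift
    drop=" $* "
    awk -v drop="$drop" '
        /^SUBDIRS[[:space:]]*=/ {
            sub(/^SUBDIRS[[:space:]]*=/, "")        # keep only the dir list
            out = "SUBDIRS ="
            for (i = 1; i <= NF; i++)
                if (!index(drop, " " $i " ")) out = out " " $i
            print out; next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    grep '^SUBDIRS' "$file"
}

# has_subdir FILE DIR: exit 0 if DIR is still listed in SUBDIRS, 1 otherwise.
# Useful as a check before running configure, so a typo in the directory
# name does not silently leave man/ (and its xml2po dependency) in the build.
has_subdir() {
    awk -v d="$2" '
        /^SUBDIRS[[:space:]]*=/ {
            sub(/^SUBDIRS[[:space:]]*=/, "")
            for (i = 1; i <= NF; i++) if ($i == d) found = 1
        }
        END { exit !found }' "$1"
}

# make_sample_makefile_am: write a constructed Makefile.am (not the real
# shadow one) to a temp file and print its path.
make_sample_makefile_am() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Process this file with automake to produce Makefile.in
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = lib libmisc man po src contrib etc
EXTRA_DIST = NEWS README
EOF
    printf '%s\n' "$f"
}

# build_without_docs SRCDIR: regenerate the autotools files (the snapshot
# tarball ships no configure), drop the directories that need the xml2po and
# gettext tooling, then configure and build. Not invoked by the checks below;
# it needs autoconf, automake, libtool and the extracted source tree.
# Add the site's usual configure options (e.g. --sysconfdir=/etc) as needed.
build_without_docs() {
    srcdir=$1
    ( cd "$srcdir" \
      && strip_subdirs Makefile.am man po \
      && ! has_subdir Makefile.am man \
      && ! has_subdir Makefile.am po \
      && autoreconf -fiv \
      && ./configure \
      && make )
}
```

Dropping man from SUBDIRS also removes the man pages from `make install`, so they still have to be supplied separately, as the message above notes; the stripping only removes the build-time dependency on xml2po.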