[lfs-dev] Bug#832170: shadow: CVE-2016-6252: Incorrect integer handling

Bruce Dubbs bruce.dubbs at gmail.com
Sat Jul 23 21:53:00 PDT 2016

William Harrington wrote:
> On Sat, 23 Jul 2016 11:24:58 -0500
> "Douglas R. Reno" <renodr at linuxfromscratch.org> wrote:
>> Bruce Dubbs wrote:
>>> I can find no description for this vulnerability.  The links just say
>>> that the Debian version is vulnerable and unfixed.  Looking at Mitre,
>>> they just say the CVE entry is reserved.
>>> Without any detail, there is nothing we can do.
>>> RedHat does say the vulnerability is 'local'
>>> I did find this:
>>> http://seclists.org/oss-sec/2016/q3/115

>> The CVE will remain reserved as long as a company like Novell (SuSE) or
>> RedHat feels like it. There is no policy on that. There are several that
>> have been released publicly that still say reserved thanks to the
>> actions of those companies. Canonical is probably the same way. See the
>> emails I forwarded privately for patches and such. I don't think Mailman
>> would approve of me forwarding all 7 of them at one time.
> Hello Douglas,
> Thank you for the Shadow resources. I've also been watching the
> pkg-shadow-devel list for a long time. There are many updates since the
> last Shadow release, and a new maintainer is also in the mix. They are
> planning a Shadow 4.3 release which fixes a lot of issues. Be on the
> lookout for it in a few weeks/months. The release has been slow moving.
> Please review changes at https://github.com/shadow-maint/shadow

That's interesting William.  That site has a 4.3.0 release but not the 
4.2.1 release at http://pkg-shadow.alioth.debian.org/releases. The 
filename is 4.3.0.tar.gz (no stem, just a number). That was apparently 
released March 16 of this year.

It's not a very good 'release'.  There is no configure.  There are no man 
pages -- they need to be generated and that uses xml2po. Evidently that is 
in gnome-doc-utils but we definitely won't have that in LFS.

To get it to build, I had to remove the man and po subdirectories in the 
Makefile.  The --disable-man and --disable-nls did not work.  We would 
need to create those files separately and include them as a separate 
download or create our own proper tarball with everything.

   -- Bruce
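The workaround Bruce describes above, dropping the man and po subdirectories from the build of a git-snapshot tarball that ships no configure script, pregenerated man pages or gettext catalogs, as an added example. This is not code from the thread or from the shadow project; it assumes (unverified against shadow 4.3.0) that the top-level Makefile.am carries a single-line "SUBDIRS = ..." assignment, and the directory list in the sample file is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from shadow itself.
# Removes the man and po subdirectories from an automake SUBDIRS line so a
# git-snapshot tarball with no pregenerated man pages or gettext catalogs
# can build without xml2po.  Assumes (not verified against shadow 4.3.0)
# that the top-level Makefile.am carries a single-line "SUBDIRS = ..." entry.

# subdirs_without FILE DIR...
#   Print FILE's SUBDIRS value with every listed DIR removed.
subdirs_without() {
    file=$1; shift
    line=$(sed -n 's/^SUBDIRS[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
    out=""
    for word in $line; do
        keep=1
        for drop in "$@"; do
            if [ "$word" = "$drop" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="${out}${out:+ }${word}"; fi
    done
    printf '%s\n' "$out"
}

# rewrite_subdirs FILE DIR...
#   Rewrite FILE's SUBDIRS line in place, leaving every other line intact.
rewrite_subdirs() {
    file=$1
    new=$(subdirs_without "$@")
    tmp=$(mktemp)
    sed "s/^SUBDIRS[[:space:]]*=.*/SUBDIRS = $new/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample Makefile.am (the directory list is illustrative, not
# copied from shadow).
demo_dir=$(mktemp -d)
cat > "$demo_dir/Makefile.am" <<'EOF'
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = po man libmisc lib src contrib doc etc
EXTRA_DIST = NEWS README
EOF

rewrite_subdirs "$demo_dir/Makefile.am" man po
cat "$demo_dir/Makefile.am"
# With the subdirectories gone, regenerate the build system and build as usual:
#   autoreconf -fiv && ./configure --sysconfdir=/etc && make
```

Editing Makefile.am rather than the generated Makefile means the change survives the autoreconf run that a configure-less snapshot needs anyway; the man pages and message catalogs then have to be supplied separately, as the message notes.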
