From 676599b36a92f3c201c5682ee7a5caddd9f370a4 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Fri, 2 Oct 2015 11:34:13 +0200
Subject: Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
This prevents injection of ':' and '\n' into output functions which use the NSS files database syntax. Critical fields (user/group names and file system paths) are checked strictly. For backwards compatibility, the GECOS field is rewritten instead. The getent program is adjusted to use the put*ent functions in libc, instead of local copies. This changes the behavior of getent if user names start with '-' or '+'.
---
 nss/Makefile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'nss/Makefile')
diff --git a/nss/Makefile b/nss/Makefile
index 02a5016..bbbad85 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -26,6 +26,7 @@ headers := nss.h
 # This is the trivial part which goes into libc itself.
 routines = nsswitch getnssent getnssent_r digits_dots \
+ valid_field valid_list_field rewrite_field \
 $(addsuffix -lookup,$(databases))
 # These are the databases that go through nss dispatch.
@@ -47,8 +48,10 @@ install-bin := getent makedb
 makedb-modules = xmalloc hash-string
 extra-objs += $(makedb-modules:=.o)
+tests-static = tst-field
 tests = test-netdb tst-nss-test1 test-digits-dots \
- tst-nss-getpwent bug17079
+ tst-nss-getpwent bug17079 \
+ $(tests-static)
 xtests = bug-erange
 # Specify rules for the nss_* modules. We have some services.
@@ -83,8 +86,7 @@ libnss_db-inhibit-o = $(filter-out .os,$(object-suffixes))
 ifeq ($(build-static-nss),yes)
 routines += $(libnss_files-routines)
 static-only-routines += $(libnss_files-routines)
-tests-static = tst-nss-static
-tests += $(tests-static)
+tests-static += tst-nss-static
 endif
 include ../Rules
-- cgit v1.1
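Review bot: The `tests` assignment in the second hunk now depends on late expansion of `$(tests-static)`, and nothing in the file says so. The third hunk drops `tests += $(tests-static)` and only appends `tst-nss-static` to `tests-static` under `build-static-nss`, so that test reaches `tests` solely because `tests` is defined with recursive `=`. If `tests` were ever changed to `:=`, `tst-nss-static` would silently stop running, so I would add a comment above the assignment such as `# tests must stay recursively expanded (=): tests-static is appended to further down.` A one-line comment on `tests-static = tst-field` saying why the field-validation test is linked statically would also help; presumably the helpers added to `routines` are not exported from the shared libc, but that is not visible in this Makefile.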