From 676599b36a92f3c201c5682ee7a5caddd9f370a4 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Fri, 2 Oct 2015 11:34:13 +0200
Subject: Harden putpwent, putgrent, putspent, putspent against injection [BZ
 #18724]

This prevents injection of ':' and '\n' into output functions which
use the NSS files database syntax.  Critical fields (user/group names
and file system paths) are checked strictly.  For backwards
compatibility, the GECOS field is rewritten instead.

The getent program is adjusted to use the put*ent functions in libc,
instead of local copies.  This changes the behavior of getent if user
names start with '-' or '+'.
---
 pwd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'pwd/Makefile')

diff --git a/pwd/Makefile b/pwd/Makefile
index 7f6de03..af09734 100644
--- a/pwd/Makefile
+++ b/pwd/Makefile
@@ -28,7 +28,7 @@ routines := fgetpwent getpw putpwent \
 	    getpwent getpwnam getpwuid \
 	    getpwent_r getpwnam_r getpwuid_r fgetpwent_r
 
-tests := tst-getpw
+tests := tst-getpw tst-putpwent
 
 include ../Rules
 
-- 
cgit v1.1