From 676599b36a92f3c201c5682ee7a5caddd9f370a4 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Fri, 2 Oct 2015 11:34:13 +0200
Subject: Harden putpwent, putgrent, putspent, putspent against injection [BZ
 #18724]

This prevents injection of ':' and '\n' into output functions which
use the NSS files database syntax.  Critical fields (user/group names
and file system paths) are checked strictly.  For backwards
compatibility, the GECOS field is rewritten instead.

The getent program is adjusted to use the put*ent functions in libc,
instead of local copies.  This changes the behavior of getent if user
names start with '-' or '+'.
---
 shadow/putspent.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'shadow/putspent.c')

diff --git a/shadow/putspent.c b/shadow/putspent.c
index 142e697e64..ba8230a482 100644
--- a/shadow/putspent.c
+++ b/shadow/putspent.c
@@ -15,6 +15,8 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+#include <errno.h>
+#include <nss.h>
 #include <stdio.h>
 #include <shadow.h>
 
@@ -31,6 +33,13 @@ putspent (const struct spwd *p, FILE *stream)
 {
   int errors = 0;
 
+  if (p->sp_namp == NULL || !__nss_valid_field (p->sp_namp)
+      || !__nss_valid_field (p->sp_pwdp))
+    {
+      __set_errno (EINVAL);
+      return -1;
+    }
+
   flockfile (stream);
 
   if (fprintf (stream, "%s:%s:", p->sp_namp, _S (p->sp_pwdp)) < 0)
-- 
cgit v1.2.3