From 676599b36a92f3c201c5682ee7a5caddd9f370a4 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Fri, 2 Oct 2015 11:34:13 +0200
Subject: Harden putpwent, putgrent, putspent, putspent against injection [BZ
 #18724]

This prevents injection of ':' and '\n' into output functions which
use the NSS files database syntax.  Critical fields (user/group names
and file system paths) are checked strictly.  For backwards
compatibility, the GECOS field is rewritten instead.

The getent program is adjusted to use the put*ent functions in libc,
instead of local copies.  This changes the behavior of getent if user
names start with '-' or '+'.
---
 gshadow/putsgent.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'gshadow/putsgent.c')

diff --git a/gshadow/putsgent.c b/gshadow/putsgent.c
index 0b2cad6eaa..c1cb921595 100644
--- a/gshadow/putsgent.c
+++ b/gshadow/putsgent.c
@@ -15,9 +15,11 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+#include <errno.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <gshadow.h>
+#include <nss.h>
 
 #define _S(x)	x ? x : ""
 
@@ -29,6 +31,15 @@ putsgent (const struct sgrp *g, FILE *stream)
 {
   int errors = 0;
 
+  if (g->sg_namp == NULL || !__nss_valid_field (g->sg_namp)
+      || !__nss_valid_field (g->sg_passwd)
+      || !__nss_valid_list_field (g->sg_adm)
+      || !__nss_valid_list_field (g->sg_mem))
+    {
+      __set_errno (EINVAL);
+      return -1;
+    }
+
   _IO_flockfile (stream);
 
   if (fprintf (stream, "%s:%s:", g->sg_namp, _S (g->sg_passwd)) < 0)
-- 
cgit v1.2.3