Control: tags 780139 + pending

Hi Gerrit,

I've prepared an NMU for checkpw (versioned as 1.02-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore

diff -u checkpw-1.02/debian/changelog checkpw-1.02/debian/changelog --- checkpw-1.02/debian/changelog +++ checkpw-1.02/debian/changelog @@ -1,3 +1,10 @@ +checkpw (1.02-1.1) unstable; urgency=high + + * Non-maintainer upload. + * CVE-2015-0885: Fix denial of service via -- in usernames (Closes: #780139) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 13 Mar 2015 14:49:55 +0100 + checkpw (1.02-1) unstable; urgency=low * new upstream point release. only in patch2: unchanged: --- checkpw-1.02.orig/checkapoppw.c +++ checkpw-1.02/checkapoppw.c @@ -85,7 +85,7 @@ pw = getpwnam(login); if (pw) break; if (errno == error_txtbsy) die(111); - for (; ext != login && *ext != '-'; --ext); + do {--ext;} while (ext != login && *ext != '-'); if (ext == login) die(1); if (i) login[i] = '-'; i = ext - login; only in patch2: unchanged: --- checkpw-1.02.orig/checkpw.c +++ checkpw-1.02/checkpw.c @@ -71,7 +71,7 @@ pw = getpwnam(login); if (pw) break; if (errno == error_txtbsy) die(111); - for (; ext != login && *ext != '-'; --ext); + do {--ext;} while (ext != login && *ext != '-'); if (ext == login) die(1); if (i) login[i] = '-'; i = ext - login;
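
Review bot: in the checkapoppw.c hunk the new "do {--ext;} while (ext != login && *ext != '-');" decrements ext before it tests ext != login, so if ext already equals login when this line is reached, the pointer steps below the start of login and the bound check no longer stops the scan. The removed for loop tested before decrementing and did not have this case. The initialisation of ext is outside the visible context, so either confirm that ext cannot equal login on first entry or add an explicit "if (ext == login) die(1);" ahead of the do loop.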
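
Review bot: the replacement loop in the checkpw.c hunk has no comment saying why ext must move back at least one position on every pass, and the same line is duplicated in checkapoppw.c, so a later cleanup could turn it back into the for form in one file and reintroduce the hang the changelog describes. A one-line comment above the do loop referencing CVE-2015-0885 / #780139 would document the intent in both places.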