Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]

This prevents injection of ':' and '\n' into output functions which
use the NSS files database syntax.  Critical fields (user/group names
and file system paths) are checked strictly.  For backwards
compatibility, the GECOS field is rewritten instead.

The getent program is adjusted to use the put*ent functions in libc,
instead of local copies.  This changes the behavior of getent if user
names start with '-' or '+'.

1 files changed, 5 insertions, 5 deletions

diff --git a/NEWS b/NEWS
index e8b59a4676..4634b74ebf 100644
--- a/NEWS
+++ b/NEWS
@@ -13,11 +13,11 @@ Version 2.23
   15918, 16141, 16296, 16347, 16415, 16517, 16519, 16520, 16521, 16620,
   16734, 16973, 16985, 17118, 17243, 17244, 17250, 17441, 17787, 17886,
   17887, 17905, 18084, 18086, 18240, 18265, 18370, 18421, 18480, 18525,
-  18595, 18610, 18618, 18647, 18661, 18674, 18675, 18681, 18757, 18778,
-  18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820, 18823, 18824,
-  18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887, 18921, 18951,
-  18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977, 18980, 18981,
-  18985, 19003, 19016, 19032, 19046.
+  18595, 18610, 18618, 18647, 18661, 18674, 18675, 18681, 18724, 18757,
+  18778, 18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820, 18823,
+  18824, 18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887, 18921,
+  18951, 18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977, 18980,
+  18981, 18985, 19003, 19016, 19032, 19046.
 
 * The obsolete header <regexp.h> has been removed.  Programs that require
   this header must be updated to use <regex.h> instead.