From 5725327f6f31b02c7507deda8d4aeae2fb18d60c Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler
Date: Thu, 8 Jan 2026 00:00:58 +0100
Subject: [PATCH] Import upstream patches to fix hash check
Closes: #1124835
---
 .../chpasswd-Disable-broken-hash-check.patch | 34 ----------------
 ...h.c-is_valid_hash-Accept-as-the-hash.patch | 39 +++++++++++++++++++
 debian/patches/series | 3 +-
 ...ash.c-is_valid_hash-Accept-a-leading.patch | 39 +++++++++++++++++++
 4 files changed, 80 insertions(+), 35 deletions(-)
 delete mode 100644 debian/patches/debian/chpasswd-Disable-broken-hash-check.patch
 create mode 100644 debian/patches/debian/lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch
 create mode 100644 debian/patches/upstream/lib-chkhash.c-is_valid_hash-Accept-a-leading.patch
diff --git a/debian/patches/debian/chpasswd-Disable-broken-hash-check.patch b/debian/patches/debian/chpasswd-Disable-broken-hash-check.patch
deleted file mode 100644
index d4b4625d..00000000
--- a/debian/patches/debian/chpasswd-Disable-broken-hash-check.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Chris Hofstaedtler
-Date: Wed, 7 Jan 2026 11:07:34 +0100
-Subject: chpasswd: Disable broken hash check
-
-See Debian bug #1124835.
----
- src/chpasswd.c | 14 --------------
- 1 file changed, 14 deletions(-)
-
-diff --git a/src/chpasswd.c b/src/chpasswd.c
-index ea96dc7..8d24ae6 100644
---- a/src/chpasswd.c
-+++ b/src/chpasswd.c
-@@ -574,20 +574,6 @@ int main (int argc, char **argv)
- #endif /* USE_PAM */
- {
-
-- /*
-- * Prevent adding a non valid hash to /etc/shadow and
-- * potentialy lock account
-- */
--
-- if (eflg) {
-- if (!is_valid_hash(newpwd)) {
-- fprintf (stderr,
-- _("%s: (line %jd, user %s) invalid password hash\n"),
-- Prog, line, name);
-- errors = true;
-- continue;
-- }
-- }
- const struct spwd *sp;
- struct spwd newsp;
- const struct passwd *pw;
diff --git a/debian/patches/debian/lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch b/debian/patches/debian/lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch
new file mode 100644
index 00000000..461368fb
--- /dev/null
+++ b/debian/patches/debian/lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch
@@ -0,0 +1,39 @@
+From: Alejandro Colomar
+Date: Wed, 7 Jan 2026 23:44:26 +0100
+Subject: lib/chkhash.c: is_valid_hash(): Accept '*' as the hash
+
+This is widely accepted as an invalid hash, to remove password access
+for an account (that is, no passwords will match the "hash").
+
+Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
+Closes:
+Closes:
+Reported-by: Chris Hofstaedtler
+Cc: vinz
+Signed-off-by: Alejandro Colomar
+---
+ lib/chkhash.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/chkhash.c b/lib/chkhash.c
+index 4bf98f8..46b3863 100644
+--- a/lib/chkhash.c
++++ b/lib/chkhash.c
+@@ -8,6 +8,7 @@
+ #include
+
+ #include "string/strcmp/strprefix.h"
++#include "string/strcmp/streq.h"
+
+ /*
+ * match_regex - return true if match, false if not
+@@ -42,6 +43,9 @@ is_valid_hash(const char *hash)
+
+ hash = strprefix(hash, "!") ?: hash;
+
++ if (streq(hash, "*"))
++ return true;
++
+ // Minimum hash length
+ if (strlen(hash) < 13)
+ return false;
diff --git a/debian/patches/series b/debian/patches/series
index b0e00872..e18febf1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,4 +8,5 @@ debian/Adapt-login.defs-for-Debian.patch
 debian/Stop-building-programs-we-do-not-install.patch
 debian/Warn-when-badname-and-variants-are-given.patch
 debian/configure.ac-align-exec_prefix-with-prefix.patch
-debian/chpasswd-Disable-broken-hash-check.patch
+upstream/lib-chkhash.c-is_valid_hash-Accept-a-leading.patch
+debian/lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch
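Review bot: In the second inner hunk of lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch, `is_valid_hash()` now returns true for `*`, which is not a hash at all, and nothing in the code says so. Because the test runs after the leading `!` has been stripped, `!*` is accepted too. A comment above the new test, for example `/* "*" (also "!*") matches no password: it disables password login and is not a real hash */`, would keep a later reader from treating a true result as "this string can authenticate". The body of is_valid_hash() continues outside the hunk, so the remaining checks and the other callers cannot be verified from here.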
diff --git a/debian/patches/upstream/lib-chkhash.c-is_valid_hash-Accept-a-leading.patch b/debian/patches/upstream/lib-chkhash.c-is_valid_hash-Accept-a-leading.patch
new file mode 100644
index 00000000..325331ed
--- /dev/null
+++ b/debian/patches/upstream/lib-chkhash.c-is_valid_hash-Accept-a-leading.patch
@@ -0,0 +1,39 @@
+From: Alejandro Colomar
+Date: Wed, 7 Jan 2026 23:39:53 +0100
+Subject: lib/chkhash.c: is_valid_hash(): Accept a leading '!'
+
+A leading '!' means that the account is locked.
+
+Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
+Link:
+Link:
+Reported-by: Chris Hofstaedtler
+Cc: vinz
+Signed-off-by: Alejandro Colomar
+---
+ lib/chkhash.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/chkhash.c b/lib/chkhash.c
+index 6687050..4bf98f8 100644
+--- a/lib/chkhash.c
++++ b/lib/chkhash.c
+@@ -7,6 +7,7 @@
+ #include
+ #include
+
++#include "string/strcmp/strprefix.h"
+
+ /*
+ * match_regex - return true if match, false if not
+@@ -37,6 +38,10 @@ match_regex(const char *pattern, const char *string)
+ bool
+ is_valid_hash(const char *hash)
+ {
++ const char *p;
++
++ hash = strprefix(hash, "!") ?: hash;
++
+ // Minimum hash length
+ if (strlen(hash) < 13)
+ return false;
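Review bot: After the added `hash = strprefix(hash, "!") ?: hash;` in the second inner hunk, a field that is only `!` becomes the empty string and is rejected by the `strlen(hash) < 13` test right below it; `!!` fails the same way, since only one `!` is removed. If `chpasswd -e` is expected to accept those locked, password-less entries, the case has to be tested before the strip, e.g. `if (strcmp(hash, "!") == 0) return true;`, so that a truly empty field (no password required) is not let through by the same branch. The hunk also adds `const char *p;` without using it in the visible lines, which would trigger an unused-variable warning unless the rest of is_valid_hash(), which continues outside the hunk, uses it.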