Refresh patches

Dropped patches:
- 0001-Typos-fix-in-german-translation-of-man-pages.patch
- 0002-Last-bits-of-enabling-subuids.patch
- 0003-Dutch-translation-update.patch
- 0004-Updated-Czech-translation.patch
- 0005-Update-for-German-man-pages.patch
- 0006-French-manpage-translation.patch
- 0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
- 0008-su-properly-clear-child-PID.patch
- 1010_vietnamese_translation
- 301-Reset-pid_child-only-if-waitpid-was-successful.patch

debian/patches/0001-Typos-fix-in-german-translation-of-man-pages.patch

@@ -1,44 +0,0 @@
-From bdd68116b7c5f3cbb29ea4fe3bb81e338e9544f7 Mon Sep 17 00:00:00 2001
-From: Simon Kainz <simon@familiekainz.at>
-Date: Wed, 18 Jan 2017 17:24:04 +0100
-Subject: [PATCH 1/2] Typos fix in german translation of man pages
-
-Reported to Debian BTS in #734609
----
- man/po/de.po | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/man/po/de.po b/man/po/de.po
-index b4d7218..340e15d 100644
---- a/man/po/de.po
-+++ b/man/po/de.po
-@@ -3087,7 +3087,7 @@ msgstr "5"
- #: limits.5.xml:61(refmiscinfo) gshadow.5.xml:48(refmiscinfo)
- #: faillog.5.xml:59(refmiscinfo)
- msgid "File Formats and Conversions"
--msgstr "Dateiformate und -konvertierung"
-+msgstr "Dateiformate und konvertierung"
- 
- #: suauth.5.xml:65(refpurpose)
- msgid "detailed su control file"
-@@ -4370,7 +4370,7 @@ msgstr ""
- 
- #: shadow.5.xml:235(para)
- msgid "An empty field means that the account will never expire."
--msgstr "Ein leeren Feld bedeutet, dass das Konto nicht verfallen wird."
-+msgstr "Ein leeres Feld bedeutet, dass das Konto nicht verfallen wird."
- 
- #: shadow.5.xml:238(para)
- msgid ""
-@@ -6961,7 +6961,7 @@ msgid ""
- "contents of this file should be a message indicating why logins are "
- "inhibited."
- msgstr ""
--"Falls angegeben, der Name einer Datei, dessen Existenz Anmeldungen außer von "
-+"Falls angegeben, der Name einer Datei, deren Existenz Anmeldungen außer von "
- "Root verhindert. Der Inhalt der Datei sollte die Gründe enthalten, weshalb "
- "Anmeldungen untersagt sind."
- 
--- 
-2.1.4
-

debian/patches/0002-Last-bits-of-enabling-subuids.patch

@@ -1,29 +0,0 @@
-From 578d495f91af8dc5dd774d4310ca06f7013712e7 Mon Sep 17 00:00:00 2001
-From: Micah Anderson <micah@riseup.net>
-Date: Wed, 18 Jan 2017 18:06:05 +0100
-Subject: [PATCH 2/2] Last bits of enabling subuids
-
-This patch has been carried by Debian, originally
-submitted to BTS in #739981
----
- src/newusers.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/newusers.c b/src/newusers.c
-index 724cbb4..0c0cfe4 100644
---- a/src/newusers.c
-+++ b/src/newusers.c
-@@ -988,8 +988,8 @@ int main (int argc, char **argv)
- 	is_shadow_grp = sgr_file_present ();
- #endif
- #ifdef ENABLE_SUBIDS
--	is_sub_uid = sub_uid_file_present ();
--	is_sub_gid = sub_gid_file_present ();
-+	is_sub_uid = sub_uid_file_present () && !rflg;
-+	is_sub_gid = sub_gid_file_present () && !rflg;
- #endif				/* ENABLE_SUBIDS */
- 
- 	open_files ();
--- 
-2.1.4
-

debian/patches/0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch

@@ -1,98 +0,0 @@
-From 8a122a90fa2afe39f2b1e56c5d45ea20f486bf0b Mon Sep 17 00:00:00 2001
-From: Lars Bahner <bahner@debian.org>
-Date: Thu, 19 Jan 2017 17:50:24 +0100
-Subject: [PATCH 7/7] Fix some spelling issues in the Norwegian translation
-
----
- po/nb.po | 13 +++++++------
- po/nl.po |  8 ++++----
- 2 files changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/po/nb.po b/po/nb.po
-index d42a864..7ad1ecb 100644
---- a/po/nb.po
-+++ b/po/nb.po
-@@ -7,12 +7,13 @@
- # Bjørn Steensrud <bjornst@powertech.no>, 2006.
- # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009, 2012.
- # Hans Fredrik Nordhaug <hans@nordhaug.priv.no>, 2012.
-+# Lars Bahner <bahner@debian.org>, 2015
- msgid ""
- msgstr ""
- "Project-Id-Version: shadow 4.0.17\n"
- "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
- "POT-Creation-Date: 2016-09-18 14:03-0500\n"
--"PO-Revision-Date: 2012-01-18 17:19+0100\n"
-+"PO-Revision-Date: 2015-09-30 18:15+0100\n"
- "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
- "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
- "Language: nb\n"
-@@ -20,7 +21,7 @@ msgstr ""
- "Content-Type: text/plain; charset=UTF-8\n"
- "Content-Transfer-Encoding: 8bit\n"
- "Plural-Forms: nplurals=2; plural=(n != 1);\n"
--"X-Generator: Lokalize 1.2\n"
-+"X-Generator: Poedit 1.7.5\n"
- 
- #, c-format
- msgid ""
-@@ -48,10 +49,9 @@ msgstr "feil med oppsettet - ukjent element «%s» (kontakt administrator)\n"
- msgid "%s: nscd did not terminate normally (signal %d)\n"
- msgstr "%s: nscd avsluttet ikke normallt (signal %d)\n"
- 
--#, fuzzy, c-format
--#| msgid "%s: nscd exited with status %d"
-+#, c-format
- msgid "%s: nscd exited with status %d\n"
--msgstr "%s: nscd avsluttet med status %d"
-+msgstr "%s: nscd avsluttet med status %d\n"
- 
- msgid "Password: "
- msgstr "Passord: "
-@@ -415,8 +415,9 @@ msgstr "passwd: %s\n"
- msgid "passwd: password unchanged\n"
- msgstr "passwd: passordet er uendret\n"
- 
-+#, fuzzy
- msgid "passwd: password updated successfully\n"
--msgstr "passwd: passorder ble oppdatert\n"
-+msgstr "passwd: passordet ble oppdatert\n"
- 
- #, c-format
- msgid "Incorrect password for %s.\n"
-diff --git a/po/nl.po b/po/nl.po
-index 923c1d1..6cbabdd 100644
---- a/po/nl.po
-+++ b/po/nl.po
-@@ -745,7 +745,7 @@ msgstr "%s: ongeldige naam: '%s'\n"
- 
- #, c-format
- msgid "%s: room number with non-ASCII characters: '%s'\n"
--msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'"
-+msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'\n"
- 
- #, c-format
- msgid "%s: invalid room number: '%s'\n"
-@@ -1571,7 +1571,7 @@ msgstr "Ongeldig wachtwoord.\n"
- 
- #, c-format
- msgid "%s: failure forking: %s\n"
--msgstr "%s: nieuw proces beginnen is mislukt: %s"
-+msgstr "%s: nieuw proces beginnen is mislukt: %s\n"
- 
- #, c-format
- msgid "%s: GID '%lu' does not exist\n"
-@@ -2633,8 +2633,8 @@ msgstr "Kon bestand niet vergrendelen"
- msgid "Couldn't make backup"
- msgstr "Kon geen reservekopie maken"
- 
--#| msgid "Unable to open group file\n"
--msgid "failed to open scratch file"
-+#| msgid "Unable to open group file"
-+msgid "failed to open scratch file\n"
- msgstr "initieel bestand openen is mislukt\n"
- 
- #| msgid "%s: fields too long\n"
--- 
-2.1.4
-

debian/patches/0008-su-properly-clear-child-PID.patch

@@ -1,60 +0,0 @@
-From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 23 Feb 2017 09:47:29 -0600
-Subject: [PATCH] su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.
----
- src/su.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,11 +363,13 @@
- 				/* wake child when resumed */
- 				kill (pid, SIGCONT);
- 				stop = false;
-+			} else {
-+				pid_child = 0;
- 			}
- 		} while (!stop);
- 	}
- 
--	if (0 != caught) {
-+	if (0 != caught && 0 != pid_child) {
- 		(void) fputs ("\n", stderr);
- 		(void) fputs (_("Session terminated, terminating shell..."),
- 		              stderr);
-@@ -377,9 +379,22 @@
- 		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
- 
- 		(void) signal (SIGALRM, kill_child);
-+		(void) signal (SIGCHLD, catch_signals);
- 		(void) alarm (2);
- 
--		(void) wait (&status);
-+		sigemptyset (&ourset);
-+		if ((sigaddset (&ourset, SIGALRM) != 0)
-+		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-+			kill_child (0);
-+		} else {
-+			while (0 == waitpid (pid_child, &status, WNOHANG)) {
-+				sigsuspend (&ourset);
-+			}
-+			pid_child = 0;
-+			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-+		}
-+
- 		(void) fputs (_(" ...terminated.\n"), stderr);
- 	}
- 

debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch

@@ -1,29 +0,0 @@
-From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 14 May 2017 17:58:10 +0200
-Subject: [PATCH] Reset pid_child only if waitpid was successful.
-
-Do not reset the pid_child to 0 if the child process is still
-running. This else-condition can be reached with pid being -1,
-therefore explicitly test this condition.
-
-This is a regression fix for CVE-2017-2616. If su receives a
-signal like SIGTERM, it is not propagated to the child.
-
-Reported-by: Radu Duta <raduduta@gmail.com>
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
----
- src/su.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
- 				/* wake child when resumed */
- 				kill (pid, SIGCONT);
- 				stop = false;
--			} else {
-+			} else if (   (pid_t)-1 != pid) {
- 				pid_child = 0;
- 			}
- 		} while (!stop);

debian/patches/401_cppw_src.dpatch

@@ -5,10 +5,8 @@
 ## DP: Add cppw / cpgr
 
 @DPATCH@
-Index: shadow-4.4/src/cppw.c
-===================================================================
 --- /dev/null
-+++ shadow-4.4/src/cppw.c
++++ b/src/cppw.c
 @@ -0,0 +1,238 @@
 +/*
 +  cppw, cpgr  copy with locking given file over the password or group file
@@ -248,11 +246,9 @@ Index: shadow-4.4/src/cppw.c
 +	return 0;
 +}
 +
-Index: shadow-4.4/src/Makefile.am
-===================================================================
---- shadow-4.4.orig/src/Makefile.am
-+++ shadow-4.4/src/Makefile.am
-@@ -29,6 +29,7 @@ if ENABLE_SUBIDS
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -30,6 +30,7 @@
  ubin_PROGRAMS += newgidmap newuidmap
  endif
  usbin_PROGRAMS = \
@@ -260,7 +256,7 @@ Index: shadow-4.4/src/Makefile.am
  	chgpasswd \
  	chpasswd \
  	groupadd \
-@@ -90,6 +91,7 @@ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LI
+@@ -90,6 +91,7 @@
  chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
  chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
  chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
@@ -268,11 +264,9 @@ Index: shadow-4.4/src/Makefile.am
  gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
  groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
  groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-Index: shadow-4.4/po/POTFILES.in
-===================================================================
---- shadow-4.4.orig/po/POTFILES.in
-+++ shadow-4.4/po/POTFILES.in
-@@ -85,6 +85,7 @@ src/chfn.c
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -85,6 +85,7 @@
  src/chgpasswd.c
  src/chpasswd.c
  src/chsh.c

debian/patches/501_commonio_group_shadow

@@ -2,10 +2,8 @@ Goal: save the [g]shadow files with the 'shadow' group and mode 0440
 
 Fixes: #166793
 
-Index: shadow-4.4/lib/commonio.c
-===================================================================
---- shadow-4.4.orig/lib/commonio.c
-+++ shadow-4.4/lib/commonio.c
+--- a/lib/commonio.c
++++ b/lib/commonio.c
 @@ -44,6 +44,7 @@
  #include <errno.h>
  #include <stdio.h>
@@ -14,7 +12,7 @@ Index: shadow-4.4/lib/commonio.c
  #include "nscd.h"
  #ifdef WITH_TCB
  #include <tcb.h>
-@@ -966,12 +967,23 @@ int commonio_close (struct commonio_db *
+@@ -963,12 +964,23 @@
  			goto fail;
  		}
  	} else {
@@ -38,11 +36,9 @@ Index: shadow-4.4/lib/commonio.c
  	}
  
  	snprintf (buf, sizeof buf, "%s+", db->filename);
-Index: shadow-4.4/lib/sgroupio.c
-===================================================================
---- shadow-4.4.orig/lib/sgroupio.c
-+++ shadow-4.4/lib/sgroupio.c
-@@ -228,7 +228,7 @@ static struct commonio_db gshadow_db = {
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -229,7 +229,7 @@
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif
@@ -51,11 +47,9 @@ Index: shadow-4.4/lib/sgroupio.c
  	0,                      /* st_uid */
  	0,                      /* st_gid */
  	NULL,			/* head */
-Index: shadow-4.4/lib/shadowio.c
-===================================================================
---- shadow-4.4.orig/lib/shadowio.c
-+++ shadow-4.4/lib/shadowio.c
-@@ -104,7 +104,7 @@ static struct commonio_db shadow_db = {
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -105,7 +105,7 @@
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif				/* WITH_SELINUX */

debian/patches/508_nologin_in_usr_sbin

@@ -1,8 +1,6 @@
-Index: git/src/Makefile.am
-===================================================================
---- git.orig/src/Makefile.am
-+++ git/src/Makefile.am
-@@ -23,7 +23,6 @@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -24,7 +24,6 @@
  # $prefix/bin and $prefix/sbin, no install-data hacks...)
  
  bin_PROGRAMS   = groups login su
@@ -10,7 +8,7 @@ Index: git/src/Makefile.am
  ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
  if ENABLE_SUBIDS
  ubin_PROGRAMS += newgidmap newuidmap
-@@ -41,6 +40,7 @@
+@@ -42,6 +41,7 @@
  	grpunconv \
  	logoutd \
  	newusers \

debian/patches/523_su_arguments_are_concatenated

@@ -8,11 +8,9 @@ Status wrt upstream: This is a Debian specific patch.
 Note: the fix of the man page is still missing.
       (to be taken from the trunk)
 
-Index: shadow-4.4/src/su.c
-===================================================================
---- shadow-4.4.orig/src/su.c
-+++ shadow-4.4/src/su.c
-@@ -1155,6 +1155,35 @@ int main (int argc, char **argv)
+--- a/src/su.c
++++ b/src/su.c
+@@ -1201,6 +1201,35 @@
  			argv[0] = "-c";
  			argv[1] = command;
  		}

debian/patches/523_su_arguments_are_no_more_concatenated_by_default

@@ -8,11 +8,9 @@ Etch.
 
 Status wrt upstream: This patch is Debian specific.
 
-Index: shadow-4.4/src/su.c
-===================================================================
---- shadow-4.4.orig/src/su.c
-+++ shadow-4.4/src/su.c
-@@ -104,6 +104,19 @@ static char caller_name[BUFSIZ];
+--- a/src/su.c
++++ b/src/su.c
+@@ -104,6 +104,19 @@
  /* If nonzero, change some environment vars to indicate the user su'd to. */
  static bool change_environment = true;
  
@@ -32,7 +30,7 @@ Index: shadow-4.4/src/su.c
  #ifdef USE_PAM
  static char kill_msg[256];
  static char wait_msg[256];
-@@ -952,6 +965,8 @@ int main (int argc, char **argv)
+@@ -983,6 +996,8 @@
  	int ret;
  #endif				/* USE_PAM */
  
@@ -41,7 +39,7 @@ Index: shadow-4.4/src/su.c
  	(void) setlocale (LC_ALL, "");
  	(void) bindtextdomain (PACKAGE, LOCALEDIR);
  	(void) textdomain (PACKAGE);
-@@ -1159,7 +1174,7 @@ int main (int argc, char **argv)
+@@ -1205,7 +1220,7 @@
  		 * resulting string is always given to the shell with its
  		 * -c option.
  		 */

debian/patches/542_useradd-O_option

@@ -5,10 +5,8 @@ Note: useradd.8 needs to be regenerated.
 Status wrt upstream: not included as this is just specific 
                      backward compatibility for Debian
 
-Index: shadow-4.4/man/useradd.8.xml
-===================================================================
---- shadow-4.4.orig/man/useradd.8.xml
-+++ shadow-4.4/man/useradd.8.xml
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
 @@ -329,6 +329,11 @@
  	    databases are reset to avoid reusing the entry from a previously
  	    deleted user.
@@ -21,11 +19,9 @@ Index: shadow-4.4/man/useradd.8.xml
  	</listitem>
        </varlistentry>
        <varlistentry>
-Index: shadow-4.4/src/useradd.c
-===================================================================
---- shadow-4.4.orig/src/useradd.c
-+++ shadow-4.4/src/useradd.c
-@@ -1056,9 +1056,9 @@ static void process_flags (int argc, cha
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1059,9 +1059,9 @@
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -37,7 +33,7 @@ Index: shadow-4.4/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1181,6 +1181,7 @@ static void process_flags (int argc, cha
+@@ -1184,6 +1184,7 @@
  				kflg = true;
  				break;
  			case 'K':

debian/patches/series

@@ -1,13 +1,3 @@
-0001-Typos-fix-in-german-translation-of-man-pages.patch
-0002-Last-bits-of-enabling-subuids.patch
-0003-Dutch-translation-update.patch
-0004-Updated-Czech-translation.patch
-0005-Update-for-German-man-pages.patch
-0006-French-manpage-translation.patch
-0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
-0008-su-properly-clear-child-PID.patch
-301-Reset-pid_child-only-if-waitpid-was-successful.patch
-
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
@@ -26,5 +16,3 @@
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
-# does not apply cleanly, please merge at upstream
-1010_vietnamese_translation