Update changelog for 1:4.13+dfsg1-1+deb12u2 release

Closes: #1122913

debian/NEWS

@@ -1,11 +1,3 @@
-shadow (1:4.13+dfsg1-2) unstable; urgency=medium
-
-  The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
-  affects authentication.  The historical default of letting all users with
-  empty password field in without authentication is still in effect.
-
- -- Balint Reczey <balint@balintreczey.hu>  Mon, 25 Sep 2023 17:04:09 +0200
-
 shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
 
   Login now prevents an empty password field to be interpreted as

debian/changelog

@@ -1,51 +1,22 @@
-shadow (1:4.13+dfsg1-5) unstable; urgency=medium
+shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
 
-  * Add myself to Uploaders, per discussion with Serge Hallyn
-  * Apply wrap-and-sort -kas style
-  * Use debputy to avoid Rules-Requires-Root: binary-targets
-  * libsubid4: tighten package-internal dependencies
+  * Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
 
-  [ Serge Hallyn ]
-  * Drop pam_lastlog.so from config. (Closes: #1068229)
-  * Stop installing lastlog binary.
+ -- Chris Hofstaedtler <zeha@debian.org>  Sun, 14 Dec 2025 15:00:01 +0100
 
- -- Chris Hofstaedtler <zeha@debian.org>  Sun, 02 Jun 2024 20:01:51 +0200
-
-shadow (1:4.13+dfsg1-4) unstable; urgency=medium
-
-  [ Helmut Grohne ]
-  * DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
-
- -- Serge Hallyn <serge@hallyn.com>  Sun, 04 Feb 2024 20:28:27 +0000
-
-shadow (1:4.13+dfsg1-3) unstable; urgency=medium
-
-  * Team upload
-  * Remove myself from uploaders
-
- -- Balint Reczey <balint@balintreczey.hu>  Sun, 15 Oct 2023 19:10:52 +0200
-
-shadow (1:4.13+dfsg1-2) unstable; urgency=medium
+shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
 
   [ Balint Reczey ]
-  * debian/gitlab-ci.yml: Use sudo to fix reprotest test
-  * debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
-  * debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
-    Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
-  * Cherry-pick upstream patch to fix gpasswd passwd leak
-    (CVE-2023-4641) (Closes: #1051062)
-  * Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
-    control characters into some /etc/passwd fields.
-    (CVE-2023-29383) (Closes: #1034482)
+  * Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
+    CVE-2023-4641
+  * Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
+    CVE-2023-29383
+  * Fix valid_field() that regressed in upstream's chfn fix
 
-  [ Gioele Barabucci ]
-  * Support <nodoc> build profile
-    `xsltproc`, `docbook` and all other XML-related packages are not needed
-    when the `<nodoc>` build profile is active, as long as `./configure` is
-    called with `--disable-man`. (Closes: #1051827)
+  [ Chris Hofstaedtler ]
+  * Update Uploaders: field from unstable
 
-
- -- Balint Reczey <balint@balintreczey.hu>  Tue, 26 Sep 2023 22:01:52 +0200
+ -- Chris Hofstaedtler <zeha@debian.org>  Mon, 07 Apr 2025 12:38:46 +0200
 
 shadow (1:4.13+dfsg1-1) unstable; urgency=medium
 

debian/control

@@ -5,35 +5,33 @@ Uploaders:
  Chris Hofstaedtler <zeha@debian.org>
 Section: admin
 Priority: required
-Build-Depends:
- bison,
- debhelper-compat (= 13),
- dh-sequence-zz-debputy-rrr (>= 0.1.23~),
- docbook-xml <!nodoc>,
- docbook-xsl <!nodoc>,
- gettext,
- itstool <!nodoc>,
- libaudit-dev [linux-any],
- libcrypt-dev,
- libpam0g-dev,
- libselinux1-dev [linux-any],
- libsemanage-dev [linux-any],
- libxml2-utils <!nodoc>,
- quilt,
- xsltproc <!nodoc>
+Build-Depends: debhelper-compat (= 13),
+               gettext,
+               libcrypt-dev,
+               libpam0g-dev,
+               quilt,
+               xsltproc,
+               docbook-xsl,
+               docbook-xml,
+               libxml2-utils,
+               libselinux1-dev [linux-any],
+               libsemanage-dev [linux-any],
+               itstool,
+               bison,
+               libaudit-dev [linux-any]
 Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
 Vcs-Browser: https://salsa.debian.org/debian/shadow
 Homepage: https://github.com/shadow-maint/shadow
-Rules-Requires-Root: no
+Rules-Requires-Root: binary-targets
 
 Package: passwd
 Architecture: any
 Multi-Arch: foreign
-Depends:
- libpam-modules
-Recommends:
- sensible-utils
+Depends: ${shlibs:Depends},
+         ${misc:Depends},
+         libpam-modules
+Recommends: sensible-utils
 Description: change and administer password and group data
  This package includes passwd, chsh, chfn, and many other programs to
  maintain password and group data.
@@ -44,15 +42,13 @@ Package: login
 Architecture: any
 Multi-Arch: foreign
 Essential: yes
-Pre-Depends:
- libpam-modules,
- libpam-runtime
-Breaks:
- hurd (<< 20140206~) [hurd-any]
-Conflicts:
- python-4suite (<< 0.99cvs20060405-1)
-Replaces:
- hurd (<< 20140206~) [hurd-any]
+Pre-Depends: ${shlibs:Depends},
+             ${misc:Depends},
+             libpam-runtime,
+             libpam-modules
+Breaks: hurd (<< 20140206~) [hurd-any]
+Conflicts: python-4suite (<< 0.99cvs20060405-1)
+Replaces: hurd (<< 20140206~) [hurd-any]
 Description: system login tools
  This package provides some required infrastructure for logins and for
  changing effective user or group IDs, including:
@@ -63,6 +59,8 @@ Package: uidmap
 Architecture: any
 Multi-Arch: foreign
 Priority: optional
+Depends: ${shlibs:Depends},
+         ${misc:Depends}
 Description: programs to help use subuids
  These programs help unprivileged users to create uid and gid mappings in
  user namespaces.
@@ -72,6 +70,8 @@ Section: libs
 Priority: optional
 Architecture: any
 Multi-Arch: same
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: subordinate id handling library -- shared library
  The library provides an interface for querying, granding and ungranting
  subordinate user and group ids.
@@ -81,8 +81,7 @@ Section: libdevel
 Priority: optional
 Architecture: any
 Multi-Arch: same
-Depends:
- libsubid4 (= ${binary:Version})
+Depends: ${misc:Depends}, libsubid4 (= ${binary:Version})
 Description: subordinate id handling library -- shared library
  The library provides an interface for querying, granding and ungranting
  subordinate user and group ids.

debian/debputy.manifest

@@ -1,37 +0,0 @@
-manifest-version: '0.1'
-packages:
-  passwd:
-    transformations:
-    - path-metadata:
-        path: usr/bin/chfn
-        mode: "u=rwxs,go=rx"
-    - path-metadata:
-        path: usr/bin/chsh
-        mode: "u=rwxs,go=rx"
-    - path-metadata:
-        path: usr/bin/gpasswd
-        mode: "u=rwxs,go=rx"
-    - path-metadata:
-        path: usr/bin/passwd
-        mode: "u=rwxs,go=rx"
-    - path-metadata:
-        path: usr/bin/chage
-        group: "shadow"
-        mode: "u=rwx,go=rxs"
-    - path-metadata:
-        path: usr/bin/expiry
-        group: "shadow"
-        mode: "u=rwx,go=rxs"
-  login:
-    transformations:
-    - path-metadata:
-        path: usr/bin/newgrp
-        mode: "u=rwxs,go=rx"
-  uidmap:
-    transformations:
-    - path-metadata:
-        path: usr/bin/newgidmap
-        mode: "u=rwxs,go=rx"
-    - path-metadata:
-        path: usr/bin/newuidmap
-        mode: "u=rwxs,go=rx"

debian/gitlab-ci.yml

@@ -1,7 +1,5 @@
 variables:
-  RELEASE: 'unstable'
-  # workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
-  SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
+ RELEASE: 'unstable'
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml

debian/login.defs

@@ -337,6 +337,14 @@ NONEXISTENT	/nonexistent
 #
 #GRANT_AUX_GROUP_SUBIDS yes
 
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+PREVENT_NO_AUTH superuser
+
 #
 # Select the HMAC cryptography algorithm.
 # Used in pam_timestamp module to calculate the keyed-hash message

debian/login.install

@@ -1,6 +1,7 @@
-bin/login usr/bin
 debian/login.defs etc
+usr/share/locale/*/LC_MESSAGES/shadow.mo
 sbin/nologin usr/sbin
 usr/bin/faillog
+usr/bin/lastlog
 usr/bin/newgrp
-usr/share/locale/*/LC_MESSAGES/shadow.mo
+bin/login

debian/login.manpages

@@ -4,6 +4,7 @@ usr/share/man/*/man1/sg.1
 usr/share/man/*/man5/faillog.5
 usr/share/man/*/man5/login.defs.5
 usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
 usr/share/man/*/man8/nologin.8
 usr/share/man/man1/login.1
 usr/share/man/man1/newgrp.1
@@ -11,4 +12,5 @@ usr/share/man/man1/sg.1
 usr/share/man/man5/faillog.5
 usr/share/man/man5/login.defs.5
 usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
 usr/share/man/man8/nologin.8

debian/login.pam

@@ -49,7 +49,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
 # 
 # parsing /etc/environment needs "readenv=1"
 session       required   pam_env.so readenv=1
-# locale variables can also be set in /etc/default/locale
+# locale variables are also kept into /etc/default/locale in etch
 # reading this file *in addition to /etc/environment* does not hurt
 session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 
@@ -77,6 +77,10 @@ auth       optional   pam_group.so
 # (Replaces the use of /etc/limits in old login)
 session    required   pam_limits.so
 
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
 # Prints the status of the user's mailbox upon successful login
 # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
 #

debian/not-installed

@@ -15,7 +15,6 @@ etc/pam.d/passwd
 etc/pam.d/useradd
 etc/pam.d/userdel
 etc/pam.d/usermod
-usr/bin/lastlog
 usr/bin/sg
 usr/lib/*/libsubid.la
 usr/sbin/logoutd
@@ -26,7 +25,6 @@ usr/share/man/*/man1/su.1
 usr/share/man/*/man3/getspnam.3
 usr/share/man/*/man3/shadow.3
 usr/share/man/*/man5/suauth.5
-usr/share/man/*/man8/lastlog.8
 usr/share/man/*/man8/logoutd.8
 usr/share/man/man1/groups.1
 usr/share/man/man1/logoutd.1
@@ -34,6 +32,5 @@ usr/share/man/man1/su.1
 usr/share/man/man3/getspnam.3
 usr/share/man/man3/shadow.3
 usr/share/man/man5/suauth.5
-usr/share/man/man8/lastlog.8
 usr/share/man/man8/logoutd.8
 

debian/passwd.dirs

@@ -1,2 +1,2 @@
-etc/default
 usr/share/lintian/overrides
+etc/default

debian/passwd.install

@@ -1,18 +1,18 @@
 debian/default/useradd etc/default
-debian/shadowconfig usr/sbin
+debian/shadowconfig sbin
 usr/bin/chage
 usr/bin/chfn
 usr/bin/chsh
 usr/bin/expiry
 usr/bin/gpasswd
 usr/bin/passwd
-usr/sbin/chgpasswd
 usr/sbin/chpasswd
+usr/sbin/chgpasswd
 usr/sbin/cppw
 usr/sbin/groupadd
 usr/sbin/groupdel
-usr/sbin/groupmems
 usr/sbin/groupmod
+usr/sbin/groupmems
 usr/sbin/grpck
 usr/sbin/grpconv
 usr/sbin/grpunconv

debian/passwd.links

@@ -1,2 +1,2 @@
-usr/sbin/cppw usr/sbin/cpgr
 usr/sbin/vipw usr/sbin/vigr
+usr/sbin/cppw usr/sbin/cpgr

debian/passwd.manpages

@@ -6,17 +6,17 @@ usr/share/man/*/man1/chsh.1
 usr/share/man/*/man1/expiry.1
 usr/share/man/*/man1/gpasswd.1
 usr/share/man/*/man1/passwd.1
-usr/share/man/*/man5/gshadow.5
 usr/share/man/*/man5/passwd.5
-usr/share/man/*/man5/shadow.5
 usr/share/man/*/man5/subgid.5
 usr/share/man/*/man5/subuid.5
-usr/share/man/*/man8/chgpasswd.8
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
 usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/chgpasswd.8
 usr/share/man/*/man8/groupadd.8
 usr/share/man/*/man8/groupdel.8
-usr/share/man/*/man8/groupmems.8
 usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/groupmems.8
 usr/share/man/*/man8/grpck.8
 usr/share/man/*/man8/grpconv.8
 usr/share/man/*/man8/grpunconv.8
@@ -35,11 +35,11 @@ usr/share/man/man1/chsh.1
 usr/share/man/man1/expiry.1
 usr/share/man/man1/gpasswd.1
 usr/share/man/man1/passwd.1
-usr/share/man/man5/gshadow.5
 usr/share/man/man5/passwd.5
 usr/share/man/man5/shadow.5
-usr/share/man/man5/subgid.5
+usr/share/man/man5/gshadow.5
 usr/share/man/man5/subuid.5
+usr/share/man/man5/subgid.5
 usr/share/man/man8/chgpasswd.8
 usr/share/man/man8/chpasswd.8
 usr/share/man/man8/groupadd.8

debian/patches/series

@@ -1,3 +1,6 @@
+# Debian #1122913
+upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
+
 # CVE-2023-4641
 0001-gpasswd-1-Fix-password-leak.patch
 

debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch

@@ -0,0 +1,54 @@
+From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
+From: lixinyun <li.xinyun@h3c.com>
+Date: Wed, 29 May 2024 06:53:02 +0800
+Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
+ free
+
+Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
+Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
+Segmentation fault
+
+This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -U u1,u2 g1
+Segmentation fault
+
+The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
+
+So the first free is unnecessary, maybe we can drop it.
+
+Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
+Closes: <https://github.com/shadow-maint/shadow/issues/1013>
+Link: <https://github.com/shadow-maint/shadow/pull/1007>
+Link: <https://github.com/shadow-maint/shadow/pull/271>
+Link: <https://github.com/shadow-maint/shadow/issues/265>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: lixinyun <li.xinyun@h3c.com>
+---
+ src/groupmod.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git i/src/groupmod.c w/src/groupmod.c
+index 006eca1c..7eae4c6f 100644
+--- i/src/groupmod.c
++++ w/src/groupmod.c
+@@ -244,8 +244,6 @@ static void grp_update (void)
+ 
+ 		if (!aflg) {
+ 			// requested to replace the existing groups
+-			if (NULL != grp.gr_mem[0])
+-				gr_free_members(&grp);
+ 			grp.gr_mem = (char **)xmalloc(sizeof(char *));
+ 			grp.gr_mem[0] = (char *)0;
+ 		} else {

debian/rules

@@ -21,10 +21,6 @@ DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
 	--without-tcb \
 	 SHELL=/bin/sh
 
-ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
-DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
-endif
-
 # Set the default editor for vipw/vigr
 CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
 
@@ -42,7 +38,7 @@ endif
 	dh_install -a
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
 	# /bin/login is provided by the hurd package.
-	rm -f debian/login/usr/bin/login
+	rm -f debian/login/bin/login
 endif
 
 override_dh_installpam:
@@ -55,6 +51,25 @@ override_dh_installpam:
 	dh_installpam -p passwd --name=chpasswd
 	dh_installpam -p passwd --name=newusers
 
+override_dh_builddeb-arch:
+	# uidmap
+	chmod u+s debian/uidmap/usr/bin/newuidmap
+	chmod u+s debian/uidmap/usr/bin/newgidmap
+	# login
+	# No real need for login to be setuid root
+	# chmod u+s debian/login/bin/login
+	chmod u+s debian/login/usr/bin/newgrp
+	# passwd
+	chmod u+s debian/passwd/usr/bin/chfn
+	chmod u+s debian/passwd/usr/bin/chsh
+	chmod u+s debian/passwd/usr/bin/gpasswd
+	chmod u+s debian/passwd/usr/bin/passwd
+	chgrp shadow debian/passwd/usr/bin/chage
+	chgrp shadow debian/passwd/usr/bin/expiry
+	chmod g+s debian/passwd/usr/bin/chage
+	chmod g+s debian/passwd/usr/bin/expiry
+	dh_builddeb -a
+
 override_dh_auto_clean:
 	sed -i 's/# Linux only # //' debian/login.pam
 	dh_auto_clean

debian/shlibs.local

@@ -1 +0,0 @@
-deb: libsubid 4 libsubid4 (= ${binary:Version})

debian/uidmap.install

@@ -1,3 +1,3 @@
 bin/getsubids usr/bin
-usr/bin/newgidmap
 usr/bin/newuidmap
+usr/bin/newgidmap