Compare commits

...

4 Commits

Author SHA1 Message Date
Chris Hofstaedtler a6011e69ac Update changelog for 1:4.19.0-4 release 2026-01-08 00:08:53 +01:00
Chris Hofstaedtler 5725327f6f Import upstream patches to fix hash check
Closes: #1124835
2026-01-08 00:08:53 +01:00
Chris Hofstaedtler d283cd7b5c Update changelog for 1:4.19.0-3 release 2026-01-07 11:11:27 +01:00
Chris Hofstaedtler d44d58db86 chpasswd: Disable broken hash check, bug #1124835 2026-01-07 11:08:05 +01:00
4 changed files with 92 additions and 0 deletions
+12
View File
@@ -1,3 +1,15 @@
shadow (1:4.19.0-4) unstable; urgency=medium
* Import upstream patches to fix hash check (Closes: #1124835)
-- Chris Hofstaedtler <zeha@debian.org> Thu, 08 Jan 2026 00:01:00 +0100
shadow (1:4.19.0-3) unstable; urgency=medium
* chpasswd: Disable broken hash check, bug #1124835
-- Chris Hofstaedtler <zeha@debian.org> Wed, 07 Jan 2026 11:11:24 +0100
shadow (1:4.19.0-2) unstable; urgency=medium
* Disable logind integration on !linux
@@ -0,0 +1,39 @@
From: Alejandro Colomar <alx@kernel.org>
Date: Wed, 7 Jan 2026 23:44:26 +0100
Subject: lib/chkhash.c: is_valid_hash(): Accept '*' as the hash
This is widely accepted as an invalid hash, to remove password access
for an account (that is, no passwords will match the "hash").
Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
Closes: <https://github.com/shadow-maint/shadow/issues/1483>
Closes: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
Reported-by: Chris Hofstaedtler <zeha@debian.org>
Cc: vinz <mmpx09@protonmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
lib/chkhash.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/chkhash.c b/lib/chkhash.c
index 4bf98f8..46b3863 100644
--- a/lib/chkhash.c
+++ b/lib/chkhash.c
@@ -8,6 +8,7 @@
#include <string.h>
#include "string/strcmp/strprefix.h"
+#include "string/strcmp/streq.h"
/*
* match_regex - return true if match, false if not
@@ -42,6 +43,9 @@ is_valid_hash(const char *hash)
hash = strprefix(hash, "!") ?: hash;
+ if (streq(hash, "*"))
+ return true;
+
// Minimum hash length
if (strlen(hash) < 13)
return false;
+2
View File
@@ -8,3 +8,5 @@ debian/Adapt-login.defs-for-Debian.patch
debian/Stop-building-programs-we-do-not-install.patch
debian/Warn-when-badname-and-variants-are-given.patch
debian/configure.ac-align-exec_prefix-with-prefix.patch
upstream/lib-chkhash.c-is_valid_hash-Accept-a-leading.patch
debian/lib-chkhash.c-is_valid_hash-Accept-as-the-hash.patch
@@ -0,0 +1,39 @@
From: Alejandro Colomar <alx@kernel.org>
Date: Wed, 7 Jan 2026 23:39:53 +0100
Subject: lib/chkhash.c: is_valid_hash(): Accept a leading '!'
A leading '!' means that the account is locked.
Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
Link: <https://github.com/shadow-maint/shadow/issues/1483>
Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
Reported-by: Chris Hofstaedtler <zeha@debian.org>
Cc: vinz <mmpx09@protonmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
lib/chkhash.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/chkhash.c b/lib/chkhash.c
index 6687050..4bf98f8 100644
--- a/lib/chkhash.c
+++ b/lib/chkhash.c
@@ -7,6 +7,7 @@
#include <stddef.h>
#include <string.h>
+#include "string/strcmp/strprefix.h"
/*
* match_regex - return true if match, false if not
@@ -37,6 +38,10 @@ match_regex(const char *pattern, const char *string)
bool
is_valid_hash(const char *hash)
{
+ const char *p;
+
+ hash = strprefix(hash, "!") ?: hash;
+
// Minimum hash length
if (strlen(hash) < 13)
return false;