ELA 1:4.4-4.1+deb9u2

shadow (1:4.4-4.1) unstable; urgency=high

  * Non-maintainer upload.
  * Reset pid_child only if waitpid was successful.
    This is a regression fix for CVE-2017-2616. If su receives a signal like
    SIGTERM, it is not propagated to the child. (Closes: #862806)

debian/changelog

@@ -1,3 +1,105 @@
+shadow (1:4.4-4.1+deb9u2) stretch-security; urgency=medium
+
+  * Non-maintainer upload by the ELTS Team.
+  * CVE-2018-7169: unprivileged user can drop supplementary groups
+  * CVE-2023-4641: gpasswd password leak
+  * CVE-2023-29383: chfn missing control character check
+
+ -- Adrian Bunk <bunk@debian.org>  Sat, 26 Oct 2024 18:55:08 +0300
+
+shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
+    Adding pts/* defeats the purpose of securetty. Let containers add it
+    if needed as described in #830255.
+    (cherry-picked from 1:4.5-1)
+    See also #877374 (previous proposed update) and #914957
+    (/etc/securetty will be dropped in bullseye).
+  * CVE-2017-12424: the newusers tool could be made to manipulate internal
+    data structures in ways unintended by the authors. Malformed input may
+    lead to crashes (with a buffer overflow or other memory corruption) or
+    other unspecified behaviors. This crosses a privilege boundary in, for
+    example, certain web-hosting environments in which a Control Panel
+    allows an unprivileged user account to create subaccounts.
+    (Closes: #756630)
+
+ -- Sylvain Beucler <beuc@debian.org>  Wed, 17 Mar 2021 10:27:01 +0100
+
+shadow (1:4.4-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Reset pid_child only if waitpid was successful.
+    This is a regression fix for CVE-2017-2616. If su receives a signal like
+    SIGTERM, it is not propagated to the child. (Closes: #862806)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 17 May 2017 13:59:59 +0200
+
+shadow (1:4.4-4) unstable; urgency=high
+
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 24 Feb 2017 01:33:25 +0100
+
+shadow (1:4.4-3) unstable; urgency=medium
+
+  [ Balint Reczey ]
+  * Clean up stale locks on boot (Closes: #478771)
+  * Sync motd handling with sshd.
+    Using patch from Ubuntu (Closes: #757148)
+
+  [ Stéphane Graber ]
+  * Add missing /etc/{subgid|subuid} in postinst
+
+ -- Balint Reczey <balint@balintreczey.hu>  Wed, 25 Jan 2017 16:43:09 +0100
+
+shadow (1:4.4-2) unstable; urgency=medium
+
+  [ Balint Reczey ]
+  * Update homepage to new upstream
+  * Always use /bin/sh shell in the build (Closes: #817971)
+  * Replace user´s -> user's to make login.def file valid ASCII
+    (Closes: #850338)
+  * Update patch naming docmentation
+  * Fix typos in German man pages (Closes: #734609)
+  * Send 1000_configure_userns patch upstream
+  * Add call to pam_keyinit for login pam service.
+    This module is linux-any only, so copy what openssh has already done and
+    remove the call at build time for other architectures.
+    The call to this module is needed to have proper per-session kernel
+    keyring. (Closes: #734671)
+  * Add pts/0 and pts/1 to securetty (Closes: #830255)
+  * Add ttySAC* to securetty (Closes: #824391)
+  * Add ttySC[4-9] to securetty (Closes: #768020)
+
+  [ Laurent Bigonville ]
+  * Move pam_selinux open call higher in the session stack (Closes: #747313)
+
+  [ Christian Perrier ]
+  * Fix typos in login.pam (thanks to Jakub Wilk for reporting)
+    (Closes: #747115)
+  * Include groupmems(8) in the passwd package (Closes: #663117)
+
+  [ Frans Spiesschaert ]
+  * Dutch translation update (Closes: #772470)
+
+  [ Trần Ngọc Quân ]
+  * Update Vietnamese translation (Closes: #777107)
+
+  [ Miroslav Kuře ]
+  * Updated Czech translation. (Closes: #759113)
+
+  [ Holger Wansing ]
+  * Update for German man pages
+
+  [ Thomas Blein ]
+  * French manpage translation (Closes: #805182)
+
+  [ Lars Bahner ]
+  * Fix some spelling issues in the Norwegian translation (Closes: #800553)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Thu, 19 Jan 2017 18:22:49 +0100
+
 shadow (1:4.4-1) unstable; urgency=medium
 
   [ Christian Perrier ]

debian/control

@@ -23,7 +23,7 @@ Build-Depends: dh-autoreconf,
 Standards-Version: 3.9.5
 Vcs-Browser: https://anonscm.debian.org/git/pkg-shadow/shadow.git
 Vcs-Git: https://anonscm.debian.org/git/pkg-shadow/shadow.git
-Homepage: http://pkg-shadow.alioth.debian.org/
+Homepage: https://github.com/shadow-maint/shadow
 
 Package: passwd
 Architecture: any

debian/login.defs

@@ -214,7 +214,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

debian/login.pam

@@ -35,13 +35,23 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth       requisite  pam_nologin.so
 
-# SELinux needs to be the first session rule. This ensures that any 
-# lingering context has been cleared. Without out this it is possible 
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
 # that a module could execute code in the wrong domain.
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
@@ -62,7 +72,7 @@ session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 auth       optional   pam_group.so
 
 # Uncomment and edit /etc/security/time.conf if you need to set
-# time restrainst on logins.
+# time restraint on logins.
 # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
 # as well as /etc/porttime)
 # account    requisite  pam_time.so
@@ -76,16 +86,18 @@ auth       optional   pam_group.so
 # (Replaces the use of /etc/limits in old login)
 session    required   pam_limits.so
 
-# Prints the last login info upon succesful login
+# Prints the last login info upon successful login
 # (Replaces the `LASTLOG_ENAB' option from login.defs)
 session    optional   pam_lastlog.so
 
-# Prints the message of the day upon succesful login.
+# Prints the message of the day upon successful login.
 # (Replaces the `MOTD_FILE' option in login.defs)
-session    optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
-session    optional   pam_motd.so
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
 
-# Prints the status of the user's mailbox upon succesful login
+# Prints the status of the user's mailbox upon successful login
 # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
 #
 # This also defines the MAIL environment variable
@@ -95,17 +107,10 @@ session    optional   pam_motd.so
 # See comments in /etc/login.defs
 session    optional   pam_mail.so standard
 
-# Sets the loginuid process attribute
-session    required     pam_loginuid.so
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
 
 # Standard Un*x account and session
 @include common-account
 @include common-session
 @include common-password
-
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)

debian/login.postinst

@@ -16,14 +16,26 @@ then
 fi
 rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
 
-if [ "$1" = "configure" ] && [ "$2" = "" ]
-then
+if [ "$1" = "configure" ]; then
 	# Install faillog during initial installs only
-	if [ ! -f /var/log/faillog ] ; then
+	if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
 		touch /var/log/faillog
 		chown root:root /var/log/faillog
 		chmod 644 /var/log/faillog
 	fi
+
+	# Create subuid/subgid if missing
+	if [ ! -e /etc/subuid ]; then
+		touch /etc/subuid
+		chown root:root /etc/subuid
+		chmod 644 /etc/subuid
+	fi
+
+	if [ ! -e /etc/subgid ]; then
+		touch /etc/subgid
+		chown root:root /etc/subgid
+		chmod 644 /etc/subgid
+	fi
 fi
 
         # Create subuid/subgid if missing

debian/passwd.install

@@ -10,6 +10,7 @@ usr/sbin/cppw
 usr/sbin/groupadd
 usr/sbin/groupdel
 usr/sbin/groupmod
+usr/sbin/groupmems
 usr/sbin/grpck
 usr/sbin/grpconv
 usr/sbin/grpunconv
@@ -34,6 +35,7 @@ usr/share/man/*/man8/chpasswd.8
 usr/share/man/*/man8/groupadd.8
 usr/share/man/*/man8/groupdel.8
 usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/groupmems.8
 usr/share/man/*/man8/grpck.8
 usr/share/man/*/man8/grpconv.8
 usr/share/man/*/man8/grpunconv.8

debian/passwd.tmpfile

@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind.  Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock

debian/patches/0001-Typos-fix-in-german-translation-of-man-pages.patch

@@ -0,0 +1,44 @@
+From bdd68116b7c5f3cbb29ea4fe3bb81e338e9544f7 Mon Sep 17 00:00:00 2001
+From: Simon Kainz <simon@familiekainz.at>
+Date: Wed, 18 Jan 2017 17:24:04 +0100
+Subject: [PATCH 1/2] Typos fix in german translation of man pages
+
+Reported to Debian BTS in #734609
+---
+ man/po/de.po | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/po/de.po b/man/po/de.po
+index b4d7218..340e15d 100644
+--- a/man/po/de.po
++++ b/man/po/de.po
+@@ -3087,7 +3087,7 @@ msgstr "5"
+ #: limits.5.xml:61(refmiscinfo) gshadow.5.xml:48(refmiscinfo)
+ #: faillog.5.xml:59(refmiscinfo)
+ msgid "File Formats and Conversions"
+-msgstr "Dateiformate und -konvertierung"
++msgstr "Dateiformate und konvertierung"
+ 
+ #: suauth.5.xml:65(refpurpose)
+ msgid "detailed su control file"
+@@ -4370,7 +4370,7 @@ msgstr ""
+ 
+ #: shadow.5.xml:235(para)
+ msgid "An empty field means that the account will never expire."
+-msgstr "Ein leeren Feld bedeutet, dass das Konto nicht verfallen wird."
++msgstr "Ein leeres Feld bedeutet, dass das Konto nicht verfallen wird."
+ 
+ #: shadow.5.xml:238(para)
+ msgid ""
+@@ -6961,7 +6961,7 @@ msgid ""
+ "contents of this file should be a message indicating why logins are "
+ "inhibited."
+ msgstr ""
+-"Falls angegeben, der Name einer Datei, dessen Existenz Anmeldungen außer von "
++"Falls angegeben, der Name einer Datei, deren Existenz Anmeldungen außer von "
+ "Root verhindert. Der Inhalt der Datei sollte die Gründe enthalten, weshalb "
+ "Anmeldungen untersagt sind."
+ 
+-- 
+2.1.4
+

debian/patches/0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch

@@ -0,0 +1,183 @@
+From f46921b828f06435f8ec1f4ce51f8f622c97f326 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ src/newgidmap.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map its own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
++	}
+ 
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
+@@ -89,6 +94,70 @@ static void usage(void)
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 
+-- 
+2.30.2
+

debian/patches/0002-Last-bits-of-enabling-subuids.patch

@@ -0,0 +1,29 @@
+From 578d495f91af8dc5dd774d4310ca06f7013712e7 Mon Sep 17 00:00:00 2001
+From: Micah Anderson <micah@riseup.net>
+Date: Wed, 18 Jan 2017 18:06:05 +0100
+Subject: [PATCH 2/2] Last bits of enabling subuids
+
+This patch has been carried by Debian, originally
+submitted to BTS in #739981
+---
+ src/newusers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/newusers.c b/src/newusers.c
+index 724cbb4..0c0cfe4 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -988,8 +988,8 @@ int main (int argc, char **argv)
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ #ifdef ENABLE_SUBIDS
+-	is_sub_uid = sub_uid_file_present ();
+-	is_sub_gid = sub_gid_file_present ();
++	is_sub_uid = sub_uid_file_present () && !rflg;
++	is_sub_gid = sub_gid_file_present () && !rflg;
+ #endif				/* ENABLE_SUBIDS */
+ 
+ 	open_files ();
+-- 
+2.1.4
+

debian/patches/0002-gpasswd-1-Fix-password-leak.patch

@@ -0,0 +1,142 @@
+From c64784990ca4de6e998f67796faa7bafc15dab00 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index c4a492b1..cbbd8068 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -917,6 +917,7 @@ static void change_passwd (struct group *gr)
+ 		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
+-- 
+2.30.2
+

debian/patches/0003-Added-control-character-check.patch

@@ -0,0 +1,45 @@
+From d6f0f7cd86b189cf3bbd49e404864cb599e10244 Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 649fae17..b8f13ba7 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -68,10 +68,13 @@ int valid_field (const char *field, const char *illegal)
+ 	}
+ 
+ 	if (0 == err) {
+-		/* Search if there are some non-printable characters */
++		/* Search if there are non-printable or control characters */
+ 		for (cp = field; '\0' != *cp; cp++) {
+ 			if (!isprint (*cp)) {
+ 				err = 1;
++			}
++			if (!iscntrl (*cp)) {
++				err = -1;
+ 				break;
+ 			}
+ 		}
+-- 
+2.30.2
+

debian/patches/0004-Overhaul-valid_field.patch

@@ -0,0 +1,61 @@
+From aad293ef78b1657978adb2049974805bf20af5bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index b8f13ba7..191257e8 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -60,26 +60,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are non-printable or control characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-			}
+-			if (!iscntrl (*cp)) {
+-				err = -1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 
+-- 
+2.30.2
+

debian/patches/0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch

@@ -0,0 +1,98 @@
+From 8a122a90fa2afe39f2b1e56c5d45ea20f486bf0b Mon Sep 17 00:00:00 2001
+From: Lars Bahner <bahner@debian.org>
+Date: Thu, 19 Jan 2017 17:50:24 +0100
+Subject: [PATCH 7/7] Fix some spelling issues in the Norwegian translation
+
+---
+ po/nb.po | 13 +++++++------
+ po/nl.po |  8 ++++----
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/po/nb.po b/po/nb.po
+index d42a864..7ad1ecb 100644
+--- a/po/nb.po
++++ b/po/nb.po
+@@ -7,12 +7,13 @@
+ # Bjørn Steensrud <bjornst@powertech.no>, 2006.
+ # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009, 2012.
+ # Hans Fredrik Nordhaug <hans@nordhaug.priv.no>, 2012.
++# Lars Bahner <bahner@debian.org>, 2015
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: shadow 4.0.17\n"
+ "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
+ "POT-Creation-Date: 2016-09-18 14:03-0500\n"
+-"PO-Revision-Date: 2012-01-18 17:19+0100\n"
++"PO-Revision-Date: 2015-09-30 18:15+0100\n"
+ "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
+ "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
+ "Language: nb\n"
+@@ -20,7 +21,7 @@ msgstr ""
+ "Content-Type: text/plain; charset=UTF-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=2; plural=(n != 1);\n"
+-"X-Generator: Lokalize 1.2\n"
++"X-Generator: Poedit 1.7.5\n"
+ 
+ #, c-format
+ msgid ""
+@@ -48,10 +49,9 @@ msgstr "feil med oppsettet - ukjent element «%s» (kontakt administrator)\n"
+ msgid "%s: nscd did not terminate normally (signal %d)\n"
+ msgstr "%s: nscd avsluttet ikke normallt (signal %d)\n"
+ 
+-#, fuzzy, c-format
+-#| msgid "%s: nscd exited with status %d"
++#, c-format
+ msgid "%s: nscd exited with status %d\n"
+-msgstr "%s: nscd avsluttet med status %d"
++msgstr "%s: nscd avsluttet med status %d\n"
+ 
+ msgid "Password: "
+ msgstr "Passord: "
+@@ -415,8 +415,9 @@ msgstr "passwd: %s\n"
+ msgid "passwd: password unchanged\n"
+ msgstr "passwd: passordet er uendret\n"
+ 
++#, fuzzy
+ msgid "passwd: password updated successfully\n"
+-msgstr "passwd: passorder ble oppdatert\n"
++msgstr "passwd: passordet ble oppdatert\n"
+ 
+ #, c-format
+ msgid "Incorrect password for %s.\n"
+diff --git a/po/nl.po b/po/nl.po
+index 923c1d1..6cbabdd 100644
+--- a/po/nl.po
++++ b/po/nl.po
+@@ -745,7 +745,7 @@ msgstr "%s: ongeldige naam: '%s'\n"
+ 
+ #, c-format
+ msgid "%s: room number with non-ASCII characters: '%s'\n"
+-msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'"
++msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'\n"
+ 
+ #, c-format
+ msgid "%s: invalid room number: '%s'\n"
+@@ -1571,7 +1571,7 @@ msgstr "Ongeldig wachtwoord.\n"
+ 
+ #, c-format
+ msgid "%s: failure forking: %s\n"
+-msgstr "%s: nieuw proces beginnen is mislukt: %s"
++msgstr "%s: nieuw proces beginnen is mislukt: %s\n"
+ 
+ #, c-format
+ msgid "%s: GID '%lu' does not exist\n"
+@@ -2633,8 +2633,8 @@ msgstr "Kon bestand niet vergrendelen"
+ msgid "Couldn't make backup"
+ msgstr "Kon geen reservekopie maken"
+ 
+-#| msgid "Unable to open group file\n"
+-msgid "failed to open scratch file"
++#| msgid "Unable to open group file"
++msgid "failed to open scratch file\n"
+ msgstr "initieel bestand openen is mislukt\n"
+ 
+ #| msgid "%s: fields too long\n"
+-- 
+2.1.4
+

debian/patches/0008-su-properly-clear-child-PID.patch

@@ -0,0 +1,60 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,11 +363,13 @@
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+@@ -377,9 +379,22 @@
+ 		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 

debian/patches/1000_configure_userns

@@ -1,15 +0,0 @@
-Index: git/src/newusers.c
-===================================================================
---- git.orig/src/newusers.c
-+++ git/src/newusers.c
-@@ -988,8 +988,8 @@
- 	is_shadow_grp = sgr_file_present ();
- #endif
- #ifdef ENABLE_SUBIDS
--	is_sub_uid = sub_uid_file_present ();
--	is_sub_gid = sub_gid_file_present ();
-+	is_sub_uid = sub_uid_file_present () && !rflg;
-+	is_sub_gid = sub_gid_file_present () && !rflg;
- #endif				/* ENABLE_SUBIDS */
- 
- 	open_files ();

debian/patches/1010_vietnamese_translation

@@ -1,7 +1,17 @@
-Index: shadow-4.4/po/vi.po
-===================================================================
---- shadow-4.4.orig/po/vi.po
-+++ shadow-4.4/po/vi.po
+From a87e2bcdf156607cffdac0fe4d1d6ce51b0dd343 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tr=E1=BA=A7n=20Ng=E1=BB=8Dc=20Qu=C3=A2n?=
+ <vnwildman@gmail.com>
+Date: Thu, 6 Oct 2016 12:15:19 -0500
+Subject: [PATCH] Update Vietnamese translations
+
+---
+ po/vi.po | 1420 ++++++++++++++++++++++++--------------------------------------
+ 1 file changed, 545 insertions(+), 875 deletions(-)
+
+diff --git a/po/vi.po b/po/vi.po
+index 8f066f0..16a29e7 100644
+--- a/po/vi.po
++++ b/po/vi.po
 @@ -1,54 +1,56 @@
  # Vietnamese translation for Shadow.
 -# Copyright © 2009 Free Software Foundation, Inc.
@@ -15,11 +25,10 @@ Index: shadow-4.4/po/vi.po
 -"Project-Id-Version: shadow\n"
 +"Project-Id-Version: shadow master\n"
  "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
--"POT-Creation-Date: 2016-09-18 21:41-0500\n"
+ "POT-Creation-Date: 2016-09-18 14:03-0500\n"
 -"PO-Revision-Date: 2012-01-08 18:13+0100\n"
 -"Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n"
 -"Language-Team: Vietnamese <vi-VN@googlegroups.com>\n"
-+"POT-Creation-Date: 2016-09-18 14:03-0500\n"
 +"PO-Revision-Date: 2016-10-04 07:07+0700\n"
 +"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
 +"Language-Team: Vietnamese <debian-l10n-vietnamese@lists.debian.org>\n"
@@ -399,7 +408,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: Can't get unique system GID (no more available GIDs)\n"
-@@ -343,13 +331,15 @@ msgstr "%s: Không thể lấy GID duy n
+@@ -343,13 +331,15 @@ msgstr "%s: Không thể lấy GID duy nhất (không còn có sẵn GID thêm n
  
  #, c-format
  msgid "%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"
@@ -425,7 +434,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "too similar"
  msgstr "quá tương tự"
-@@ -403,10 +393,10 @@ msgstr "passwd: pam_start() (mật khẩ
+@@ -403,10 +393,10 @@ msgstr "passwd: pam_start() (mật khẩu: bắt đầu pam) đã thất bại v
  
  #, c-format
  msgid "passwd: %s\n"
@@ -438,7 +447,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "passwd: password updated successfully\n"
  msgstr "passwd: mật khẩu đã được cập nhật\n"
-@@ -417,50 +407,46 @@ msgstr "Mật khẩu không đúng cho %
+@@ -417,50 +407,46 @@ msgstr "Mật khẩu không đúng cho %s .\n"
  
  #, c-format
  msgid "%s: multiple --root options\n"
@@ -565,7 +574,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "Minimum number of days between password change\t\t: %ld\n"
-@@ -595,15 +582,15 @@ msgstr "Số ngày cảnh báo trước
+@@ -595,15 +582,15 @@ msgstr "Số ngày cảnh báo trước khi mật khẩu hết hạn\t: %ld\n"
  
  #, c-format
  msgid "%s: invalid date '%s'\n"
@@ -605,7 +614,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: cannot open %s\n"
-@@ -632,15 +618,15 @@ msgstr "%s: gặp lỗi trong khi ghi th
+@@ -632,15 +618,15 @@ msgstr "%s: gặp lỗi trong khi ghi thay đổi vào %s\n"
  
  #, c-format
  msgid "%s: failed to prepare the new %s entry '%s'\n"
@@ -624,7 +633,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "Changing the aging information for %s\n"
-@@ -650,50 +636,48 @@ msgstr "Ä<EFBFBD>ang thay đổi thông tin vá»
+@@ -650,50 +636,48 @@ msgstr "Đang thay đổi thông tin về thời gian hoạt động đối vớ
  msgid "%s: error changing fields\n"
  msgstr "%s: gặp lỗi khi thay đổi trường\n"
  
@@ -787,7 +796,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: %s flag is only allowed with the %s flag\n"
-@@ -794,11 +777,11 @@ msgstr "%s: cho phép cá»<EFBFBD> %s chỉ cùn
+@@ -794,11 +777,11 @@ msgstr "%s: cho phép cờ %s chỉ cùng với cờ %s\n"
  
  #, c-format
  msgid "%s: the -c, -e, and -m flags are exclusive\n"
@@ -824,7 +833,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: error detected, changes ignored\n"
-@@ -831,51 +813,51 @@ msgstr "%s: (dòng %d, ngÆ°á»<EFBFBD>i dùng %s
+@@ -831,51 +813,51 @@ msgstr "%s: (dòng %d, người dùng %s) mật khẩu chưa thay đổi\n"
  
  #, c-format
  msgid "%s: line %d: user '%s' does not exist\n"
@@ -974,7 +983,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "  -a, --add USER                add USER to GROUP\n"
  msgstr "  -a, --add NGƯỜI_DÙNG          thêm người dùng này vào NHÓM\n"
-@@ -984,7 +965,7 @@ msgid "  -d, --delete USER             r
+@@ -984,7 +965,7 @@ msgid "  -d, --delete USER             remove USER from GROUP\n"
  msgstr "  -d, --delete NGƯỜI_DÙNG       gỡ bỏ người dùng này khỏi NHÓM\n"
  
  msgid "  -Q, --root CHROOT_DIR         directory to chroot into\n"
@@ -1032,7 +1041,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "Adding user %s to group %s\n"
-@@ -1051,7 +1032,7 @@ msgstr "Ä<EFBFBD>ang gỡ bá»<C3A1> ngÆ°á»<C3A1>i dùng %
+@@ -1051,7 +1032,7 @@ msgstr "Đang gỡ bỏ người dùng %s khỏi nhóm %s\n"
  
  #, c-format
  msgid "%s: user '%s' is not a member of '%s'\n"
@@ -1073,7 +1082,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "  -o, --non-unique              allow to create groups with duplicate\n"
-@@ -1101,53 +1082,50 @@ msgstr "  -r, --system
+@@ -1101,53 +1082,50 @@ msgstr "  -r, --system                  tạo một tài khoản hệ thống\n"
  
  #, c-format
  msgid "%s: '%s' is not a valid group name\n"
@@ -1183,7 +1192,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "  -a, --add username            add username to the members of the group\n"
-@@ -1206,7 +1184,7 @@ msgstr "%s: tên nhóm của bạn khôn
+@@ -1206,7 +1184,7 @@ msgstr "%s: tên nhóm của bạn không tương ứng với tên người dùn
  
  #, c-format
  msgid "%s: only root can use the -g/--group option\n"
@@ -1201,7 +1210,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: group %s is a NIS group\n"
-@@ -1239,70 +1217,57 @@ msgstr "%s: nhóm %s là má»™t nhóm kiá
+@@ -1239,70 +1217,57 @@ msgstr "%s: nhóm %s là một nhóm kiểu NIS\n"
  msgid "%s: unknown user %s\n"
  msgstr "%s: không rõ người dùng %s\n"
  
@@ -1287,7 +1296,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "group %s: no user %s\n"
-@@ -1310,40 +1275,40 @@ msgstr "nhóm %s: không có ngÆ°á»<EFBFBD>i dÃ
+@@ -1310,40 +1275,40 @@ msgstr "nhóm %s: không có người dùng %s\n"
  
  #, c-format
  msgid "delete member '%s'? "
@@ -1461,7 +1470,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: Cannot possibly work without effective root\n"
-@@ -1471,8 +1429,8 @@ msgstr "%s: Không thể làm việc mà
+@@ -1471,8 +1429,8 @@ msgstr "%s: Không thể làm việc mà không có gốc có hiệu lực\n"
  
  msgid "No utmp entry.  You must exec \"login\" from the lowest level \"sh\""
  msgstr ""
@@ -1481,7 +1490,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s login: "
-@@ -1503,10 +1461,9 @@ msgstr "login: (đăng nhập) PAM đã
+@@ -1503,10 +1461,9 @@ msgstr "login: (đăng nhập) PAM đã yêu cầu hủy bỏ\n"
  msgid "Login incorrect"
  msgstr "Đăng nhập không đúng"
  
@@ -1531,7 +1540,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "Invalid password.\n"
  msgstr "Mật khẩu không hợp lệ.\n"
-@@ -1573,7 +1529,7 @@ msgstr "%s: lỗi tạo tiến trình co
+@@ -1573,7 +1529,7 @@ msgstr "%s: lỗi tạo tiến trình con: %s\n"
  
  #, c-format
  msgid "%s: GID '%lu' does not exist\n"
@@ -1540,7 +1549,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "too many groups\n"
  msgstr "quá nhiều nhóm\n"
-@@ -1584,15 +1540,15 @@ msgstr "  -r, --system
+@@ -1584,15 +1540,15 @@ msgstr "  -r, --system                  tạo các tài khoản hệ thống\n"
  #, c-format
  msgid "%s: group '%s' is a shadow group, but does not exist in /etc/group\n"
  msgstr ""
@@ -1559,7 +1568,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: line %d: invalid line\n"
-@@ -1601,7 +1557,7 @@ msgstr "%s: dòng %d: dòng không hợp
+@@ -1601,7 +1557,7 @@ msgstr "%s: dòng %d: dòng không hợp lệ\n"
  #, c-format
  msgid "%s: cannot update the entry of user %s (not in the passwd database)\n"
  msgstr ""
@@ -1568,7 +1577,7 @@ Index: shadow-4.4/po/vi.po
  "liệu mật khẩu passwd)\n"
  
  #, c-format
-@@ -1614,7 +1570,7 @@ msgstr "%s: dòng %d: không thể tạo
+@@ -1614,7 +1570,7 @@ msgstr "%s: dòng %d: không thể tạo nhóm\n"
  
  #, c-format
  msgid "%s: line %d: user '%s' does not exist in %s\n"
@@ -1577,7 +1586,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: line %d: can't update password\n"
-@@ -1630,22 +1586,19 @@ msgstr "%s: dòng %d: lỗi chown (thay
+@@ -1630,22 +1586,19 @@ msgstr "%s: dòng %d: lỗi chown (thay đổi quyền sở hữu) %s: %s\n"
  
  #, c-format
  msgid "%s: line %d: can't update entry\n"
@@ -1683,7 +1692,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: repository %s not supported\n"
-@@ -1800,109 +1754,96 @@ msgstr "%s: mật khẩu đã thay đổ
+@@ -1800,109 +1754,96 @@ msgstr "%s: mật khẩu đã thay đổi.\n"
  msgid "%s: password expiry information changed.\n"
  msgstr "%s: thông tin đã thay đổi về sự hết hạn sử dụng mật khẩu.\n"
  
@@ -1822,7 +1831,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "user %s: last password change in the future\n"
-@@ -1910,18 +1851,18 @@ msgstr "ngÆ°á»<EFBFBD>i dùng %s: lần thay Ä‘
+@@ -1910,18 +1851,18 @@ msgstr "người dùng %s: lần thay đổi mật khẩu cuối cùng nằm tro
  
  #, c-format
  msgid "%s: cannot sort entries in %s\n"
@@ -1844,7 +1853,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "Password authentication bypassed.\n"
  msgstr "Xác thực mật khẩu bị đi vòng.\n"
-@@ -1929,32 +1870,29 @@ msgstr "Xác thực mật khẩu bị đ
+@@ -1929,30 +1870,29 @@ msgstr "Xác thực mật khẩu bị đi vòng.\n"
  msgid "Please enter your OWN password as authentication.\n"
  msgstr "Hãy nhập mật khẩu của MÌNH để xác thực.\n"
  
@@ -1869,12 +1878,10 @@ Index: shadow-4.4/po/vi.po
 -msgstr ""
 +msgstr "Phiên làm việc đã kết thúc, nên kết thúc hệ vỏ…"
  
--#, c-format
  msgid " ...killed.\n"
 -msgstr ""
 +msgstr " …đã chết.\n"
  
--#, c-format
  msgid " ...waiting for child to terminate.\n"
 -msgstr ""
 +msgstr " …đang đợi tiến con chấm dứt.\n"
@@ -1885,7 +1892,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: %s\n"
-@@ -1973,20 +1911,20 @@ msgid ""
+@@ -1971,20 +1911,20 @@ msgid ""
  "  -s, --shell SHELL             use SHELL instead of the default in passwd\n"
  "\n"
  msgstr ""
@@ -1913,7 +1920,7 @@ Index: shadow-4.4/po/vi.po
  "\n"
  
  #, c-format
-@@ -1995,11 +1933,11 @@ msgid ""
+@@ -1993,11 +1933,11 @@ msgid ""
  "(Ignored)\n"
  msgstr ""
  "%s: %s\n"
@@ -1927,7 +1934,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "(Enter your own password)"
  msgstr "(Nhập mật khẩu của mình)"
-@@ -2011,12 +1949,11 @@ msgstr "%s: lỗi xác thực\n"
+@@ -2009,12 +1949,11 @@ msgstr "%s: lỗi xác thực\n"
  #, c-format
  msgid "%s: You are not authorized to su at that time\n"
  msgstr ""
@@ -1943,7 +1950,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: must be run from a terminal\n"
-@@ -2026,15 +1963,13 @@ msgstr "%s: phải chạy từ thiết b
+@@ -2024,15 +1963,13 @@ msgstr "%s: phải chạy từ thiết bị cuối\n"
  msgid "%s: pam_start: error %d\n"
  msgstr "%s: pam_start: (pam bắt đầu) lỗi %d\n"
  
@@ -1963,7 +1970,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "No password file"
  msgstr "Không có tập tin mật khẩu"
-@@ -2043,7 +1978,7 @@ msgid "TIOCSCTTY failed"
+@@ -2041,7 +1978,7 @@ msgid "TIOCSCTTY failed"
  msgstr "TIOCSCTTY bị lỗi"
  
  msgid "No password entry for 'root'"
@@ -1972,7 +1979,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "\n"
-@@ -2052,14 +1987,14 @@ msgid ""
+@@ -2050,14 +1987,14 @@ msgid ""
  msgstr ""
  "\n"
  "Hãy gõ tổ hợp phím Ctrl-D để tiếp tục khởi động bình thường,\n"
@@ -1989,7 +1996,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: the %s configuration in %s will be ignored\n"
-@@ -2075,12 +2010,11 @@ msgstr "%s: không thể mở tập tin
+@@ -2073,12 +2010,11 @@ msgstr "%s: không thể mở tập tin mặc định mới\n"
  
  #, c-format
  msgid "%s: line too long in %s: %s..."
@@ -2005,7 +2012,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: rename: %s: %s\n"
-@@ -2088,17 +2022,13 @@ msgstr "%s: thay tên: %s: %s\n"
+@@ -2086,17 +2022,13 @@ msgstr "%s: thay tên: %s: %s\n"
  
  #, c-format
  msgid "%s: group '%s' is a NIS group.\n"
@@ -2025,7 +2032,7 @@ Index: shadow-4.4/po/vi.po
  msgid ""
  "Usage: %s [options] LOGIN\n"
  "       %s -D\n"
-@@ -2106,72 +2036,73 @@ msgid ""
+@@ -2104,72 +2036,73 @@ msgid ""
  "\n"
  "Options:\n"
  msgstr ""
@@ -2115,7 +2122,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "  -N, --no-user-group           do not create a group with the same name as\n"
-@@ -2183,16 +2114,15 @@ msgid ""
+@@ -2181,16 +2114,15 @@ msgid ""
  "  -o, --non-unique              allow to create users with duplicate\n"
  "                                (non-unique) UID\n"
  msgstr ""
@@ -2135,7 +2142,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "  -u, --uid UID                 user ID of the new account\n"
  msgstr "  -u, --uid UID                 mã số người dùng của tài khoản mới\n"
-@@ -2206,53 +2136,52 @@ msgid ""
+@@ -2204,53 +2136,52 @@ msgid ""
  "  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user "
  "mapping\n"
  msgstr ""
@@ -2203,7 +2210,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: cannot create directory %s\n"
-@@ -2264,21 +2193,20 @@ msgstr "Ä<EFBFBD>ang tạo tập tin há»™p thÆ°
+@@ -2262,21 +2193,20 @@ msgstr "Đang tạo tập tin hộp thư"
  msgid ""
  "Group 'mail' not found. Creating the user mailbox file with 0600 mode.\n"
  msgstr ""
@@ -2229,7 +2236,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: can't create user\n"
-@@ -2288,37 +2216,34 @@ msgstr "%s: không thể tạo ngÆ°á»<C3A1>i
+@@ -2286,37 +2216,34 @@ msgstr "%s: không thể tạo người dùng\n"
  msgid "%s: UID %lu is not unique\n"
  msgstr "%s: UID %lu không phải duy nhất\n"
  
@@ -2276,7 +2283,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "  -f, --force                   force removal of files,\n"
-@@ -2329,47 +2254,42 @@ msgstr ""
+@@ -2327,47 +2254,42 @@ msgstr ""
  
  msgid "  -r, --remove                  remove home directory and mail spool\n"
  msgstr ""
@@ -2337,7 +2344,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: %s not owned by %s, not removing\n"
-@@ -2377,22 +2297,19 @@ msgstr "%s: %s không phải được %s
+@@ -2375,22 +2297,19 @@ msgstr "%s: %s không phải được %s sở hữu nên không gỡ bỏ nó\n"
  
  #, c-format
  msgid "%s: Can't allocate memory, tcb entry for %s not removed.\n"
@@ -2367,7 +2374,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: user %s is a NIS user\n"
-@@ -2400,23 +2317,21 @@ msgstr "%s: ngÆ°á»<EFBFBD>i dùng %s là ngÆ°á»
+@@ -2398,23 +2317,21 @@ msgstr "%s: người dùng %s là người dùng kiểu NIS\n"
  
  #, c-format
  msgid "%s: %s home directory (%s) not found\n"
@@ -2395,7 +2402,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "  -c, --comment COMMENT         new value of the GECOS field\n"
  msgstr "  -c, --comment GHI_LƯU         giá trị mới của trường GECOS\n"
-@@ -2424,7 +2339,7 @@ msgstr "  -c, --comment GHI_LƯU
+@@ -2422,7 +2339,7 @@ msgstr "  -c, --comment GHI_LƯU         giá trị mới của trường GECOS\
  msgid ""
  "  -d, --home HOME_DIR           new home directory for the user account\n"
  msgstr ""
@@ -2404,7 +2411,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE\n"
-@@ -2452,23 +2367,23 @@ msgid ""
+@@ -2450,23 +2367,23 @@ msgid ""
  "                                mentioned by the -G option without removing\n"
  "                                him/her from other groups\n"
  msgstr ""
@@ -2433,7 +2440,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid ""
  "  -o, --non-unique              allow using duplicate (non-unique) UID\n"
-@@ -2477,82 +2392,73 @@ msgstr ""
+@@ -2475,82 +2392,73 @@ msgstr ""
  
  msgid ""
  "  -p, --password PASSWORD       use encrypted password for the new password\n"
@@ -2537,7 +2544,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: directory %s exists\n"
-@@ -2563,15 +2469,16 @@ msgid ""
+@@ -2561,15 +2469,16 @@ msgid ""
  "%s: The previous home directory (%s) was not a directory. It is not removed "
  "and no home directories are created.\n"
  msgstr ""
@@ -2558,7 +2565,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid "%s: cannot rename directory %s to %s\n"
-@@ -2580,44 +2487,40 @@ msgstr "%s: không thể thay đổi láº
+@@ -2578,44 +2487,40 @@ msgstr "%s: không thể thay đổi lại tên thư mục %s thành %s\n"
  #, c-format
  msgid "%s: failed to copy the lastlog entry of user %lu to user %lu: %s\n"
  msgstr ""
@@ -2616,7 +2623,7 @@ Index: shadow-4.4/po/vi.po
  
  #, c-format
  msgid ""
-@@ -2627,7 +2530,7 @@ msgid ""
+@@ -2625,7 +2530,7 @@ msgid ""
  msgstr ""
  "Bạn đã sửa đổi %s.\n"
  "Để thống nhất thì bạn cũng có thể cần sửa đổi %s.\n"
@@ -2625,7 +2632,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "  -g, --group                   edit group database\n"
  msgstr "  -g, --group                   sửa đổi cơ sở dữ liệu nhóm\n"
-@@ -2639,28 +2542,22 @@ msgid "  -s, --shadow                  e
+@@ -2637,28 +2542,22 @@ msgid "  -s, --shadow                  edit shadow or gshadow database\n"
  msgstr ""
  "  -s, --shadow                  sửa đổi cơ sở dữ liệu shadow hay gshadow\n"
  
@@ -2658,7 +2665,7 @@ Index: shadow-4.4/po/vi.po
  
  msgid "Couldn't get file context"
  msgstr "Không thể lấy ngữ cảnh tập tin"
-@@ -2668,63 +2565,49 @@ msgstr "Không thể lấy ngữ cảnh
+@@ -2666,63 +2565,49 @@ msgstr "Không thể lấy ngữ cảnh tập tin"
  msgid "setfscreatecon () failed"
  msgstr "setfscreatecon () bị lỗi"
  
@@ -2735,7 +2742,7 @@ Index: shadow-4.4/po/vi.po
  
  #~ msgid "  -c, --crypt-method            the crypt method (one of %s)\n"
  #~ msgstr "  -c, --crypt-method            phương pháp mật mã (một của %s)\n"
-@@ -2734,9 +2617,9 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2732,9 +2617,9 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "\n"
  #~ "Options:\n"
  #~ msgstr ""
@@ -2747,7 +2754,7 @@ Index: shadow-4.4/po/vi.po
  
  #~ msgid "malloc(%d) failed\n"
  #~ msgstr "malloc(%d) (cấp phát bộ nhớ) bị lỗi\n"
-@@ -2762,9 +2645,9 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2760,9 +2645,9 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS\n"
  #~ "\n"
  #~ msgstr ""
@@ -2759,7 +2766,7 @@ Index: shadow-4.4/po/vi.po
  #~ "  -d, --lastday NGÀY_CUỐI        đặt ngày thay đổi mật khẩu cuối cùng "
  #~ "thành ngày này\n"
  #~ "  -E, --expiredate NGÀY_HẾT_HẠN    đặt ngày hết hạn dùng tài khoản thành "
-@@ -2790,12 +2673,12 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2788,12 +2673,12 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "Usage: %s [-f full_name] [-r room_no] [-w work_ph]\n"
  #~ "\t[-h home_ph] [-o other] [user]\n"
  #~ msgstr ""
@@ -2774,7 +2781,7 @@ Index: shadow-4.4/po/vi.po
  #~ "\t[-h điện_thoại_ở_nhà]\n"
  
  #~ msgid ""
-@@ -2809,13 +2692,13 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2807,13 +2692,13 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "                                the MD5 algorithm\n"
  #~ "%s\n"
  #~ msgstr ""
@@ -2792,7 +2799,7 @@ Index: shadow-4.4/po/vi.po
  #~ "%s\n"
  
  #~ msgid ""
-@@ -2826,21 +2709,21 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2824,21 +2709,21 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "  -s, --shell SHELL             new login shell for the user account\n"
  #~ "\n"
  #~ msgstr ""
@@ -2818,7 +2825,7 @@ Index: shadow-4.4/po/vi.po
  
  #~ msgid "faillog: Cannot open %s: %s\n"
  #~ msgstr "faillog: không thể mở %s: %s\n"
-@@ -2850,23 +2733,23 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2848,23 +2733,23 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  
  #~ msgid "Usage: groupdel group\n"
  #~ msgstr ""
@@ -2849,7 +2856,7 @@ Index: shadow-4.4/po/vi.po
  
  #~ msgid ""
  #~ "Usage: lastlog [options]\n"
-@@ -2881,7 +2764,7 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2879,7 +2764,7 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "LOGIN\n"
  #~ "\n"
  #~ msgstr ""
@@ -2858,7 +2865,7 @@ Index: shadow-4.4/po/vi.po
  #~ "\n"
  #~ "[lastlog: bản ghi cuối cùng]\n"
  #~ "\n"
-@@ -2923,11 +2806,11 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2921,11 +2806,11 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "                                change to MAX_DAYS\n"
  #~ "\n"
  #~ msgstr ""
@@ -2873,7 +2880,7 @@ Index: shadow-4.4/po/vi.po
  #~ "  -e, --expire         \tép buộc hết hạn dùng mật khẩu cho tài khoản đặt "
  #~ "tên\n"
  #~ "  -h, --help                  \thiển thị trợ giúp này, sau đó thoát\n"
-@@ -2935,231 +2818,16 @@ msgstr "%s: thÆ° mục cÆ¡ ban không há
+@@ -2933,231 +2818,16 @@ msgstr "%s: thư mục cơ ban không hợp lệ « %s »\n"
  #~ "  -i, --inactive INACTIVE\tđặt thành INACTIVE mật khẩu không còn hoạt "
  #~ "động lại\n"
  #~ "\t\t\t\t\tsau khi hết hạn dùng\n"
@@ -3107,3 +3114,6 @@ Index: shadow-4.4/po/vi.po
 -
 -#~ msgid "%s: can't chown %s\n"
 -#~ msgstr "%s: không thể chown (thay đổi quyền sở hữu) %s\n"
+-- 
+2.1.4
+

debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch

@@ -0,0 +1,29 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta <raduduta@gmail.com>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+-			} else {
++			} else if (   (pid_t)-1 != pid) {
+ 				pid_child = 0;
+ 			}
+ 		} while (!stop);

debian/patches/CVE-2017-12424.patch

@@ -0,0 +1,43 @@
+Origin: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2021-03-16
+
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: shadow-4.4/lib/commonio.c
+===================================================================
+--- shadow-4.4.orig/lib/commonio.c
++++ shadow-4.4/lib/commonio.c
+@@ -755,16 +755,16 @@ commonio_sort (struct commonio_db *db, i
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif

debian/patches/README.patches

@@ -1,6 +1,8 @@
 Small intro to the system for numbering the patches here...
 
--The 0xx series of patches are patches isolated from the latest
+-The 00xx-... patches are forwarded to upstream's git repository
+
+-The 0xx_... series of patches are patches isolated from the latest
  version of the shadow Debian package not using quilt in order to
  separate upstream from Debian-specific stuff.
 

debian/patches/series

@@ -1,3 +1,13 @@
+0001-Typos-fix-in-german-translation-of-man-pages.patch
+0002-Last-bits-of-enabling-subuids.patch
+0003-Dutch-translation-update.patch
+0004-Updated-Czech-translation.patch
+0005-Update-for-German-man-pages.patch
+0006-French-manpage-translation.patch
+0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
+0008-su-properly-clear-child-PID.patch
+301-Reset-pid_child-only-if-waitpid-was-successful.patch
+
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
@@ -16,6 +26,11 @@
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
-1000_configure_userns
 # does not apply cleanly, please merge at upstream
-#1010_vietnamese_translation
+1010_vietnamese_translation
+
+CVE-2017-12424.patch
+0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
+0002-gpasswd-1-Fix-password-leak.patch
+0003-Added-control-character-check.patch
+0004-Overhaul-valid_field.patch

debian/rules

@@ -21,7 +21,18 @@ DEB_DESTDIR=$(CURDIR)/debian/tmp
 include /usr/share/cdbs/1/class/autotools.mk
 
 # Adds extra options when calling the configure script:
-DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared --without-libcrack --mandir=/usr/share/man --with-libpam --enable-shadowgrp --enable-man --disable-account-tools-setuid --with-group-name-max-length=32 --without-acl --without-attr --without-tcb
+DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
+	--without-libcrack \
+	--mandir=/usr/share/man \
+	--with-libpam \
+	--enable-shadowgrp \
+	--enable-man \
+	--disable-account-tools-setuid \
+	--with-group-name-max-length=32 \
+	--without-acl \
+	--without-attr \
+	--without-tcb \
+	 SHELL=/bin/sh
 ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
   DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
 endif
@@ -34,6 +45,9 @@ binary-install/login::
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
 	# /bin/login is provided by the hurd package.
 	rm -f debian/login/bin/login
+endif
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+	sed -i 's/session    optional   pam_keyinit.so/# Linux only # session    optional   pam_keyinit.so/' debian/login.pam
 endif
 	dh_installpam -p login
 	dh_installpam -p login --name=su
@@ -79,3 +93,6 @@ binary-predeb/passwd::
 	chgrp shadow debian/passwd/usr/bin/expiry
 	chmod g+s debian/passwd/usr/bin/chage
 	chmod g+s debian/passwd/usr/bin/expiry
+
+clean::
+	sed -i 's/# Linux only # //' debian/login.pam

debian/securetty.linux

@@ -211,6 +211,12 @@ ttySC0
 ttySC1
 ttySC2
 ttySC3
+ttySC4
+ttySC5
+ttySC6
+ttySC7
+ttySC8
+ttySC9
 
 # ARM "AMBA" serial ports
 ttyAM0
@@ -398,3 +404,9 @@ duart1
 
 # s390 and s390x ports in LPAR mode
 ttysclp0
+
+# ODROID XU4 serial console
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3