Import Debian changes 1:4.8.1-1+deb11u1

shadow (1:4.8.1-1+deb11u1) bullseye-security; urgency=high
.
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2023-4641: When asking for a new password, shadow-utils asks the
    password twice. If the password fails on the second attempt,
    shadow-utils fails in cleaning the buffer used to store the first
    entry. This may allow an attacker with enough access to retrieve the
    password from the memory. (Closes: #1051062)
  * CVE-2023-29383: It is possible to inject control characters into
    fields provided to the SUID program chfn (change finger). Although it
    is not possible to exploit this directly (e.g., adding a new user
    fails because \n is in the block list), it is possible to misrepresent
    the /etc/passwd file when viewed. (Closes: #1034482)
  * Add Salsa-CI configuration.
  * Silence lintian error that can't be fixed after freeze.

debian/changelog

@@ -1,35 +1,20 @@
-shadow (1:4.8.1-2) unstable; urgency=medium
+shadow (1:4.8.1-1+deb11u1) bullseye-security; urgency=high
 
-  * debian/control: Switch to libsemanage-dev from libsemanage1-dev
-    (Closes: #998633)
-  * ACK NMU, thanks for all the changes
-  * Make passwd recommend sensible-utils because vipw uses sensible-editor
-  * Add files to debian/not-installed or install them when they were missed
-    This change ships a few more man page translations
-  * debian/control: Bump debhelper-compat version to 13
-  * List man pages to install in debian/*.manpages instead of in
-    debian/*.install
-  * Clean up debian/control using 'cme fix dpkg-control'
-  * Rename deprecated debian/passwd.tmpfile to debian/passwd.tmpfiles
-  * debian/control: Revert to my personal email address in the Maintainer field
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2023-4641: When asking for a new password, shadow-utils asks the
+    password twice. If the password fails on the second attempt,
+    shadow-utils fails in cleaning the buffer used to store the first
+    entry. This may allow an attacker with enough access to retrieve the
+    password from the memory. (Closes: #1051062)
+  * CVE-2023-29383: It is possible to inject control characters into
+    fields provided to the SUID program chfn (change finger). Although it
+    is not possible to exploit this directly (e.g., adding a new user
+    fails because \n is in the block list), it is possible to misrepresent
+    the /etc/passwd file when viewed. (Closes: #1034482)
+  * Add Salsa-CI configuration.
+  * Silence lintian error that can't be fixed after freeze.
 
- -- Balint Reczey <balint@balintreczey.hu>  Wed, 10 Nov 2021 10:39:04 +0100
-
-shadow (1:4.8.1-1.1) unstable; urgency=medium
-
-  [ Johannes Schauer Marin Rodrigues ]
-  * Non-maintainer upload.
-
-  [ Niels Thykier ]
-  * Remove obsolete login.preinst
-  * Remove obsolete code from passwd maintscripts
-
-  [ Helmut Grohne ]
-  * logoutd is gone since at least buster (closes: #989712)
-  * Delete duplicate subuid/subgid creation.
-  * login.postinstd support for DPKG_ROOT (closes: #992578)
-
- -- Johannes Schauer Marin Rodrigues <josch@debian.org>  Sat, 23 Oct 2021 21:04:57 +0200
+ -- Sylvain Beucler <beuc@debian.org>  Fri, 18 Apr 2025 15:46:55 +0200
 
 shadow (1:4.8.1-1) unstable; urgency=medium
 

debian/control

@@ -1,10 +1,10 @@
 Source: shadow
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Uploaders: Balint Reczey <balint@balintreczey.hu>,
+Uploaders: Balint Reczey <rbalint@ubuntu.com>,
            Serge Hallyn <serge@hallyn.com>
 Section: admin
 Priority: required
-Build-Depends: debhelper-compat (= 13),
+Build-Depends: debhelper-compat (= 12),
                gettext,
                libpam0g-dev,
                quilt,
@@ -13,13 +13,13 @@ Build-Depends: debhelper-compat (= 13),
                docbook-xml,
                libxml2-utils,
                libselinux1-dev [linux-any],
-               libsemanage-dev [linux-any],
+               libsemanage1-dev [linux-any],
                itstool,
                bison,
                libaudit-dev [linux-any]
-Standards-Version: 4.5.1
-Vcs-Browser: https://salsa.debian.org/debian/shadow
+Standards-Version: 3.9.5
 Vcs-Git: https://salsa.debian.org/debian/shadow -b master
+Vcs-Browser: https://salsa.debian.org/debian/shadow
 Homepage: https://github.com/shadow-maint/shadow
 Rules-Requires-Root: binary-targets
 
@@ -29,7 +29,8 @@ Multi-Arch: foreign
 Depends: ${shlibs:Depends},
          ${misc:Depends},
          libpam-modules
-Recommends: sensible-utils
+Replaces: manpages-tr (<< 1.0.5),
+          manpages-zh (<< 1.5.1-1)
 Description: change and administer password and group data
  This package includes passwd, chsh, chfn, and many other programs to
  maintain password and group data.
@@ -43,11 +44,22 @@ Essential: yes
 Pre-Depends: ${shlibs:Depends},
              ${misc:Depends},
              libpam-runtime,
-             libpam-modules
-Breaks: hurd (<< 20140206~) [hurd-any],
+             libpam-modules (>= 1.1.8-1)
+Breaks: coreutils (<< 8.21~) [hurd-any],
+        passwd (<< 1:4.1.5.1-2~) [hurd-any],
+        hurd (<< 20140206~) [hurd-any],
         util-linux (<< 2.32-0.2~)
-Conflicts: python-4suite (<< 0.99cvs20060405-1)
-Replaces: hurd (<< 20140206~) [hurd-any]
+Conflicts: gnunet (<< 0.7.0c-2),
+           amavisd-new (<< 2.3.3-8),
+           python-4suite (<< 0.99cvs20060405-1),
+           backupninja (<< 0.9.3-5),
+           echolot (<< 2.1.8-4)
+Replaces: manpages-de (<< 0.5-3),
+          manpages-tr (<< 1.0.5),
+          manpages-zh (<< 1.5.1-1),
+          passwd (<< 1:4.1.5.1-2~) [hurd-any],
+          coreutils (<< 8.21~) [hurd-any],
+          hurd (<< 20140206~) [hurd-any]
 Description: system login tools
  This package provides some required infrastructure for logins and for
  changing effective user or group IDs, including:

debian/login.install

@@ -1,5 +1,21 @@
 debian/login.defs etc
 usr/share/locale/*/LC_MESSAGES/shadow.mo
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man5/faillog.5
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
+usr/share/man/man8/nologin.8
 usr/sbin/nologin
 usr/bin/faillog
 usr/bin/lastlog

debian/login.manpages

@@ -1,16 +0,0 @@
-usr/share/man/*/man1/login.1
-usr/share/man/*/man1/newgrp.1
-usr/share/man/*/man1/sg.1
-usr/share/man/*/man5/faillog.5
-usr/share/man/*/man5/login.defs.5
-usr/share/man/*/man8/faillog.8
-usr/share/man/*/man8/lastlog.8
-usr/share/man/*/man8/nologin.8
-usr/share/man/man1/login.1
-usr/share/man/man1/newgrp.1
-usr/share/man/man1/sg.1
-usr/share/man/man5/faillog.5
-usr/share/man/man5/login.defs.5
-usr/share/man/man8/faillog.8
-usr/share/man/man8/lastlog.8
-usr/share/man/man8/nologin.8

debian/login.postinst

@@ -2,29 +2,55 @@
 
 set -e
 
+if test "$1" = configure
+then
+	if test -f /etc/init.d/logoutd
+	then 
+		if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53  /etc/init.d/logoutd"
+		then	
+			echo "removing logoutd cruft"
+			rm /etc/init.d/logoutd
+			update-rc.d logoutd remove
+		fi
+	fi
+fi
+rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
 
 if [ "$1" = "configure" ]; then
 	# Install faillog during initial installs only
-	if [ "$2" = "" ] && [ ! -f "$DPKG_ROOT/var/log/faillog" ] ; then
-		touch "$DPKG_ROOT/var/log/faillog"
-		chown 0:0 "$DPKG_ROOT/var/log/faillog"
-		chmod 644 "$DPKG_ROOT/var/log/faillog"
+	if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
+		touch /var/log/faillog
+		chown root:root /var/log/faillog
+		chmod 644 /var/log/faillog
 	fi
 
 	# Create subuid/subgid if missing
-	if [ ! -e "$DPKG_ROOT/etc/subuid" ]; then
-		touch "$DPKG_ROOT/etc/subuid"
-		chown 0:0 "$DPKG_ROOT/etc/subuid"
-		chmod 644 "$DPKG_ROOT/etc/subuid"
+	if [ ! -e /etc/subuid ]; then
+		touch /etc/subuid
+		chown root:root /etc/subuid
+		chmod 644 /etc/subuid
 	fi
 
-	if [ ! -e "$DPKG_ROOT/etc/subgid" ]; then
-		touch "$DPKG_ROOT/etc/subgid"
-		chown 0:0 "$DPKG_ROOT/etc/subgid"
-		chmod 644 "$DPKG_ROOT/etc/subgid"
+	if [ ! -e /etc/subgid ]; then
+		touch /etc/subgid
+		chown root:root /etc/subgid
+		chmod 644 /etc/subgid
 	fi
 fi
 
+        # Create subuid/subgid if missing
+        if [ ! -e /etc/subuid ]; then
+                touch /etc/subuid
+                chown root:root /etc/subuid
+                chmod 644 /etc/subuid
+        fi
+
+        if [ ! -e /etc/subgid ]; then
+                touch /etc/subgid
+                chown root:root /etc/subgid
+                chmod 644 /etc/subgid
+        fi
+
 #DEBHELPER#
 
 exit 0

debian/login.preinst

@@ -0,0 +1,52 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
+		fi
+	    fi
+	    
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+

debian/not-installed

@@ -1,35 +0,0 @@
-bin/groups
-etc/default/useradd
-etc/login.defs
-etc/pam.d/chfn
-etc/pam.d/chage
-etc/pam.d/chpasswd
-etc/pam.d/chsh
-etc/pam.d/groupadd
-etc/pam.d/groupdel
-etc/pam.d/groupmems
-etc/pam.d/groupmod
-etc/pam.d/login
-etc/pam.d/newusers
-etc/pam.d/passwd
-etc/pam.d/useradd
-etc/pam.d/userdel
-etc/pam.d/usermod
-usr/bin/sg
-usr/sbin/logoutd
-usr/sbin/vigr
-usr/share/man/*/man1/groups.1
-usr/share/man/*/man1/logoutd.1
-usr/share/man/*/man1/su.1
-usr/share/man/*/man3/getspnam.3
-usr/share/man/*/man3/shadow.3
-usr/share/man/*/man5/suauth.5
-usr/share/man/*/man8/logoutd.8
-usr/share/man/man1/groups.1
-usr/share/man/man1/logoutd.1
-usr/share/man/man1/su.1
-usr/share/man/man3/getspnam.3
-usr/share/man/man3/shadow.3
-usr/share/man/man5/suauth.5
-usr/share/man/man8/logoutd.8
-

debian/passwd.install

@@ -24,3 +24,60 @@ usr/sbin/useradd
 usr/sbin/userdel
 usr/sbin/usermod
 usr/sbin/vipw
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/groupmems.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/gshadow.5
+usr/share/man/man5/subuid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subuid.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8

debian/passwd.lintian-overrides

@@ -4,3 +4,5 @@ passwd: setuid-binary usr/bin/chsh 4755 root/root
 passwd: setgid-binary usr/bin/expiry 2755 root/shadow
 passwd: setuid-binary usr/bin/gpasswd 4755 root/root
 passwd: setuid-binary usr/bin/passwd 4755 root/root
+# Fixed in a0f09c4de7ad35b1a7c64cbe7024c9b7236ad491 but would add a Recommend: during LTS
+passwd: missing-depends-on-sensible-utils sensible-editor usr/sbin/vipw

debian/passwd.manpages

@@ -1,60 +1,2 @@
 debian/cpgr.8
 debian/cppw.8
-usr/share/man/*/man1/chage.1
-usr/share/man/*/man1/chfn.1
-usr/share/man/*/man1/chsh.1
-usr/share/man/*/man1/expiry.1
-usr/share/man/*/man1/gpasswd.1
-usr/share/man/*/man1/passwd.1
-usr/share/man/*/man5/passwd.5
-usr/share/man/*/man5/subgid.5
-usr/share/man/*/man5/subuid.5
-usr/share/man/*/man5/shadow.5
-usr/share/man/*/man5/gshadow.5
-usr/share/man/*/man8/chpasswd.8
-usr/share/man/*/man8/chgpasswd.8
-usr/share/man/*/man8/groupadd.8
-usr/share/man/*/man8/groupdel.8
-usr/share/man/*/man8/groupmod.8
-usr/share/man/*/man8/groupmems.8
-usr/share/man/*/man8/grpck.8
-usr/share/man/*/man8/grpconv.8
-usr/share/man/*/man8/grpunconv.8
-usr/share/man/*/man8/newusers.8
-usr/share/man/*/man8/pwck.8
-usr/share/man/*/man8/pwconv.8
-usr/share/man/*/man8/pwunconv.8
-usr/share/man/*/man8/useradd.8
-usr/share/man/*/man8/userdel.8
-usr/share/man/*/man8/usermod.8
-usr/share/man/*/man8/vigr.8
-usr/share/man/*/man8/vipw.8
-usr/share/man/man1/chage.1
-usr/share/man/man1/chfn.1
-usr/share/man/man1/chsh.1
-usr/share/man/man1/expiry.1
-usr/share/man/man1/gpasswd.1
-usr/share/man/man1/passwd.1
-usr/share/man/man5/passwd.5
-usr/share/man/man5/shadow.5
-usr/share/man/man5/gshadow.5
-usr/share/man/man5/subuid.5
-usr/share/man/man5/subgid.5
-usr/share/man/man8/chgpasswd.8
-usr/share/man/man8/chpasswd.8
-usr/share/man/man8/groupadd.8
-usr/share/man/man8/groupdel.8
-usr/share/man/man8/groupmems.8
-usr/share/man/man8/groupmod.8
-usr/share/man/man8/grpck.8
-usr/share/man/man8/grpconv.8
-usr/share/man/man8/grpunconv.8
-usr/share/man/man8/newusers.8
-usr/share/man/man8/pwck.8
-usr/share/man/man8/pwconv.8
-usr/share/man/man8/pwunconv.8
-usr/share/man/man8/useradd.8
-usr/share/man/man8/userdel.8
-usr/share/man/man8/usermod.8
-usr/share/man/man8/vigr.8
-usr/share/man/man8/vipw.8

debian/passwd.postinst

@@ -4,6 +4,20 @@ set -e
 
 case "$1" in
 configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
+    rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
 	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
 	then
 		groupadd -g 42 shadow || (

debian/passwd.preinst

@@ -0,0 +1,51 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
+	    fi
+	fi
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+

debian/patches/CVE-2023-29383.patch

@@ -0,0 +1,83 @@
+Origin: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+Origin: https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+Index: shadow-4.8.1/lib/fields.c
+===================================================================
+--- shadow-4.8.1.orig/lib/fields.c
++++ shadow-4.8.1/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -60,23 +60,22 @@ int valid_field (const char *field, cons
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are some non-printable characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 

debian/patches/CVE-2023-4641.patch

@@ -0,0 +1,143 @@
+Origin: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: shadow-4.8.1/src/gpasswd.c
+===================================================================
+--- shadow-4.8.1.orig/src/gpasswd.c
++++ shadow-4.8.1/src/gpasswd.c
+@@ -911,6 +911,7 @@ static void change_passwd (struct group
+ 	for (retries = 0; retries < RETRIES; retries++) {
+ 		cp = getpass (_("New Password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 

debian/patches/series

@@ -14,3 +14,6 @@
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
+
+CVE-2023-4641.patch
+CVE-2023-29383.patch

debian/salsa-ci.yml

@@ -0,0 +1,13 @@
+---
+# LTS/ELTS CI
+
+include:
+- https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
+
+# These didn't work before LTS, not attempting to fix after freeze
+#blhc:
+#  allow_failure: true
+
+# https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/275
+piuparts:
+  allow_failure: true

debian/uidmap.install

@@ -1,2 +1,4 @@
 usr/bin/newuidmap
 usr/bin/newgidmap
+usr/share/man/man1/newuidmap.1
+usr/share/man/man1/newgidmap.1

debian/uidmap.manpages

@@ -1,4 +0,0 @@
-usr/share/man/*/man1/newgidmap.1
-usr/share/man/*/man1/newuidmap.1
-usr/share/man/man1/newgidmap.1
-usr/share/man/man1/newuidmap.1