Add Salsa-CI config

shadow (1:4.2-3+deb8u6) jessie-security; urgency=high
.
  * Non-maintainer upload by the ELTS Security Team.
  * CVE-2023-4641: When asking for a new password, shadow-utils asks the
    password twice. If the password fails on the second attempt,
    shadow-utils fails in cleaning the buffer used to store the first
    entry. This may allow an attacker with enough access to retrieve the
    password from the memory. (Closes: #1051062)
  * CVE-2023-29383: It is possible to inject control characters into
    fields provided to the SUID program chfn (change finger). Although it
    is not possible to exploit this directly (e.g., adding a new user
    fails because \n is in the block list), it is possible to misrepresent
    the /etc/passwd file when viewed. (Closes: #1034482)

debian/changelog

@@ -1,3 +1,74 @@
+shadow (1:4.2-3+deb8u6) jessie-security; urgency=high
+
+  * Non-maintainer upload by the ELTS Security Team.
+  * CVE-2023-4641: When asking for a new password, shadow-utils asks the
+    password twice. If the password fails on the second attempt,
+    shadow-utils fails in cleaning the buffer used to store the first
+    entry. This may allow an attacker with enough access to retrieve the
+    password from the memory. (Closes: #1051062)
+  * CVE-2023-29383: It is possible to inject control characters into
+    fields provided to the SUID program chfn (change finger). Although it
+    is not possible to exploit this directly (e.g., adding a new user
+    fails because \n is in the block list), it is possible to misrepresent
+    the /etc/passwd file when viewed. (Closes: #1034482)
+
+ -- Sylvain Beucler <beuc@debian.org>  Tue, 15 Apr 2025 14:26:11 +0200
+  
+shadow (1:4.2-3+deb8u5) jessie-security; urgency=high
+
+  * Non-maintainer upload by the ELTS team.
+  * SECURITY UPDATE: Crash or buffer overflow
+    - debian/patches/CVE-2017-12424.patch: fix buffer overflow if
+      NULL line is present in db in lib/commonio.c.
+    - CVE-2017-12424
+  * SECURITY UPDATE: Access to privileged information
+    - debian/patches/CVE-2018-7169.patch: newgidmap:
+      enforce setgroups=deny if self-mapping a group in
+      src/newgidmap.c.
+    - CVE-2018-7169
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Tue, 01 Feb 2022 04:40:19 +0530
+
+shadow (1:4.2-3+deb8u4) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Reset pid_child only if waitpid was successful.
+    This is a regression fix for CVE-2017-2616. If su receives a signal like
+    SIGTERM, it is not propagated to the child. (Closes: #862806)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 17 May 2017 12:58:54 +0200
+
+shadow (1:4.2-3+deb8u3) jessie-security; urgency=high
+
+  * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
+  * Refresh patches
+  * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 24 Feb 2017 00:57:31 +0100
+
+shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 23 Feb 2017 17:21:08 +0100
+
+shadow (1:4.2-3+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix error handling in busy user detection. (Closes: #778287)
+
+ -- Bastian Blank <bastian.blank@credativ.de>  Wed, 18 Nov 2015 08:07:09 +0000
+
+shadow (1:4.2-3) unstable; urgency=low
+
+  * Enforce hardened builds to workaround cdbs sometimes not building
+    with hardening flags as in 1:4.2-2+b1
+    Thanks to Dr. Markus Waldeck for pointing the issue and Simon Ruderich
+    For providing a working patch.
+
+ -- Christian Perrier <bubulle@debian.org>  Wed, 19 Nov 2014 21:59:09 +0100
+
 shadow (1:4.2-2) unstable; urgency=low
 
   * The "Soumaintrain" release

debian/control

@@ -3,8 +3,10 @@ Section: admin
 Priority: required
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
 Standards-Version: 3.9.5
-Uploaders: Christian Perrier <bubulle@debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
+Uploaders: Christian Perrier <bubulle@debian.org>,
+           Balint Reczey <balint@balintreczey.hu>
 Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
+ ,hardening-wrapper
 Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shadow/shadow.git;a=summary
 Homepage: http://pkg-shadow.alioth.debian.org/

debian/patches/1020_fix_user_busy_errors

@@ -0,0 +1,38 @@
+Description: Fix user_busy to not leave subuid open in case of error.
+Author: William Grant <wgrant@ubuntu.com>
+Bug: https://bugs.launchpad.net/ubuntu/vivid/+source/shadow/+bug/1436937
+
+Index: shadow-4.2/libmisc/user_busy.c
+===================================================================
+--- shadow-4.2.orig/libmisc/user_busy.c
++++ shadow-4.2/libmisc/user_busy.c
+@@ -175,6 +175,9 @@ static int user_busy_processes (const ch
+ 	if (stat ("/", &sbroot) != 0) {
+ 		perror ("stat (\"/\")");
+ 		(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++		sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 		return 0;
+ 	}
+ 
+@@ -212,6 +215,9 @@ static int user_busy_processes (const ch
+ 
+ 		if (check_status (name, tmp_d_name, uid) != 0) {
+ 			(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++			sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 			fprintf (stderr,
+ 			         _("%s: user %s is currently used by process %d\n"),
+ 			         Prog, name, pid);
+@@ -232,6 +238,9 @@ static int user_busy_processes (const ch
+ 				}
+ 				if (check_status (name, task_path+6, uid) != 0) {
+ 					(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++					sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 					fprintf (stderr,
+ 					         _("%s: user %s is currently used by process %d\n"),
+ 					         Prog, name, pid);

debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch

@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 

debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch

@@ -0,0 +1,46 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-	long long int val;
++	unsigned long int val;
+ 	char *endptr;
+ 
+ 	errno = 0;
+-	val = strtoll (numstr, &endptr, 0);
++	val = strtoul (numstr, &endptr, 0);
+ 	if (    ('\0' == *numstr)
+ 	     || ('\0' != *endptr)
+ 	     || (ERANGE == errno)
+-	     /*@+ignoresigns@*/
+-	     || (val != (unsigned long int)val)
+-	     /*@=ignoresigns@*/
+ 	   ) {
+ 		return 0;
+ 	}
+ 
+-	*result = (unsigned long int)val;
++	*result = val;
+ 	return 1;
+ }
+ 
+-- 
+2.1.4
+

debian/patches/303-Reset-pid_child-only-if-waitpid-was-successful.patch

@@ -0,0 +1,29 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta <raduduta@gmail.com>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+-			} else {
++			} else if (   (pid_t)-1 != pid) {
+ 				pid_child = 0;
+ 			}
+ 		} while (!stop);

debian/patches/523_su_arguments_are_concatenated

@@ -8,11 +8,9 @@ Status wrt upstream: This is a Debian specific patch.
 Note: the fix of the man page is still missing.
       (to be taken from the trunk)
 
-Index: git/src/su.c
-===================================================================
---- git.orig/src/su.c
-+++ git/src/su.c
-@@ -1152,6 +1152,35 @@
+--- a/src/su.c
++++ b/src/su.c
+@@ -1167,6 +1167,35 @@
  			argv[0] = "-c";
  			argv[1] = command;
  		}

debian/patches/523_su_arguments_are_no_more_concatenated_by_default

@@ -8,10 +8,8 @@ Etch.
 
 Status wrt upstream: This patch is Debian specific.
 
-Index: git/src/su.c
-===================================================================
---- git.orig/src/su.c
-+++ git/src/su.c
+--- a/src/su.c
++++ b/src/su.c
 @@ -104,6 +104,19 @@
  /* If nonzero, change some environment vars to indicate the user su'd to. */
  static bool change_environment = true;
@@ -32,7 +30,7 @@ Index: git/src/su.c
  #ifdef USE_PAM
  static pam_handle_t *pamh = NULL;
  static int caught = 0;
-@@ -949,6 +962,8 @@
+@@ -964,6 +977,8 @@
  	int ret;
  #endif				/* USE_PAM */
  
@@ -41,7 +39,7 @@ Index: git/src/su.c
  	(void) setlocale (LC_ALL, "");
  	(void) bindtextdomain (PACKAGE, LOCALEDIR);
  	(void) textdomain (PACKAGE);
-@@ -1156,7 +1171,7 @@
+@@ -1171,7 +1186,7 @@
  		 * resulting string is always given to the shell with its
  		 * -c option.
  		 */

debian/patches/CVE-2017-12424.patch

@@ -0,0 +1,37 @@
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -755,16 +755,16 @@
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif

debian/patches/CVE-2018-7169.patch

@@ -0,0 +1,174 @@
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map it's own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
+ 
++	}
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
+@@ -89,6 +94,70 @@
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
+@@ -103,6 +172,7 @@
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -144,7 +214,7 @@
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -174,8 +244,9 @@
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 

debian/patches/CVE-2023-29383.patch

@@ -0,0 +1,83 @@
+Origin: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+Origin: https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+Index: shadow-4.2/lib/fields.c
+===================================================================
+--- shadow-4.2.orig/lib/fields.c
++++ shadow-4.2/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -60,23 +60,22 @@ int valid_field (const char *field, cons
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are some non-printable characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 

debian/patches/CVE-2023-4641.patch

@@ -0,0 +1,143 @@
+Origin: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: shadow-4.2/src/gpasswd.c
+===================================================================
+--- shadow-4.2.orig/src/gpasswd.c
++++ shadow-4.2/src/gpasswd.c
+@@ -911,6 +911,7 @@ static void change_passwd (struct group
+ 	for (retries = 0; retries < RETRIES; retries++) {
+ 		cp = getpass (_("New Password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 

debian/patches/series

@@ -4,6 +4,9 @@
 
 503_shadowconfig.8
 008_login_log_failure_in_FTMP
+301-CVE-2017-2616-su-properly-clear-child-PID.patch
+302-CVE-2016-6252-fix-integer-overflow.patch
+303-Reset-pid_child-only-if-waitpid-was-successful.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first
@@ -34,3 +37,9 @@
 #userns/16_add-argument-sanity-checking.patch
 1000_configure_userns
 1010_vietnamese_translation
+1020_fix_user_busy_errors
+CVE-2017-12424.patch
+CVE-2018-7169.patch
+
+CVE-2023-4641.patch
+CVE-2023-29383.patch

debian/rules

@@ -3,6 +3,8 @@
 
 DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 
+export DEB_BUILD_HARDENING=1
+
 # Enable PIE, BINDNOW, and possible future flags.
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 

debian/salsa-ci.yml

@@ -0,0 +1,9 @@
+---
+# LTS/ELTS CI
+
+include:
+- https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/jessie.yml
+
+# These didn't work before LTS, not attempting to fix after freeze
+#blhc:
+#  allow_failure: true