Compare commits
17 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 9698b06fef | |||
| 406dd68863 | |||
| 2ff04fd9b5 | |||
| 97a3bc0c43 | |||
| 485b374d09 | |||
| 25f0b936c0 | |||
| 776d4d23ac | |||
| 9f285306f3 | |||
| f569ea06ff | |||
| 50defcfa5d | |||
| 56c7502686 | |||
| 7c66acdd2e | |||
| 4806645316 | |||
| 05a41bc4d5 | |||
| 75eb241552 | |||
| d7ce68863e | |||
| 095f9d48ef |
Vendored
+8
@@ -1,3 +1,11 @@
|
|||||||
|
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
|
||||||
|
|
||||||
|
The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
|
||||||
|
affects authentication. The historical default of letting all users with
|
||||||
|
empty password field in without authentication is still in effect.
|
||||||
|
|
||||||
|
-- Balint Reczey <balint@balintreczey.hu> Mon, 25 Sep 2023 17:04:09 +0200
|
||||||
|
|
||||||
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
|
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
|
||||||
|
|
||||||
Login now prevents an empty password field to be interpreted as
|
Login now prevents an empty password field to be interpreted as
|
||||||
|
|||||||
Vendored
+34
-12
@@ -1,22 +1,44 @@
|
|||||||
shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
|
shadow (1:4.13+dfsg1-4.1) unstable; urgency=medium
|
||||||
|
|
||||||
* Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
|
* Enhance the manpage for vipw (closes #1064940).
|
||||||
|
|
||||||
-- Chris Hofstaedtler <zeha@debian.org> Sun, 14 Dec 2025 15:00:01 +0100
|
-- Toni Mueller <toni@debian.org> Thu, 29 Feb 2024 16:37:32 +0000
|
||||||
|
|
||||||
shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
|
shadow (1:4.13+dfsg1-4) unstable; urgency=medium
|
||||||
|
|
||||||
|
[ Helmut Grohne ]
|
||||||
|
* DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
|
||||||
|
|
||||||
|
-- Serge Hallyn <serge@hallyn.com> Sun, 04 Feb 2024 20:28:27 +0000
|
||||||
|
|
||||||
|
shadow (1:4.13+dfsg1-3) unstable; urgency=medium
|
||||||
|
|
||||||
|
* Team upload
|
||||||
|
* Remove myself from uploaders
|
||||||
|
|
||||||
|
-- Balint Reczey <balint@balintreczey.hu> Sun, 15 Oct 2023 19:10:52 +0200
|
||||||
|
|
||||||
|
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
|
||||||
|
|
||||||
[ Balint Reczey ]
|
[ Balint Reczey ]
|
||||||
* Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
|
* debian/gitlab-ci.yml: Use sudo to fix reprotest test
|
||||||
CVE-2023-4641
|
* debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
|
||||||
* Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
|
* debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
|
||||||
CVE-2023-29383
|
Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
|
||||||
* Fix valid_field() that regressed in upstream's chfn fix
|
* Cherry-pick upstream patch to fix gpasswd passwd leak
|
||||||
|
(CVE-2023-4641) (Closes: #1051062)
|
||||||
|
* Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
|
||||||
|
control characters into some /etc/passwd fields.
|
||||||
|
(CVE-2023-29383) (Closes: #1034482)
|
||||||
|
|
||||||
[ Chris Hofstaedtler ]
|
[ Gioele Barabucci ]
|
||||||
* Update Uploaders: field from unstable
|
* Support <nodoc> build profile
|
||||||
|
`xsltproc`, `docbook` and all other XML-related packages are not needed
|
||||||
|
when the `<nodoc>` build profile is active, as long as `./configure` is
|
||||||
|
called with `--disable-man`. (Closes: #1051827)
|
||||||
|
|
||||||
-- Chris Hofstaedtler <zeha@debian.org> Mon, 07 Apr 2025 12:38:46 +0200
|
|
||||||
|
-- Balint Reczey <balint@balintreczey.hu> Tue, 26 Sep 2023 22:01:52 +0200
|
||||||
|
|
||||||
shadow (1:4.13+dfsg1-1) unstable; urgency=medium
|
shadow (1:4.13+dfsg1-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
|||||||
Vendored
+6
-8
@@ -1,8 +1,6 @@
|
|||||||
Source: shadow
|
Source: shadow
|
||||||
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
|
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
|
||||||
Uploaders:
|
Uploaders: Serge Hallyn <serge@hallyn.com>
|
||||||
Serge Hallyn <serge@hallyn.com>,
|
|
||||||
Chris Hofstaedtler <zeha@debian.org>
|
|
||||||
Section: admin
|
Section: admin
|
||||||
Priority: required
|
Priority: required
|
||||||
Build-Depends: debhelper-compat (= 13),
|
Build-Depends: debhelper-compat (= 13),
|
||||||
@@ -10,13 +8,13 @@ Build-Depends: debhelper-compat (= 13),
|
|||||||
libcrypt-dev,
|
libcrypt-dev,
|
||||||
libpam0g-dev,
|
libpam0g-dev,
|
||||||
quilt,
|
quilt,
|
||||||
xsltproc,
|
xsltproc <!nodoc>,
|
||||||
docbook-xsl,
|
docbook-xsl <!nodoc>,
|
||||||
docbook-xml,
|
docbook-xml <!nodoc>,
|
||||||
libxml2-utils,
|
libxml2-utils <!nodoc>,
|
||||||
libselinux1-dev [linux-any],
|
libselinux1-dev [linux-any],
|
||||||
libsemanage-dev [linux-any],
|
libsemanage-dev [linux-any],
|
||||||
itstool,
|
itstool <!nodoc>,
|
||||||
bison,
|
bison,
|
||||||
libaudit-dev [linux-any]
|
libaudit-dev [linux-any]
|
||||||
Standards-Version: 4.6.1
|
Standards-Version: 4.6.1
|
||||||
|
|||||||
Vendored
+3
-1
@@ -1,5 +1,7 @@
|
|||||||
variables:
|
variables:
|
||||||
RELEASE: 'unstable'
|
RELEASE: 'unstable'
|
||||||
|
# workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
|
||||||
|
SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
|
||||||
include:
|
include:
|
||||||
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
|
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
|
||||||
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
|
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
|
||||||
|
|||||||
Vendored
-8
@@ -337,14 +337,6 @@ NONEXISTENT /nonexistent
|
|||||||
#
|
#
|
||||||
#GRANT_AUX_GROUP_SUBIDS yes
|
#GRANT_AUX_GROUP_SUBIDS yes
|
||||||
|
|
||||||
#
|
|
||||||
# Prevents an empty password field to be interpreted as "no authentication
|
|
||||||
# required".
|
|
||||||
# Set to "yes" to prevent for all accounts
|
|
||||||
# Set to "superuser" to prevent for UID 0 / root (default)
|
|
||||||
# Set to "no" to not prevent for any account (dangerous, historical default)
|
|
||||||
PREVENT_NO_AUTH superuser
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Select the HMAC cryptography algorithm.
|
# Select the HMAC cryptography algorithm.
|
||||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||||
|
|||||||
Vendored
+1
-1
@@ -4,4 +4,4 @@ sbin/nologin usr/sbin
|
|||||||
usr/bin/faillog
|
usr/bin/faillog
|
||||||
usr/bin/lastlog
|
usr/bin/lastlog
|
||||||
usr/bin/newgrp
|
usr/bin/newgrp
|
||||||
bin/login
|
bin/login usr/bin
|
||||||
|
|||||||
Vendored
+1
-1
@@ -49,7 +49,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
|
|||||||
#
|
#
|
||||||
# parsing /etc/environment needs "readenv=1"
|
# parsing /etc/environment needs "readenv=1"
|
||||||
session required pam_env.so readenv=1
|
session required pam_env.so readenv=1
|
||||||
# locale variables are also kept into /etc/default/locale in etch
|
# locale variables can also be set in /etc/default/locale
|
||||||
# reading this file *in addition to /etc/environment* does not hurt
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
|||||||
Vendored
+1
-1
@@ -1,5 +1,5 @@
|
|||||||
debian/default/useradd etc/default
|
debian/default/useradd etc/default
|
||||||
debian/shadowconfig sbin
|
debian/shadowconfig usr/sbin
|
||||||
usr/bin/chage
|
usr/bin/chage
|
||||||
usr/bin/chfn
|
usr/bin/chfn
|
||||||
usr/bin/chsh
|
usr/bin/chsh
|
||||||
|
|||||||
Vendored
-3
@@ -1,6 +1,3 @@
|
|||||||
# Debian #1122913
|
|
||||||
upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
|
|
||||||
|
|
||||||
# CVE-2023-4641
|
# CVE-2023-4641
|
||||||
0001-gpasswd-1-Fix-password-leak.patch
|
0001-gpasswd-1-Fix-password-leak.patch
|
||||||
|
|
||||||
|
|||||||
@@ -1,54 +0,0 @@
|
|||||||
From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
|
|
||||||
From: lixinyun <li.xinyun@h3c.com>
|
|
||||||
Date: Wed, 29 May 2024 06:53:02 +0800
|
|
||||||
Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
|
|
||||||
free
|
|
||||||
|
|
||||||
Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
|
|
||||||
Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
|
|
||||||
|
|
||||||
[root@localhost src]# ./useradd u1
|
|
||||||
[root@localhost src]# ./useradd u2
|
|
||||||
[root@localhost src]# ./useradd u3
|
|
||||||
[root@localhost src]# ./groupadd -U u1,u2,u3 g1
|
|
||||||
[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
|
|
||||||
Segmentation fault
|
|
||||||
|
|
||||||
This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
|
|
||||||
|
|
||||||
[root@localhost src]# ./useradd u1
|
|
||||||
[root@localhost src]# ./useradd u2
|
|
||||||
[root@localhost src]# ./useradd u3
|
|
||||||
[root@localhost src]# ./groupadd -U u1,u2,u3 g1
|
|
||||||
[root@localhost src]# ./groupmod -U u1,u2 g1
|
|
||||||
Segmentation fault
|
|
||||||
|
|
||||||
The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
|
|
||||||
|
|
||||||
So the first free is unnecessary, maybe we can drop it.
|
|
||||||
|
|
||||||
Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
|
|
||||||
Closes: <https://github.com/shadow-maint/shadow/issues/1013>
|
|
||||||
Link: <https://github.com/shadow-maint/shadow/pull/1007>
|
|
||||||
Link: <https://github.com/shadow-maint/shadow/pull/271>
|
|
||||||
Link: <https://github.com/shadow-maint/shadow/issues/265>
|
|
||||||
Cc: "Serge E. Hallyn" <serge@hallyn.com>
|
|
||||||
Reviewed-by: Alejandro Colomar <alx@kernel.org>
|
|
||||||
Signed-off-by: lixinyun <li.xinyun@h3c.com>
|
|
||||||
---
|
|
||||||
src/groupmod.c | 2 --
|
|
||||||
1 file changed, 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git i/src/groupmod.c w/src/groupmod.c
|
|
||||||
index 006eca1c..7eae4c6f 100644
|
|
||||||
--- i/src/groupmod.c
|
|
||||||
+++ w/src/groupmod.c
|
|
||||||
@@ -244,8 +244,6 @@ static void grp_update (void)
|
|
||||||
|
|
||||||
if (!aflg) {
|
|
||||||
// requested to replace the existing groups
|
|
||||||
- if (NULL != grp.gr_mem[0])
|
|
||||||
- gr_free_members(&grp);
|
|
||||||
grp.gr_mem = (char **)xmalloc(sizeof(char *));
|
|
||||||
grp.gr_mem[0] = (char *)0;
|
|
||||||
} else {
|
|
||||||
Vendored
+5
-1
@@ -21,6 +21,10 @@ DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
|
|||||||
--without-tcb \
|
--without-tcb \
|
||||||
SHELL=/bin/sh
|
SHELL=/bin/sh
|
||||||
|
|
||||||
|
ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
|
||||||
|
DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
|
||||||
|
endif
|
||||||
|
|
||||||
# Set the default editor for vipw/vigr
|
# Set the default editor for vipw/vigr
|
||||||
CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
|
CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
|
||||||
|
|
||||||
@@ -38,7 +42,7 @@ endif
|
|||||||
dh_install -a
|
dh_install -a
|
||||||
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
||||||
# /bin/login is provided by the hurd package.
|
# /bin/login is provided by the hurd package.
|
||||||
rm -f debian/login/bin/login
|
rm -f debian/login/usr/bin/login
|
||||||
endif
|
endif
|
||||||
|
|
||||||
override_dh_installpam:
|
override_dh_installpam:
|
||||||
|
|||||||
+14
-1
@@ -73,10 +73,20 @@
|
|||||||
the appropriate locks to prevent file corruption. When looking for an
|
the appropriate locks to prevent file corruption. When looking for an
|
||||||
editor, the programs will first try the environment variable
|
editor, the programs will first try the environment variable
|
||||||
<envar>$VISUAL</envar>, then the environment variable
|
<envar>$VISUAL</envar>, then the environment variable
|
||||||
<envar>$EDITOR</envar>, and finally the default editor,
|
<envar>$EDITOR</envar>, then the editor from
|
||||||
|
<filename>~/.selected_editor</filename>, and finally
|
||||||
|
<command>nano</command>.
|
||||||
<citerefentry><refentrytitle>vi</refentrytitle>
|
<citerefentry><refentrytitle>vi</refentrytitle>
|
||||||
<manvolnum>1</manvolnum></citerefentry>.
|
<manvolnum>1</manvolnum></citerefentry>.
|
||||||
</para>
|
</para>
|
||||||
|
<para>
|
||||||
|
On the first run, if the environment variables <envar>$VISUAL</envar>
|
||||||
|
and <envar>$EDITOR</envar> are both unset, this program asks you for
|
||||||
|
an editor and stores your selection in
|
||||||
|
<filename>~/.selected_editor</filename>. If the editor mentioned
|
||||||
|
therein does not exist on your system, the program will fall back
|
||||||
|
to using <command>nano</command>.
|
||||||
|
</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1 id='options'>
|
<refsect1 id='options'>
|
||||||
@@ -210,6 +220,9 @@
|
|||||||
<citerefentry>
|
<citerefentry>
|
||||||
<refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum>
|
<refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum>
|
||||||
</citerefentry>
|
</citerefentry>
|
||||||
|
<citerefentry>
|
||||||
|
<refentrytitle>~/.selected_editor</refentrytitle><manvolnum>5</manvolnum>
|
||||||
|
</citerefentry>
|
||||||
<citerefentry condition="tcb">
|
<citerefentry condition="tcb">
|
||||||
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
||||||
</citerefentry>,
|
</citerefentry>,
|
||||||
|
|||||||
Reference in New Issue
Block a user