Compare commits

..

5 Commits

Author SHA1 Message Date
Chris Hofstaedtler feff3a90fd Update changelog for 1:4.13+dfsg1-1+deb12u1 release 2025-04-07 12:38:59 +02:00
Chris Hofstaedtler e22bb067e6 Update Uploaders: field from unstable 2025-04-05 17:01:59 +02:00
Balint Reczey b1d59753d5 Fix valid_field() that regressed in upstream's first CVE fix
cherry-picking upstream's regression fix.

Follow-up for commit 50defcfa5d (on
master), 6ee8dfcaba.
2025-04-05 17:00:55 +02:00
Balint Reczey 6ee8dfcaba Cherry-pick upstream patch to fix chfn vulnerability
(CVE-2023-29383)

Closes: #1034482
2025-04-05 16:58:53 +02:00
Balint Reczey 2421c91c37 Cherry-pick upstream patch to fix gpasswd passwd leak
(CVE-2023-4641)

Closes: #1051062
2025-04-05 16:58:50 +02:00
10 changed files with 31 additions and 76 deletions
Vendored
-8
View File
@@ -1,11 +1,3 @@
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
affects authentication. The historical default of letting all users with
empty password field in without authentication is still in effect.
-- Balint Reczey <balint@balintreczey.hu> Mon, 25 Sep 2023 17:04:09 +0200
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
Login now prevents an empty password field to be interpreted as
+9 -37
View File
@@ -1,44 +1,16 @@
shadow (1:4.13+dfsg1-4.1) unstable; urgency=medium
* Enhance the manpage for vipw (closes #1064940).
-- Toni Mueller <toni@debian.org> Thu, 29 Feb 2024 16:37:32 +0000
shadow (1:4.13+dfsg1-4) unstable; urgency=medium
[ Helmut Grohne ]
* DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
-- Serge Hallyn <serge@hallyn.com> Sun, 04 Feb 2024 20:28:27 +0000
shadow (1:4.13+dfsg1-3) unstable; urgency=medium
* Team upload
* Remove myself from uploaders
-- Balint Reczey <balint@balintreczey.hu> Sun, 15 Oct 2023 19:10:52 +0200
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
[ Balint Reczey ]
* debian/gitlab-ci.yml: Use sudo to fix reprotest test
* debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
* debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
* Cherry-pick upstream patch to fix gpasswd passwd leak
(CVE-2023-4641) (Closes: #1051062)
* Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
control characters into some /etc/passwd fields.
(CVE-2023-29383) (Closes: #1034482)
* Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
CVE-2023-4641
* Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
CVE-2023-29383
* Fix valid_field() that regressed in upstream's chfn fix
[ Gioele Barabucci ]
* Support <nodoc> build profile
`xsltproc`, `docbook` and all other XML-related packages are not needed
when the `<nodoc>` build profile is active, as long as `./configure` is
called with `--disable-man`. (Closes: #1051827)
[ Chris Hofstaedtler ]
* Update Uploaders: field from unstable
-- Balint Reczey <balint@balintreczey.hu> Tue, 26 Sep 2023 22:01:52 +0200
-- Chris Hofstaedtler <zeha@debian.org> Mon, 07 Apr 2025 12:38:46 +0200
shadow (1:4.13+dfsg1-1) unstable; urgency=medium
+8 -6
View File
@@ -1,6 +1,8 @@
Source: shadow
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Uploaders: Serge Hallyn <serge@hallyn.com>
Uploaders:
Serge Hallyn <serge@hallyn.com>,
Chris Hofstaedtler <zeha@debian.org>
Section: admin
Priority: required
Build-Depends: debhelper-compat (= 13),
@@ -8,13 +10,13 @@ Build-Depends: debhelper-compat (= 13),
libcrypt-dev,
libpam0g-dev,
quilt,
xsltproc <!nodoc>,
docbook-xsl <!nodoc>,
docbook-xml <!nodoc>,
libxml2-utils <!nodoc>,
xsltproc,
docbook-xsl,
docbook-xml,
libxml2-utils,
libselinux1-dev [linux-any],
libsemanage-dev [linux-any],
itstool <!nodoc>,
itstool,
bison,
libaudit-dev [linux-any]
Standards-Version: 4.6.1
+1 -3
View File
@@ -1,7 +1,5 @@
variables:
RELEASE: 'unstable'
# workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
RELEASE: 'unstable'
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+8
View File
@@ -337,6 +337,14 @@ NONEXISTENT /nonexistent
#
#GRANT_AUX_GROUP_SUBIDS yes
#
# Prevents an empty password field to be interpreted as "no authentication
# required".
# Set to "yes" to prevent for all accounts
# Set to "superuser" to prevent for UID 0 / root (default)
# Set to "no" to not prevent for any account (dangerous, historical default)
PREVENT_NO_AUTH superuser
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
+1 -1
View File
@@ -4,4 +4,4 @@ sbin/nologin usr/sbin
usr/bin/faillog
usr/bin/lastlog
usr/bin/newgrp
bin/login usr/bin
bin/login
+1 -1
View File
@@ -49,7 +49,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables can also be set in /etc/default/locale
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
+1 -1
View File
@@ -1,5 +1,5 @@
debian/default/useradd etc/default
debian/shadowconfig usr/sbin
debian/shadowconfig sbin
usr/bin/chage
usr/bin/chfn
usr/bin/chsh
+1 -5
View File
@@ -21,10 +21,6 @@ DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
--without-tcb \
SHELL=/bin/sh
ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
endif
# Set the default editor for vipw/vigr
CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
@@ -42,7 +38,7 @@ endif
dh_install -a
ifeq ($(DEB_HOST_ARCH_OS),hurd)
# /bin/login is provided by the hurd package.
rm -f debian/login/usr/bin/login
rm -f debian/login/bin/login
endif
override_dh_installpam:
+1 -14
View File
@@ -73,20 +73,10 @@
the appropriate locks to prevent file corruption. When looking for an
editor, the programs will first try the environment variable
<envar>$VISUAL</envar>, then the environment variable
<envar>$EDITOR</envar>, then the editor from
<filename>~/.selected_editor</filename>, and finally
<command>nano</command>.
<envar>$EDITOR</envar>, and finally the default editor,
<citerefentry><refentrytitle>vi</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>.
</para>
<para>
On the first run, if the environment variables <envar>$VISUAL</envar>
and <envar>$EDITOR</envar> are both unset, this program asks you for
an editor and stores your selection in
<filename>~/.selected_editor</filename>. If the editor mentioned
therein does not exist on your system, the program will fall back
to using <command>nano</command>.
</para>
</refsect1>
<refsect1 id='options'>
@@ -220,9 +210,6 @@
<citerefentry>
<refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>
<citerefentry>
<refentrytitle>~/.selected_editor</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>
<citerefentry condition="tcb">
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,