Update changelog for 1:4.13+dfsg1-1+deb12u2 release

Closes: #1122913

debian/NEWS

@@ -1,11 +1,3 @@
-shadow (1:4.13+dfsg1-2) unstable; urgency=medium
-
-  The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
-  affects authentication.  The historical default of letting all users with
-  empty password field in without authentication is still in effect.
-
- -- Balint Reczey <balint@balintreczey.hu>  Mon, 25 Sep 2023 17:04:09 +0200
-
 shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
 
   Login now prevents an empty password field to be interpreted as

debian/changelog

@@ -1,44 +1,22 @@
-shadow (1:4.13+dfsg1-4.1) unstable; urgency=medium
+shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
 
-  * Enhance the manpage for vipw (closes #1064940).
+  * Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
 
- -- Toni Mueller <toni@debian.org>  Thu, 29 Feb 2024 16:37:32 +0000
+ -- Chris Hofstaedtler <zeha@debian.org>  Sun, 14 Dec 2025 15:00:01 +0100
 
-shadow (1:4.13+dfsg1-4) unstable; urgency=medium
-
-  [ Helmut Grohne ]
-  * DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
-
- -- Serge Hallyn <serge@hallyn.com>  Sun, 04 Feb 2024 20:28:27 +0000
-
-shadow (1:4.13+dfsg1-3) unstable; urgency=medium
-
-  * Team upload
-  * Remove myself from uploaders
-
- -- Balint Reczey <balint@balintreczey.hu>  Sun, 15 Oct 2023 19:10:52 +0200
-
-shadow (1:4.13+dfsg1-2) unstable; urgency=medium
+shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
 
   [ Balint Reczey ]
-  * debian/gitlab-ci.yml: Use sudo to fix reprotest test
-  * debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
-  * debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
-    Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
-  * Cherry-pick upstream patch to fix gpasswd passwd leak
-    (CVE-2023-4641) (Closes: #1051062)
-  * Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
-    control characters into some /etc/passwd fields.
-    (CVE-2023-29383) (Closes: #1034482)
+  * Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
+    CVE-2023-4641
+  * Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
+    CVE-2023-29383
+  * Fix valid_field() that regressed in upstream's chfn fix
 
-  [ Gioele Barabucci ]
-  * Support <nodoc> build profile
-    `xsltproc`, `docbook` and all other XML-related packages are not needed
-    when the `<nodoc>` build profile is active, as long as `./configure` is
-    called with `--disable-man`. (Closes: #1051827)
+  [ Chris Hofstaedtler ]
+  * Update Uploaders: field from unstable
 
-
- -- Balint Reczey <balint@balintreczey.hu>  Tue, 26 Sep 2023 22:01:52 +0200
+ -- Chris Hofstaedtler <zeha@debian.org>  Mon, 07 Apr 2025 12:38:46 +0200
 
 shadow (1:4.13+dfsg1-1) unstable; urgency=medium
 

debian/control

@@ -1,6 +1,8 @@
 Source: shadow
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Uploaders: Serge Hallyn <serge@hallyn.com>
+Uploaders:
+ Serge Hallyn <serge@hallyn.com>,
+ Chris Hofstaedtler <zeha@debian.org>
 Section: admin
 Priority: required
 Build-Depends: debhelper-compat (= 13),
@@ -8,13 +10,13 @@ Build-Depends: debhelper-compat (= 13),
                libcrypt-dev,
                libpam0g-dev,
                quilt,
-               xsltproc <!nodoc>,
-               docbook-xsl <!nodoc>,
-               docbook-xml <!nodoc>,
-               libxml2-utils <!nodoc>,
+               xsltproc,
+               docbook-xsl,
+               docbook-xml,
+               libxml2-utils,
                libselinux1-dev [linux-any],
                libsemanage-dev [linux-any],
-               itstool <!nodoc>,
+               itstool,
                bison,
                libaudit-dev [linux-any]
 Standards-Version: 4.6.1

debian/gitlab-ci.yml

@@ -1,7 +1,5 @@
 variables:
-  RELEASE: 'unstable'
-  # workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
-  SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
+ RELEASE: 'unstable'
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml

debian/login.defs

@@ -337,6 +337,14 @@ NONEXISTENT	/nonexistent
 #
 #GRANT_AUX_GROUP_SUBIDS yes
 
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+PREVENT_NO_AUTH superuser
+
 #
 # Select the HMAC cryptography algorithm.
 # Used in pam_timestamp module to calculate the keyed-hash message

debian/login.install

@@ -4,4 +4,4 @@ sbin/nologin usr/sbin
 usr/bin/faillog
 usr/bin/lastlog
 usr/bin/newgrp
-bin/login usr/bin
+bin/login

debian/login.pam

@@ -49,7 +49,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
 # 
 # parsing /etc/environment needs "readenv=1"
 session       required   pam_env.so readenv=1
-# locale variables can also be set in /etc/default/locale
+# locale variables are also kept into /etc/default/locale in etch
 # reading this file *in addition to /etc/environment* does not hurt
 session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 

debian/passwd.install

@@ -1,5 +1,5 @@
 debian/default/useradd etc/default
-debian/shadowconfig usr/sbin
+debian/shadowconfig sbin
 usr/bin/chage
 usr/bin/chfn
 usr/bin/chsh

debian/patches/series

@@ -1,3 +1,6 @@
+# Debian #1122913
+upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
+
 # CVE-2023-4641
 0001-gpasswd-1-Fix-password-leak.patch
 

debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch

@@ -0,0 +1,54 @@
+From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
+From: lixinyun <li.xinyun@h3c.com>
+Date: Wed, 29 May 2024 06:53:02 +0800
+Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
+ free
+
+Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
+Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
+Segmentation fault
+
+This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -U u1,u2 g1
+Segmentation fault
+
+The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
+
+So the first free is unnecessary, maybe we can drop it.
+
+Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
+Closes: <https://github.com/shadow-maint/shadow/issues/1013>
+Link: <https://github.com/shadow-maint/shadow/pull/1007>
+Link: <https://github.com/shadow-maint/shadow/pull/271>
+Link: <https://github.com/shadow-maint/shadow/issues/265>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: lixinyun <li.xinyun@h3c.com>
+---
+ src/groupmod.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git i/src/groupmod.c w/src/groupmod.c
+index 006eca1c..7eae4c6f 100644
+--- i/src/groupmod.c
++++ w/src/groupmod.c
+@@ -244,8 +244,6 @@ static void grp_update (void)
+ 
+ 		if (!aflg) {
+ 			// requested to replace the existing groups
+-			if (NULL != grp.gr_mem[0])
+-				gr_free_members(&grp);
+ 			grp.gr_mem = (char **)xmalloc(sizeof(char *));
+ 			grp.gr_mem[0] = (char *)0;
+ 		} else {

debian/rules

@@ -21,10 +21,6 @@ DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
 	--without-tcb \
 	 SHELL=/bin/sh
 
-ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
-DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
-endif
-
 # Set the default editor for vipw/vigr
 CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
 
@@ -42,7 +38,7 @@ endif
 	dh_install -a
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
 	# /bin/login is provided by the hurd package.
-	rm -f debian/login/usr/bin/login
+	rm -f debian/login/bin/login
 endif
 
 override_dh_installpam:

man/vipw.8.xml

@@ -73,20 +73,10 @@
       the appropriate locks to prevent file corruption. When looking for an
       editor, the programs will first try the environment variable
       <envar>$VISUAL</envar>, then the environment variable
-      <envar>$EDITOR</envar>, then the editor from
-      <filename>~/.selected_editor</filename>, and finally
-      <command>nano</command>.
+      <envar>$EDITOR</envar>, and finally the default editor,
       <citerefentry><refentrytitle>vi</refentrytitle>
       <manvolnum>1</manvolnum></citerefentry>.
     </para>
-    <para>
-        On the first run, if the environment variables <envar>$VISUAL</envar>
-        and <envar>$EDITOR</envar> are both unset, this program asks you for
-        an editor and stores your selection in
-        <filename>~/.selected_editor</filename>. If the editor mentioned
-        therein does not exist on your system, the program will fall back
-        to using <command>nano</command>.
-    </para>
   </refsect1>
 
   <refsect1 id='options'>
@@ -220,9 +210,6 @@
       <citerefentry>
 	<refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>
-      <citerefentry>
-          <refentrytitle>~/.selected_editor</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>
       <citerefentry condition="tcb">
 	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>,