Compare commits

..

7 Commits

Author SHA1 Message Date
Chris Hofstaedtler b158bb0a5c Update changelog for 1:4.13+dfsg1-1+deb12u2 release 2025-12-14 15:02:57 +01:00
Chris Hofstaedtler 803a1636e4 Apply upstream patch to fix groupmod -U "" segfault
Closes: #1122913
2025-12-14 15:02:26 +01:00
Chris Hofstaedtler feff3a90fd Update changelog for 1:4.13+dfsg1-1+deb12u1 release 2025-04-07 12:38:59 +02:00
Chris Hofstaedtler e22bb067e6 Update Uploaders: field from unstable 2025-04-05 17:01:59 +02:00
Balint Reczey b1d59753d5 Fix valid_field() that regressed in upstream's first CVE fix
cherry-picking upstream's regression fix.

Follow-up for commit 50defcfa5d (on
master), 6ee8dfcaba.
2025-04-05 17:00:55 +02:00
Balint Reczey 6ee8dfcaba Cherry-pick upstream patch to fix chfn vulnerability
(CVE-2023-29383)

Closes: #1034482
2025-04-05 16:58:53 +02:00
Balint Reczey 2421c91c37 Cherry-pick upstream patch to fix gpasswd passwd leak
(CVE-2023-4641)

Closes: #1051062
2025-04-05 16:58:50 +02:00
12 changed files with 91 additions and 73 deletions
Vendored
-8
View File
@@ -1,11 +1,3 @@
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
affects authentication. The historical default of letting all users with
empty password field in without authentication is still in effect.
-- Balint Reczey <balint@balintreczey.hu> Mon, 25 Sep 2023 17:04:09 +0200
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
Login now prevents an empty password field to be interpreted as Login now prevents an empty password field to be interpreted as
+12 -34
View File
@@ -1,44 +1,22 @@
shadow (1:4.13+dfsg1-4.1) unstable; urgency=medium shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
* Enhance the manpage for vipw (closes #1064940). * Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
-- Toni Mueller <toni@debian.org> Thu, 29 Feb 2024 16:37:32 +0000 -- Chris Hofstaedtler <zeha@debian.org> Sun, 14 Dec 2025 15:00:01 +0100
shadow (1:4.13+dfsg1-4) unstable; urgency=medium shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
[ Helmut Grohne ]
* DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
-- Serge Hallyn <serge@hallyn.com> Sun, 04 Feb 2024 20:28:27 +0000
shadow (1:4.13+dfsg1-3) unstable; urgency=medium
* Team upload
* Remove myself from uploaders
-- Balint Reczey <balint@balintreczey.hu> Sun, 15 Oct 2023 19:10:52 +0200
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
[ Balint Reczey ] [ Balint Reczey ]
* debian/gitlab-ci.yml: Use sudo to fix reprotest test * Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
* debian/login.pam: Drop reference to Debian Etch (Closes: #1040064) CVE-2023-4641
* debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication. * Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547) CVE-2023-29383
* Cherry-pick upstream patch to fix gpasswd passwd leak * Fix valid_field() that regressed in upstream's chfn fix
(CVE-2023-4641) (Closes: #1051062)
* Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
control characters into some /etc/passwd fields.
(CVE-2023-29383) (Closes: #1034482)
[ Gioele Barabucci ] [ Chris Hofstaedtler ]
* Support <nodoc> build profile * Update Uploaders: field from unstable
`xsltproc`, `docbook` and all other XML-related packages are not needed
when the `<nodoc>` build profile is active, as long as `./configure` is
called with `--disable-man`. (Closes: #1051827)
-- Chris Hofstaedtler <zeha@debian.org> Mon, 07 Apr 2025 12:38:46 +0200
-- Balint Reczey <balint@balintreczey.hu> Tue, 26 Sep 2023 22:01:52 +0200
shadow (1:4.13+dfsg1-1) unstable; urgency=medium shadow (1:4.13+dfsg1-1) unstable; urgency=medium
+8 -6
View File
@@ -1,6 +1,8 @@
Source: shadow Source: shadow
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Uploaders: Serge Hallyn <serge@hallyn.com> Uploaders:
Serge Hallyn <serge@hallyn.com>,
Chris Hofstaedtler <zeha@debian.org>
Section: admin Section: admin
Priority: required Priority: required
Build-Depends: debhelper-compat (= 13), Build-Depends: debhelper-compat (= 13),
@@ -8,13 +10,13 @@ Build-Depends: debhelper-compat (= 13),
libcrypt-dev, libcrypt-dev,
libpam0g-dev, libpam0g-dev,
quilt, quilt,
xsltproc <!nodoc>, xsltproc,
docbook-xsl <!nodoc>, docbook-xsl,
docbook-xml <!nodoc>, docbook-xml,
libxml2-utils <!nodoc>, libxml2-utils,
libselinux1-dev [linux-any], libselinux1-dev [linux-any],
libsemanage-dev [linux-any], libsemanage-dev [linux-any],
itstool <!nodoc>, itstool,
bison, bison,
libaudit-dev [linux-any] libaudit-dev [linux-any]
Standards-Version: 4.6.1 Standards-Version: 4.6.1
+1 -3
View File
@@ -1,7 +1,5 @@
variables: variables:
RELEASE: 'unstable' RELEASE: 'unstable'
# workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
include: include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+8
View File
@@ -337,6 +337,14 @@ NONEXISTENT /nonexistent
# #
#GRANT_AUX_GROUP_SUBIDS yes #GRANT_AUX_GROUP_SUBIDS yes
#
# Prevents an empty password field to be interpreted as "no authentication
# required".
# Set to "yes" to prevent for all accounts
# Set to "superuser" to prevent for UID 0 / root (default)
# Set to "no" to not prevent for any account (dangerous, historical default)
PREVENT_NO_AUTH superuser
# #
# Select the HMAC cryptography algorithm. # Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message # Used in pam_timestamp module to calculate the keyed-hash message
+1 -1
View File
@@ -4,4 +4,4 @@ sbin/nologin usr/sbin
usr/bin/faillog usr/bin/faillog
usr/bin/lastlog usr/bin/lastlog
usr/bin/newgrp usr/bin/newgrp
bin/login usr/bin bin/login
+1 -1
View File
@@ -49,7 +49,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
# #
# parsing /etc/environment needs "readenv=1" # parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1 session required pam_env.so readenv=1
# locale variables can also be set in /etc/default/locale # locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt # reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale session required pam_env.so readenv=1 envfile=/etc/default/locale
+1 -1
View File
@@ -1,5 +1,5 @@
debian/default/useradd etc/default debian/default/useradd etc/default
debian/shadowconfig usr/sbin debian/shadowconfig sbin
usr/bin/chage usr/bin/chage
usr/bin/chfn usr/bin/chfn
usr/bin/chsh usr/bin/chsh
+3
View File
@@ -1,3 +1,6 @@
# Debian #1122913
upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
# CVE-2023-4641 # CVE-2023-4641
0001-gpasswd-1-Fix-password-leak.patch 0001-gpasswd-1-Fix-password-leak.patch
@@ -0,0 +1,54 @@
From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
From: lixinyun <li.xinyun@h3c.com>
Date: Wed, 29 May 2024 06:53:02 +0800
Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
free
Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
[root@localhost src]# ./useradd u1
[root@localhost src]# ./useradd u2
[root@localhost src]# ./useradd u3
[root@localhost src]# ./groupadd -U u1,u2,u3 g1
[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
Segmentation fault
This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
[root@localhost src]# ./useradd u1
[root@localhost src]# ./useradd u2
[root@localhost src]# ./useradd u3
[root@localhost src]# ./groupadd -U u1,u2,u3 g1
[root@localhost src]# ./groupmod -U u1,u2 g1
Segmentation fault
The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
So the first free is unnecessary, maybe we can drop it.
Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
Closes: <https://github.com/shadow-maint/shadow/issues/1013>
Link: <https://github.com/shadow-maint/shadow/pull/1007>
Link: <https://github.com/shadow-maint/shadow/pull/271>
Link: <https://github.com/shadow-maint/shadow/issues/265>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: lixinyun <li.xinyun@h3c.com>
---
src/groupmod.c | 2 --
1 file changed, 2 deletions(-)
diff --git i/src/groupmod.c w/src/groupmod.c
index 006eca1c..7eae4c6f 100644
--- i/src/groupmod.c
+++ w/src/groupmod.c
@@ -244,8 +244,6 @@ static void grp_update (void)
if (!aflg) {
// requested to replace the existing groups
- if (NULL != grp.gr_mem[0])
- gr_free_members(&grp);
grp.gr_mem = (char **)xmalloc(sizeof(char *));
grp.gr_mem[0] = (char *)0;
} else {
+1 -5
View File
@@ -21,10 +21,6 @@ DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
--without-tcb \ --without-tcb \
SHELL=/bin/sh SHELL=/bin/sh
ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
endif
# Set the default editor for vipw/vigr # Set the default editor for vipw/vigr
CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\"" CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
@@ -42,7 +38,7 @@ endif
dh_install -a dh_install -a
ifeq ($(DEB_HOST_ARCH_OS),hurd) ifeq ($(DEB_HOST_ARCH_OS),hurd)
# /bin/login is provided by the hurd package. # /bin/login is provided by the hurd package.
rm -f debian/login/usr/bin/login rm -f debian/login/bin/login
endif endif
override_dh_installpam: override_dh_installpam:
+1 -14
View File
@@ -73,20 +73,10 @@
the appropriate locks to prevent file corruption. When looking for an the appropriate locks to prevent file corruption. When looking for an
editor, the programs will first try the environment variable editor, the programs will first try the environment variable
<envar>$VISUAL</envar>, then the environment variable <envar>$VISUAL</envar>, then the environment variable
<envar>$EDITOR</envar>, then the editor from <envar>$EDITOR</envar>, and finally the default editor,
<filename>~/.selected_editor</filename>, and finally
<command>nano</command>.
<citerefentry><refentrytitle>vi</refentrytitle> <citerefentry><refentrytitle>vi</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>. <manvolnum>1</manvolnum></citerefentry>.
</para> </para>
<para>
On the first run, if the environment variables <envar>$VISUAL</envar>
and <envar>$EDITOR</envar> are both unset, this program asks you for
an editor and stores your selection in
<filename>~/.selected_editor</filename>. If the editor mentioned
therein does not exist on your system, the program will fall back
to using <command>nano</command>.
</para>
</refsect1> </refsect1>
<refsect1 id='options'> <refsect1 id='options'>
@@ -220,9 +210,6 @@
<citerefentry> <citerefentry>
<refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> </citerefentry>
<citerefentry>
<refentrytitle>~/.selected_editor</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>
<citerefentry condition="tcb"> <citerefentry condition="tcb">
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>, </citerefentry>,