From 0f4c588d1b2291db94d075c9877bf9eeff092378 Mon Sep 17 00:00:00 2001
From: yunjia_w
Date: Mon, 19 Jun 2023 15:34:53 +0800
Subject: [PATCH] backport some patches

Signed-off-by: yunjia_w
---
 backport-Read-whole-line-in-yes_or_no.patch | 67 ++++++++++++++++
 ...mmonio-free-removed-database-entries.patch | 39 ++++++++++
 ...onnect-to-free-libsemanage-internals.patch | 76 +++++++++++++++++++
 shadow.spec | 10 ++-
 4 files changed, 190 insertions(+), 2 deletions(-)
 create mode 100644 backport-Read-whole-line-in-yes_or_no.patch
 create mode 100644 backport-commonio-free-removed-database-entries.patch
 create mode 100644 backport-semanage-disconnect-to-free-libsemanage-internals.patch

diff --git a/backport-Read-whole-line-in-yes_or_no.patch b/backport-Read-whole-line-in-yes_or_no.patch
new file mode 100644
index 0000000..c70a8b8
--- /dev/null
+++ b/backport-Read-whole-line-in-yes_or_no.patch
@@ -0,0 +1,67 @@
+From 0c83b981053b65c9bab4f1c2e60d004e920f8faf Mon Sep 17 00:00:00 2001
+From: Samanta Navarro
+Date: Fri, 27 Jan 2023 11:53:57 +0000
+Subject: [PATCH] Read whole line in yes_or_no
+
+Do not stop after 79 characters. Read the complete line to avoid
+arbitrary limitations.
+
+Proof of Concept:
+
+```
+cat > passwd-poc << EOF
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+EOF
+python -c "print(80*'y')" | pwck passwd-poc
+```
+
+Two lines should still be within the file because we agreed only once
+to remove a duplicated line.
+
+Signed-off-by: Samanta Navarro
+Reviewed-by: Alejandro Colomar
+Reviewed-by: Serge Hallyn
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/0c83b981053b65c9bab4f1c2e60d004e920f8faf
+---
+ libmisc/yesno.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libmisc/yesno.c b/libmisc/yesno.c
+index 1a1a3714..d8847e40 100644
+--- a/libmisc/yesno.c
++++ b/libmisc/yesno.c
+@@ -28,7 +28,8 @@
+ */
+ bool yes_or_no (bool read_only)
+ {
+- char buf[80];
++ int c;
++ bool result;
+
+ /*
+ * In read-only mode all questions are answered "no".
+@@ -46,11 +47,13 @@ bool yes_or_no (bool read_only)
+ /*
+ * Get a line and see what the first character is.
+ */
++ c = fgetc(stdin);
+ /* TODO: use gettext */
+- if (fgets (buf, (int) sizeof buf, stdin) == buf) {
+- return buf[0] == 'y' || buf[0] == 'Y';
+- }
++ result = (c == 'y' || c == 'Y');
++
++ while (c != '\n' && c != EOF)
++ c = fgetc(stdin);
+
+- return false;
++ return result;
+ }
+
+--
+2.27.0
+
diff --git a/backport-commonio-free-removed-database-entries.patch b/backport-commonio-free-removed-database-entries.patch
new file mode 100644
index 0000000..13322f7
--- /dev/null
+++ b/backport-commonio-free-removed-database-entries.patch
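Review bot: The block comment above the new `c = fgetc(stdin);` still only says "Get a line and see what the first character is", which no longer describes why the drain loop exists; the patch description makes the intent clear, so a comment on the loop such as `/* Discard the rest of the line so a long answer is not re-read as the reply to the next prompt. */` would record it in the code itself. The `/* TODO: use gettext */` comment that used to sit on the `fgets` call now separates `c = fgetc(stdin)` from the `result = (c == 'y' || c == 'Y');` test it refers to, so it reads better directly above the `result` line. The drain loop body is unbraced, unlike the braced `if` it replaces in the same function; `while (c != '\n' && c != EOF) { c = fgetc(stdin); }` keeps the file's style. The two inner hunks show only parts of yes_or_no; the read-only branch announced by the first comment lies between them and is outside this patch.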
@@ -0,0 +1,39 @@
+From a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Sat, 1 Apr 2023 13:36:51 +0200
+Subject: [PATCH] commonio: free removed database entries
+
+Free the actual struct of the removed entry.
+
+Example userdel report:
+
+ Direct leak of 40 byte(s) in 1 object(s) allocated from:
+ #0 0x55b230efe857 in reallocarray (./src/userdel+0xda857)
+ #1 0x55b230f6041f in mallocarray ./lib/./alloc.h:97:9
+ #2 0x55b230f6041f in commonio_open ./lib/commonio.c:563:7
+ #3 0x55b230f39098 in open_files ./src/userdel.c:555:6
+ #4 0x55b230f39098 in main ./src/userdel.c:1189:2
+ #5 0x7f9b48c64189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332
+---
+ lib/commonio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 40e62298..a0449c83 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -1060,6 +1060,8 @@ int commonio_remove (struct commonio_db *db, const char *name)
+ db->ops->free (p->eptr);
+ }
+
++ free(p);
++
+ return 1;
+ }
+
+--
+2.27.0
+
diff --git a/backport-semanage-disconnect-to-free-libsemanage-internals.patch b/backport-semanage-disconnect-to-free-libsemanage-internals.patch
new file mode 100644
index 0000000..94a0722
--- /dev/null
+++ b/backport-semanage-disconnect-to-free-libsemanage-internals.patch
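Review bot: The new `free(p);` after `db->ops->free (p->eptr);` depends on `p` having already been unlinked from the database's entry list and from any cursor the db keeps, and none of that is visible in the hunk — the statements that detach the entry sit above it in commonio_remove, so this should be checked against them. If a neighbouring entry's list link or the db's cursor still refers to `p`, the previous leak becomes a use-after-free on the next traversal, which is worse than the leak it fixes. A one-line comment on the new line, `/* p was unlinked from the list above; nothing references it any more */`, would record the invariant the free relies on. The enclosing function starts outside the hunk.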
@@ -0,0 +1,76 @@
+From 7078ed1e0b8a197aa9e5103986bce927abef87a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Sat, 1 Apr 2023 14:11:06 +0200
+Subject: [PATCH] semanage: disconnect to free libsemanage internals
+
+Destroying the handle does not actually disconnect, see [1].
+Also free the key on user removal.
+
+[1]: https://github.com/SELinuxProject/selinux/blob/e9072e7d45f4559887d11b518099135cbe564163/libsemanage/src/direct_api.c#L330
+
+Example adduser leak:
+
+ Direct leak of 1008 byte(s) in 14 object(s) allocated from:
+ #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+ #1 0x7fb5cfffad09 in dbase_file_init src/database_file.c:170:45
+
+ Direct leak of 392 byte(s) in 7 object(s) allocated from:
+ #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+ #1 0x7fb5cfffc929 in dbase_policydb_init src/database_policydb.c:187:27
+
+ Direct leak of 144 byte(s) in 2 object(s) allocated from:
+ #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+ #1 0x7fb5cfffb519 in dbase_join_init src/database_join.c:249:28
+
+ [...]
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/7078ed1e0b8a197aa9e5103986bce927abef87a4
+---
+ lib/semanage.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 5d336b08..d412186c 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -97,6 +97,8 @@ static semanage_handle_t *semanage_init (void)
+ return handle;
+
+ fail:
++ if (handle)
++ semanage_disconnect (handle);
+ semanage_handle_destroy (handle);
+ return NULL;
+ }
+@@ -156,7 +158,7 @@ done:
+
+
+ static int semanage_user_add (semanage_handle_t *handle,
+- semanage_seuser_key_t *key,
++ const semanage_seuser_key_t *key,
+ const char *login_name,
+ const char *seuser_name)
+ {
+@@ -279,6 +281,8 @@ int set_seuser (const char *login_name, const char *seuser_name)
+
+ done:
+ semanage_seuser_key_free (key);
++ if (handle)
++ semanage_disconnect (handle);
+ semanage_handle_destroy (handle);
+ return ret;
+ }
+@@ -353,6 +357,9 @@ int del_seuser (const char *login_name)
+
+ ret = 0;
+ done:
++ semanage_seuser_key_free (key);
++ if (handle)
++ semanage_disconnect (handle);
+ semanage_handle_destroy (handle);
+ return ret;
+ }
+--
+2.27.0
+
diff --git a/shadow.spec b/shadow.spec
index 1a48555..1ed1dae 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.9
-Release: 9
+Release: 10
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
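Review bot: The cleanup pair `if (handle) semanage_disconnect (handle);` followed by `semanage_handle_destroy (handle);` is now written out three times, at the `fail:` label of semanage_init and the `done:` labels of set_seuser and del_seuser; a small static helper would keep the three paths from drifting apart the next time a step is added. In semanage_init the `fail:` label is presumably also reached when semanage_connect itself fails (the body above the label is outside the hunk), so the new call relies on libsemanage accepting a disconnect on a handle that never connected — worth confirming in the libsemanage version this package builds against. The added `semanage_seuser_key_free (key);` in del_seuser assumes `key` is initialised to NULL before the first jump to `done:`; its declaration is outside the hunk and should be checked. All three functions begin outside the hunk.
```c
/* Drop the libsemanage connection (when a handle exists) and destroy the handle,
 * exactly as the cleanup labels in semanage_init, set_seuser and del_seuser do. */
static void semanage_close (semanage_handle_t *handle)
{
	if (handle)
		semanage_disconnect (handle);
	semanage_handle_destroy (handle);
}

/* … unchanged: semanage_init body … */
fail:
	semanage_close (handle);
	return NULL;
/* … the done: labels of set_seuser and del_seuser call semanage_close (handle) the same way … */
```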
@@ -55,6 +55,9 @@ Patch35: backport-Explicitly-override-only-newlines.patch
 Patch36: backport-Prevent-out-of-boundary-access.patch
 Patch37: backport-Added-control-character-check.patch
 Patch38: backport-Overhaul-valid_field.patch
+Patch39: backport-Read-whole-line-in-yes_or_no.patch
+Patch40: backport-commonio-free-removed-database-entries.patch
+Patch41: backport-semanage-disconnect-to-free-libsemanage-internals.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -221,8 +224,11 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_mandir}/*/*
 
 %changelog
+* Mon Jun 19 2023 wangyunjia - 2:4.9-10
+- backport patches from upstream
+
 * Thu Apr 20 2023 wangyunjia - 2:4.9-9
-- fix CVE-2023-29383
+- fix CVE-2023-29383
 
 * Thu Mar 23 2023 fuanan - 2:4.9-8
 - backport patches from upstream