backport some patches

Signed-off-by: yunjia_w <yunjia.wang@huawei.com>

backport-Fix-yescrypt-support.patch

@@ -0,0 +1,37 @@
+From 29da702491eea314b915ea9c7a83c9af80cf5797 Mon Sep 17 00:00:00 2001
+From: Bernd Kuhls <bernd@kuhls.net>
+Date: Sun, 9 Jul 2023 10:55:03 +0200
+Subject: [PATCH] Fix yescrypt support
+ 
+Fixes build error:
+newusers.c: In function 'update_passwd':
+newusers.c:433:21: error: 'sflg' undeclared (first use in this function); did you mean 'rflg'?
+ 
+introduced by
+https://github.com/shadow-maint/shadow/commit/5cd04d03f94622c12220d4a6352824af081b8531
+which forgot to define sflg for these configure options:
+ 
+--without-sha-crypt --without-bcrypt --with-yescrypt
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/29da702491eea314b915ea9c7a83c9af80cf5797
+Conflict: NA
+---
+ src/newusers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/src/newusers.c b/src/newusers.c
+index 7cb8434b..08f79798 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -60,7 +60,7 @@ static bool rflg = false;	/* create a system account */
+ #ifndef USE_PAM
+ static /*@null@*//*@observer@*/char *crypt_method = NULL;
+ #define cflg (NULL != crypt_method)
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) || defined(USE_YESCRYPT)
+ static bool sflg = false;
+ #endif
+ #ifdef USE_SHA_CRYPT
+-- 
+2.27.0
+

backport-chpasswd-add-IS_CRYPT_METHOD.patch

@@ -0,0 +1,97 @@
+From 9cdb5251b6c30487a7d935a1a7827f493249479d Mon Sep 17 00:00:00 2001
+From: juyin <zhuyan34@huawei.com>
+Date: Sat, 2 Apr 2022 11:48:51 +0800
+Subject: [PATCH] chpasswd: add IS_CRYPT_METHOD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Use macro IS_CRYPT_METHOD instead of ’strcmp(crypt_method, xx)==0’ to make the code more cleanup
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/9cdb5251b6c30487a7d935a1a7827f493249479d
+Conflict: This patch is adapted to SM3.The pre-optimization of the get_salt function is not incorporated. Therefore, the modification related to the get_salt function is not incorporated in this patch.
+---
+ src/chpasswd.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+ 
+diff --git a/src/chpasswd.c b/src/chpasswd.c
+index 3b30c01..cc00180 100644
+--- a/src/chpasswd.c
++++ b/src/chpasswd.c
+@@ -52,6 +52,8 @@
+ /*@-exitarg@*/
+ #include "exitcodes.h"
+ 
++#define IS_CRYPT_METHOD(str) ((crypt_method != NULL && strcmp(crypt_method, str) == 0) ? true : false)
++
+ /*
+  * Global variables
+  */
+@@ -208,26 +210,26 @@ static void process_flags (int argc, char **argv)
+ 			sflg = true;
+                         bad_s = 0;
+ #if defined(USE_SHA_CRYPT)
+-			if (  (   ((0 == strcmp (crypt_method, "SHA256")) || (0 == strcmp (crypt_method, "SHA512")))
+-			       && (0 == getlong(optarg, &sha_rounds)))) {
++			if ((IS_CRYPT_METHOD("SHA256") || IS_CRYPT_METHOD("SHA512"))
++			    && (0 == getlong(optarg, &sha_rounds))) {                            
+                             bad_s = 1;
+                         }
+ #endif				/* USE_SHA_CRYPT */
+ #if defined(USE_BCRYPT)
+-                        if ((   (0 == strcmp (crypt_method, "BCRYPT"))
+-			       && (0 == getlong(optarg, &bcrypt_rounds)))) {
++                        if (IS_CRYPT_METHOD("BCRYPT")
++			    && (0 == getlong(optarg, &bcrypt_rounds))) {
+                             bad_s = 1;
+                         }
+ #endif				/* USE_BCRYPT */
+ #if defined(USE_YESCRYPT)
+-                        if ((   (0 == strcmp (crypt_method, "YESCRYPT"))
+-			       && (0 == getlong(optarg, &yescrypt_cost)))) {
++                        if (IS_CRYPT_METHOD("YESCRYPT")
++			    && (0 == getlong(optarg, &yescrypt_cost))) {
+                             bad_s = 1;
+                         }
+ #endif				/* USE_YESCRYPT */
+ #if defined(USE_SM3_CRYPT)
+-                        if ((   (0 == strcmp (crypt_method, "SM3"))
+-			       && (0 == getlong(optarg, &sm3_rounds)))) {
++                        if (IS_CRYPT_METHOD("SM3")
++			    && (0 == getlong(optarg, &sm3_rounds))) {
+                             bad_s = 1;
+                         }
+ #endif				/* USE_SM3_CRYPT */
+@@ -275,21 +277,21 @@ static void check_flags (void)
+ 	}
+ 
+ 	if (cflg) {
+-		if (   (0 != strcmp (crypt_method, "DES"))
+-		    && (0 != strcmp (crypt_method, "MD5"))
+-		    && (0 != strcmp (crypt_method, "NONE"))
++		if ((!IS_CRYPT_METHOD("DES"))
++		    &&(!IS_CRYPT_METHOD("MD5"))
++		    &&(!IS_CRYPT_METHOD("NONE"))
+ #ifdef USE_SHA_CRYPT
+-		    && (0 != strcmp (crypt_method, "SHA256"))
+-		    && (0 != strcmp (crypt_method, "SHA512"))
++		    &&(!IS_CRYPT_METHOD("SHA256"))
++		    &&(!IS_CRYPT_METHOD("SHA512"))
+ #endif				/* USE_SHA_CRYPT */
+ #ifdef USE_SM3_CRYPT
+-		    && (0 != strcmp (crypt_method, "SM3"))
++		    &&(!IS_CRYPT_METHOD("SM3"))
+ #endif				/* USE_SM3_CRYPT */
+ #ifdef USE_BCRYPT
+-		    && (0 != strcmp (crypt_method, "BCRYPT"))
++		    &&(!IS_CRYPT_METHOD("BCRYPT"))
+ #endif				/* USE_BCRYPT */
+ #ifdef USE_YESCRYPT
+-		    && (0 != strcmp (crypt_method, "YESCRYPT"))
++		    &&(!IS_CRYPT_METHOD("YESCRYPT"))
+ #endif				/* USE_YESCRYPT */
+ 		    ) {
+ 			fprintf (stderr,
+-- 
+2.27.0
+

backport-newgrp-fix-potential-string-injection.patch

@@ -0,0 +1,60 @@
+From 9df4801e0b65073cc8a9031b22a73532ef7fdc2c Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Fri, 21 Jul 2023 14:55:19 +0200
+Subject: [PATCH] newgrp: fix potential string injection
+ 
+Since newgrp is setuid-root, any write() system calls it does in order
+to print error messages will be done as the root user.
+ 
+Unprivileged users can get newgrp to print essentially arbitrary strings
+to any open file in this way by passing those strings as argv[0] when
+calling execve(). For example:
+ 
+    $ setpid() { (exec -a $1$'\n:' newgrp '' 2>/proc/sys/kernel/ns_last_pid & wait) >/dev/null; }
+    $ setpid 31000
+    $ readlink /proc/self
+    31001
+ 
+This is not a vulnerability in newgrp; it is a bug in the Linux kernel.
+ 
+However, this type of bug is not new [1] and it makes sense to try to
+mitigate these types of bugs in userspace where possible.
+ 
+[1]: https://lwn.net/Articles/476947/
+ 
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/9df4801e0b65073cc8a9031b22a73532ef7fdc2c
+Conflict: NA
+---
+ src/newgrp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+ 
+diff --git a/src/newgrp.c b/src/newgrp.c
+index babb28e9..f786a96f 100644
+--- a/src/newgrp.c
++++ b/src/newgrp.c
+@@ -417,10 +417,17 @@ int main (int argc, char **argv)
+ 	 * but we do not need to restore the previous process persona and we
+ 	 * don't need to re-exec anything.  -- JWP
+ 	 */
+-	Prog = Basename (argv[0]);
++
++	/*
++	 * Ensure that "Prog" is always either "newgrp" or "sg" to avoid
++	 * injecting arbitrary strings into our stderr/stdout, as this can
++	 * be an exploit vector.
++	 */
++	is_newgrp = (strcmp (Basename (argv[0]), "newgrp") == 0);
++	Prog = is_newgrp ? "newgrp" : "sg";
++
+ 	shadow_logfd = stderr;
+-	is_newgrp = (strcmp (Prog, "newgrp") == 0);
+-	OPENLOG (is_newgrp ? "newgrp" : "sg");
++	OPENLOG (Prog);
+ 	argc--;
+ 	argv++;
+ 
+-- 
+2.27.0
+

backport-script-to-kill-subjects-processes-from-userdel.patch

@@ -0,0 +1,54 @@
+From dcca8653a54b5a03b0234238dbc6388f6b59adc3 Mon Sep 17 00:00:00 2001
+From: ed neville <ed@s5h.net>
+Date: Fri, 17 Dec 2021 14:29:48 +0000
+Subject: [PATCH] script to kill subjects processes from userdel
+ 
+Closes #404
+Closes #317
+ 
+Signed-off-by: ed neville <ed@s5h.net>
+ 
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/dcca8653a54b5a03b0234238dbc6388f6b59adc3
+---
+ .../userdel-pre.d/01-kill_user_procs.sh       | 28 +++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100755 etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+ 
+diff --git a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+new file mode 100755
+index 00000000..ca481b1b
+--- /dev/null
++++ b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+@@ -0,0 +1,28 @@
++#!/bin/sh
++
++PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++
++# Check user exists, and if so, send sigkill to processes that the user owns
++
++RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
++
++# if the user does not exist, RUNNING will be 0
++
++if [ "${RUNNING}x" = "0x" ]; then
++  exit 0
++fi
++
++ls -1 /proc | while IFS= read -r PROC; do
++  echo "$PROC" | grep -E '^[0-9]+$' >/dev/null
++  if [ $? -ne 0 ]; then
++    continue
++  fi
++  if [ -d "/proc/${PROC}" ]; then
++    USR=`stat -c "%U" /proc/${PROC}`
++    if [ "${USR}" = "${SUBJECT}" ]; then
++      echo "Killing ${SUBJECT} owned ${PROC}"
++      kill -9 "${PROC}"
++    fi
++  fi
++done
++
+-- 
+2.27.0
+

backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch

@@ -0,0 +1,56 @@
+From 7bced397c9fd66965753e5fc0fd3dfa535ca1c9b Mon Sep 17 00:00:00 2001
+From: xiongshenglan <xiongshenglan@huawei.com>
+Date: Wed, 19 Jul 2023 15:13:06 +0800
+Subject: [PATCH] shadow userdel: add the adaptation to the busybox ps in
+ 01-kill_user_procs.sh
+ 
+In some embedded systems, users only use the ps
+provided by the busybox. But the ps provided by
+the busybox does not support the -eo option by
+default. As a result, an error is reported when
+the userdel is used. So add a judgment on ps.
+If there is no ps -eo, traverse the process directly.
+ 
+The error information is as follows:
+ # userdel xsl
+ps: invalid option -- 'e'
+ 
+Signed-off-by: xiongshenglan <xiongshenglan@huawei.com>
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/7bced397c9fd66965753e5fc0fd3dfa535ca1c9b
+Conflict: NA
+---
+ .../userdel-pre.d/01-kill_user_procs.sh           | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+ 
+diff --git a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+index ca481b1b..d2d7ef26 100755
+--- a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
++++ b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+@@ -4,14 +4,17 @@ PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ 
+ # Check user exists, and if so, send sigkill to processes that the user owns
+ 
+-RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
+-
+-# if the user does not exist, RUNNING will be 0
+-
+-if [ "${RUNNING}x" = "0x" ]; then
+-  exit 0
++ps -eo user >/dev/null 2>&1
++if [ $? -eq 0 ]; then
++    RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
++    # if the user does not exist, RUNNING will be 0
++    if [ "${RUNNING}x" = "0x" ]; then
++        exit 0
++    fi
+ fi
+ 
++# If there is no ps -eo, traverse the process directly.
++
+ ls -1 /proc | while IFS= read -r PROC; do
+   echo "$PROC" | grep -E '^[0-9]+$' >/dev/null
+   if [ $? -ne 0 ]; then
+-- 
+2.27.0
+

shadow.spec

@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.9
-Release: 12
+Release: 13
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -67,6 +67,11 @@ Patch47: backport-Check-if-crypt_method-null-before-dereferencing.patch
 Patch48: backport-usermod-fix-off-by-one-issues.patch
 Patch49: backport-gpasswd-1-Fix-password-leak.patch
 Patch50: backport-chgpasswd-fix-segfault-in-command-line-options.patch
+Patch51: backport-chpasswd-add-IS_CRYPT_METHOD.patch
+Patch52: backport-Fix-yescrypt-support.patch
+Patch53: backport-newgrp-fix-potential-string-injection.patch
+Patch54: backport-script-to-kill-subjects-processes-from-userdel.patch
+Patch55: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -233,6 +238,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_mandir}/*/*
 
 %changelog
+* Wed Sep 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.9-13
+- backport some patches
+
 * Tue Aug 22 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.9-12
 - backport patches from upstream