diff --git a/backport-Fix-yescrypt-support.patch b/backport-Fix-yescrypt-support.patch
new file mode 100644
index 0000000..2b56acb
--- /dev/null
+++ b/backport-Fix-yescrypt-support.patch
@@ -0,0 +1,37 @@
+From 29da702491eea314b915ea9c7a83c9af80cf5797 Mon Sep 17 00:00:00 2001
+From: Bernd Kuhls
+Date: Sun, 9 Jul 2023 10:55:03 +0200
+Subject: [PATCH] Fix yescrypt support
+
+Fixes build error:
+newusers.c: In function 'update_passwd':
+newusers.c:433:21: error: 'sflg' undeclared (first use in this function); did you mean 'rflg'?
+
+introduced by
+https://github.com/shadow-maint/shadow/commit/5cd04d03f94622c12220d4a6352824af081b8531
+which forgot to define sflg for these configure options:
+
+--without-sha-crypt --without-bcrypt --with-yescrypt
+
+Reference: https://github.com/shadow-maint/shadow/commit/29da702491eea314b915ea9c7a83c9af80cf5797
+Conflict: NA
+---
+ src/newusers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/newusers.c b/src/newusers.c
+index 7cb8434b..08f79798 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -60,7 +60,7 @@ static bool rflg = false; /* create a system account */
+ #ifndef USE_PAM
+ static /*@null@*//*@observer@*/char *crypt_method = NULL;
+ #define cflg (NULL != crypt_method)
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) || defined(USE_YESCRYPT)
+ static bool sflg = false;
+ #endif
+ #ifdef USE_SHA_CRYPT
+--
+2.27.0
+
diff --git a/backport-chpasswd-add-IS_CRYPT_METHOD.patch b/backport-chpasswd-add-IS_CRYPT_METHOD.patch
new file mode 100644
index 0000000..9b67226
--- /dev/null
+++ b/backport-chpasswd-add-IS_CRYPT_METHOD.patch
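Review bot: The widened `#if` only fixes the declaration of `sflg`; nothing in the hunk ties it to the guards around the `sflg` uses (the build error quoted in the message came from `update_passwd` at newusers.c:433, outside this hunk), so the next crypt method added will reproduce the same mismatch in whichever configure combination the contributor did not build. A comment on the `#if` would make the invariant explicit: `/* every USE_*_CRYPT method that honours -s must be listed here and wherever sflg is read */`. If `chpasswd.c` and `chgpasswd.c` carry the same declaration guard (I cannot see them here), they presumably need the same `|| defined(USE_YESCRYPT)`.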
@@ -0,0 +1,97 @@
+From 9cdb5251b6c30487a7d935a1a7827f493249479d Mon Sep 17 00:00:00 2001
+From: juyin
+Date: Sat, 2 Apr 2022 11:48:51 +0800
+Subject: [PATCH] chpasswd: add IS_CRYPT_METHOD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use macro IS_CRYPT_METHOD instead of ’strcmp(crypt_method, xx)==0’ to make the code more cleanup
+
+Reference: https://github.com/shadow-maint/shadow/commit/9cdb5251b6c30487a7d935a1a7827f493249479d
+Conflict: This patch is adapted to SM3.The pre-optimization of the get_salt function is not incorporated. Therefore, the modification related to the get_salt function is not incorporated in this patch.
+---
+ src/chpasswd.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/src/chpasswd.c b/src/chpasswd.c
+index 3b30c01..cc00180 100644
+--- a/src/chpasswd.c
++++ b/src/chpasswd.c
+@@ -52,6 +52,8 @@
+ /*@-exitarg@*/
+ #include "exitcodes.h"
+ 
++#define IS_CRYPT_METHOD(str) ((crypt_method != NULL && strcmp(crypt_method, str) == 0) ? true : false)
++
+ /*
+ * Global variables
+ */
+@@ -208,26 +210,26 @@ static void process_flags (int argc, char **argv)
+ sflg = true;
+ bad_s = 0;
+ #if defined(USE_SHA_CRYPT)
+- if ( ( ((0 == strcmp (crypt_method, "SHA256")) || (0 == strcmp (crypt_method, "SHA512")))
+- && (0 == getlong(optarg, &sha_rounds)))) {
++ if ((IS_CRYPT_METHOD("SHA256") || IS_CRYPT_METHOD("SHA512"))
++ && (0 == getlong(optarg, &sha_rounds))) {
+ bad_s = 1;
+ }
+ #endif /* USE_SHA_CRYPT */
+ #if defined(USE_BCRYPT)
+- if (( (0 == strcmp (crypt_method, "BCRYPT"))
+- && (0 == getlong(optarg, &bcrypt_rounds)))) {
++ if (IS_CRYPT_METHOD("BCRYPT")
++ && (0 == getlong(optarg, &bcrypt_rounds))) {
+ bad_s = 1;
+ }
+ #endif /* USE_BCRYPT */
+ #if defined(USE_YESCRYPT)
+- if (( (0 == strcmp (crypt_method, "YESCRYPT"))
+- && (0 == getlong(optarg, &yescrypt_cost)))) {
++ if (IS_CRYPT_METHOD("YESCRYPT")
++ && (0 == getlong(optarg, &yescrypt_cost))) {
+ bad_s = 1;
+ }
+ #endif /* USE_YESCRYPT */
+ #if defined(USE_SM3_CRYPT)
+- if (( (0 == strcmp (crypt_method, "SM3"))
+- && (0 == getlong(optarg, &sm3_rounds)))) {
++ if (IS_CRYPT_METHOD("SM3")
++ && (0 == getlong(optarg, &sm3_rounds))) {
+ bad_s = 1;
+ }
+ #endif /* USE_SM3_CRYPT */
+@@ -275,21 +277,21 @@ static void check_flags (void)
+ }
+ 
+ if (cflg) {
+- if ( (0 != strcmp (crypt_method, "DES"))
+- && (0 != strcmp (crypt_method, "MD5"))
+- && (0 != strcmp (crypt_method, "NONE"))
++ if ((!IS_CRYPT_METHOD("DES"))
++ &&(!IS_CRYPT_METHOD("MD5"))
++ &&(!IS_CRYPT_METHOD("NONE"))
+ #ifdef USE_SHA_CRYPT
+- && (0 != strcmp (crypt_method, "SHA256"))
+- && (0 != strcmp (crypt_method, "SHA512"))
++ &&(!IS_CRYPT_METHOD("SHA256"))
++ &&(!IS_CRYPT_METHOD("SHA512"))
+ #endif /* USE_SHA_CRYPT */
+ #ifdef USE_SM3_CRYPT
+- && (0 != strcmp (crypt_method, "SM3"))
++ &&(!IS_CRYPT_METHOD("SM3"))
+ #endif /* USE_SM3_CRYPT */
+ #ifdef USE_BCRYPT
+- && (0 != strcmp (crypt_method, "BCRYPT"))
++ &&(!IS_CRYPT_METHOD("BCRYPT"))
+ #endif /* USE_BCRYPT */
+ #ifdef USE_YESCRYPT
+- && (0 != strcmp (crypt_method, "YESCRYPT"))
++ &&(!IS_CRYPT_METHOD("YESCRYPT"))
+ #endif /* USE_YESCRYPT */
+ ) {
+ fprintf (stderr,
+--
+2.27.0
+
diff --git a/backport-newgrp-fix-potential-string-injection.patch b/backport-newgrp-fix-potential-string-injection.patch
new file mode 100644
index 0000000..05f95f3
--- /dev/null
+++ b/backport-newgrp-fix-potential-string-injection.patch
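Review bot: The new `IS_CRYPT_METHOD` macro (the `@@ -52` hunk) leaves its argument unparenthesized and wraps an expression that is already boolean in `? true : false`; `#define IS_CRYPT_METHOD(str) (crypt_method != NULL && strcmp(crypt_method, (str)) == 0)` is equivalent and safe for any argument expression, and since it reads a file-scope global it would be clearer still as `static bool is_crypt_method(const char *name)`. The NULL guard also changes what `-s` does in `process_flags` when `crypt_method` is still NULL (`-s` given before `-c`): the removed lines, as shown, called `strcmp` on it unguarded, whereas now every branch is false and `bad_s` stays 0, so the rounds value is accepted without validation on that path. That is the safer of the two, but it relies on `-s` without `-c` being rejected later; `check_flags` is only partly inside the hunk, so I cannot confirm it does. A one-line comment on the macro, `/* false, not a crash, when -c has not been seen yet */`, would record that intent.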
@@ -0,0 +1,60 @@
+From 9df4801e0b65073cc8a9031b22a73532ef7fdc2c Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Fri, 21 Jul 2023 14:55:19 +0200
+Subject: [PATCH] newgrp: fix potential string injection
+
+Since newgrp is setuid-root, any write() system calls it does in order
+to print error messages will be done as the root user.
+
+Unprivileged users can get newgrp to print essentially arbitrary strings
+to any open file in this way by passing those strings as argv[0] when
+calling execve(). For example:
+
+ $ setpid() { (exec -a $1$'\n:' newgrp '' 2>/proc/sys/kernel/ns_last_pid & wait) >/dev/null; }
+ $ setpid 31000
+ $ readlink /proc/self
+ 31001
+
+This is not a vulnerability in newgrp; it is a bug in the Linux kernel.
+
+However, this type of bug is not new [1] and it makes sense to try to
+mitigate these types of bugs in userspace where possible.
+
+[1]: https://lwn.net/Articles/476947/
+
+Signed-off-by: Vegard Nossum
+
+Reference: https://github.com/shadow-maint/shadow/commit/9df4801e0b65073cc8a9031b22a73532ef7fdc2c
+Conflict: NA
+---
+ src/newgrp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/newgrp.c b/src/newgrp.c
+index babb28e9..f786a96f 100644
+--- a/src/newgrp.c
++++ b/src/newgrp.c
+@@ -417,10 +417,17 @@ int main (int argc, char **argv)
+ * but we do not need to restore the previous process persona and we
+ * don't need to re-exec anything. -- JWP
+ */
+- Prog = Basename (argv[0]);
++
++ /*
++ * Ensure that "Prog" is always either "newgrp" or "sg" to avoid
++ * injecting arbitrary strings into our stderr/stdout, as this can
++ * be an exploit vector.
++ */
++ is_newgrp = (strcmp (Basename (argv[0]), "newgrp") == 0);
++ Prog = is_newgrp ? "newgrp" : "sg";
++
+ shadow_logfd = stderr;
+- is_newgrp = (strcmp (Prog, "newgrp") == 0);
+- OPENLOG (is_newgrp ? "newgrp" : "sg");
++ OPENLOG (Prog);
+ argc--;
+ argv++;
+
+--
+2.27.0
+
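Review bot: `Basename (argv[0])` in the new `is_newgrp` line still trusts that argv[0] exists, yet the whole point of the change is that argv[0] is attacker-controlled; an `execve()` with an empty argv gives `argc == 0` and `argv[0] == NULL` (older kernels pass that through unchanged, as far as I recall), and a setuid binary should not dereference it. `is_newgrp = (argc > 0 && argv[0] != NULL && strcmp (Basename (argv[0]), "newgrp") == 0);` keeps the fixed-string `Prog` while closing that path, unless `Basename` already tolerates NULL, which is not visible here. Worth stating in the new comment that any other invocation name, including hard links or wrappers, is now reported and logged as `sg`: `/* anything not literally "newgrp" is treated as sg, never echoed */`. `main` continues outside the hunk.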
diff --git a/backport-script-to-kill-subjects-processes-from-userdel.patch b/backport-script-to-kill-subjects-processes-from-userdel.patch
new file mode 100644
index 0000000..b40cf3d
--- /dev/null
+++ b/backport-script-to-kill-subjects-processes-from-userdel.patch
@@ -0,0 +1,54 @@
+From dcca8653a54b5a03b0234238dbc6388f6b59adc3 Mon Sep 17 00:00:00 2001
+From: ed neville
+Date: Fri, 17 Dec 2021 14:29:48 +0000
+Subject: [PATCH] script to kill subjects processes from userdel
+
+Closes #404
+Closes #317
+
+Signed-off-by: ed neville
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/dcca8653a54b5a03b0234238dbc6388f6b59adc3
+---
+ .../userdel-pre.d/01-kill_user_procs.sh | 28 +++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100755 etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+
+diff --git a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+new file mode 100755
+index 00000000..ca481b1b
+--- /dev/null
++++ b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+@@ -0,0 +1,28 @@
++#!/bin/sh
++
++PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++
++# Check user exists, and if so, send sigkill to processes that the user owns
++
++RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
++
++# if the user does not exist, RUNNING will be 0
++
++if [ "${RUNNING}x" = "0x" ]; then
++ exit 0
++fi
++
++ls -1 /proc | while IFS= read -r PROC; do
++ echo "$PROC" | grep -E '^[0-9]+$' >/dev/null
++ if [ $? -ne 0 ]; then
++ continue
++ fi
++ if [ -d "/proc/${PROC}" ]; then
++ USR=`stat -c "%U" /proc/${PROC}`
++ if [ "${USR}" = "${SUBJECT}" ]; then
++ echo "Killing ${SUBJECT} owned ${PROC}"
++ kill -9 "${PROC}"
++ fi
++ fi
++done
++
+--
+2.27.0
+
diff --git a/backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch b/backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch
new file mode 100644
index 0000000..10430da
--- /dev/null
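Review bot: The early exit in the new script hinges on `ps -eo user`, whose `user` column is width-limited in procps (longer names are cut and marked with a trailing `+`), so for a username longer than that width `grep -Fx "$SUBJECT"` never matches, `RUNNING` is 0, and the script exits before the /proc walk — precisely the users whose processes then survive `userdel`. Either widen the column (`ps -eo user:64`), compare numeric uids instead (`ps -eo uid` against `id -u "$SUBJECT"`), or drop the pre-check altogether, since the /proc loop already does the same work. Separately, a PID can be recycled between the `stat` and the `kill -9`, so there is a small window in which a fresh process of another user is killed; `pkill -KILL -u "$SUBJECT"` performs the ownership check in one step where it is available. As far as I know /proc/PID is owned by root for non-dumpable processes, so `stat -c %U` skips those even when they run as the user; worth a comment such as `# /proc/PID ownership follows dumpability; non-dumpable processes are not caught here`.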
+++ b/backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch
@@ -0,0 +1,56 @@
+From 7bced397c9fd66965753e5fc0fd3dfa535ca1c9b Mon Sep 17 00:00:00 2001
+From: xiongshenglan
+Date: Wed, 19 Jul 2023 15:13:06 +0800
+Subject: [PATCH] shadow userdel: add the adaptation to the busybox ps in
+ 01-kill_user_procs.sh
+
+In some embedded systems, users only use the ps
+provided by the busybox. But the ps provided by
+the busybox does not support the -eo option by
+default. As a result, an error is reported when
+the userdel is used. So add a judgment on ps.
+If there is no ps -eo, traverse the process directly.
+
+The error information is as follows:
+ # userdel xsl
+ps: invalid option -- 'e'
+
+Signed-off-by: xiongshenglan
+
+Reference: https://github.com/shadow-maint/shadow/commit/7bced397c9fd66965753e5fc0fd3dfa535ca1c9b
+Conflict: NA
+---
+ .../userdel-pre.d/01-kill_user_procs.sh | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+index ca481b1b..d2d7ef26 100755
+--- a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
++++ b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+@@ -4,14 +4,17 @@ PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ 
+ # Check user exists, and if so, send sigkill to processes that the user owns
+ 
+-RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
+-
+-# if the user does not exist, RUNNING will be 0
+-
+-if [ "${RUNNING}x" = "0x" ]; then
+- exit 0
++ps -eo user >/dev/null 2>&1
++if [ $? -eq 0 ]; then
++ RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
++ # if the user does not exist, RUNNING will be 0
++ if [ "${RUNNING}x" = "0x" ]; then
++ exit 0
++ fi
+ fi
+ 
++# If there is no ps -eo, traverse the process directly.
++
+ ls -1 /proc | while IFS= read -r PROC; do
+ echo "$PROC" | grep -E '^[0-9]+$' >/dev/null
+ if [ $? -ne 0 ]; then
+--
+2.27.0
+
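Review bot: `ps -eo user >/dev/null 2>&1` followed by `if [ $? -eq 0 ]` runs the probe as a separate statement only to test its status; the idiomatic form is `if ps -eo user >/dev/null 2>&1; then`, which also removes the chance of a later inserted command clobbering `$?`. The retained comment `# if the user does not exist, RUNNING will be 0` is inaccurate: `RUNNING` counts processes whose effective user matches, so it is also 0 for an existing user with nothing running — `# no process currently runs as $SUBJECT; nothing to kill` says what the test means. The fallback only triggers when `ps` rejects `-eo`; a `ps` that accepts it but prints the `user` column truncated or in another format still takes the early exit, so the new `# If there is no ps -eo` comment should make clear that the pre-check is an optimisation and the /proc walk is the authoritative path.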
diff --git a/shadow.spec b/shadow.spec
index d09cf9b..896d512 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.9
-Release: 12
+Release: 13
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -67,6 +67,11 @@ Patch47: backport-Check-if-crypt_method-null-before-dereferencing.patch
 Patch48: backport-usermod-fix-off-by-one-issues.patch
 Patch49: backport-gpasswd-1-Fix-password-leak.patch
 Patch50: backport-chgpasswd-fix-segfault-in-command-line-options.patch
+Patch51: backport-chpasswd-add-IS_CRYPT_METHOD.patch
+Patch52: backport-Fix-yescrypt-support.patch
+Patch53: backport-newgrp-fix-potential-string-injection.patch
+Patch54: backport-script-to-kill-subjects-processes-from-userdel.patch
+Patch55: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -233,6 +238,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_mandir}/*/*
 
 %changelog
+* Wed Sep 20 2023 wangyunjia - 2:4.9-13
+- backport some patches
+
 * Tue Aug 22 2023 wangyunjia - 2:4.9-12
 - backport patches from upstream
 