diff --git a/0001-Fix-errors-with-Werror-format-security.patch b/0001-Fix-errors-with-Werror-format-security.patch deleted file mode 100644 index eeb9efbffe85dbe766f1f3a8ded977bae90ef92e..0000000000000000000000000000000000000000 --- a/0001-Fix-errors-with-Werror-format-security.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 9317afc8bb7eec656444fc2eecfcd1ea3bfdda82 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Wed, 15 Mar 2017 12:43:03 -0400 -Subject: [PATCH] Fix errors with -Werror=format-security - -Recent versions of the Fedora build system treat format-security -warnings as errors, resulting in failure to build. This patch -ensures that appropriate format strings are present. - -Signed-off-by: Stephen Gallagher ---- - modules/files.c | 2 +- - modules/ldap.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/modules/files.c b/modules/files.c -index 4ef0a57be9f2aad99d82abfae5204009a93e5572..6a7787e28112ba07e0fc44f2887ce1d1540af29e 100644 ---- a/modules/files.c -+++ b/modules/files.c -@@ -532,11 +532,11 @@ parse_field(const struct format_specifier *format, GValue *value, - err = NULL; - ret = lu_value_init_set_attr_from_string(value, format->attribute, - string, &err); - if (ret == FALSE) { - g_assert(err != NULL); -- g_warning(lu_strerror(err)); -+ g_warning("%s", lu_strerror(err)); - lu_error_free(&err); - } - return ret; - } - -diff --git a/modules/ldap.c b/modules/ldap.c -index ad10f7394c5735f3180cbab5bc7314301fd83ffc..02e9eb6a0cf10595d730e3dc719f2e848a3491d4 100644 ---- a/modules/ldap.c -+++ b/modules/ldap.c -@@ -670,11 +670,11 @@ lu_ldap_lookup(struct lu_module *module, - error = NULL; - ok = lu_value_init_set_attr_from_string - (&value, attr, val, &error); - if (ok == FALSE) { - g_assert(error != NULL); -- g_warning(lu_strerror(error)); -+ g_warning("%s", lu_strerror(error)); - lu_error_free(&error); - } else { - lu_ent_add_current(ent, attr, - &value); - g_value_unset(&value); --- -2.12.0 - 
diff --git a/0009-Check-negative-return-of-PyList_Size.patch b/0009-Check-negative-return-of-PyList_Size.patch
deleted file mode 100644
index 6aff0e98c3d108a7d9cd3dd262349809c2cd0e83..0000000000000000000000000000000000000000
--- a/0009-Check-negative-return-of-PyList_Size.patch
+++ /dev/null
@@ -1,44 +0,0 @@ -From 11a7ff7eeefe763be9ade949e8f2a4a2d53f6129 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 24 Sep 2018 20:51:51 +0200 -Subject: [PATCH 09/12] Check negative return of PyList_Size - -Merges: -https://pagure.io/libuser/issue/28 - -In case of an error, PyList_Size can return a negative value. We should -check that case, also to avoid compiler warnings like: - -Error: COMPILER_WARNING: [#def41] [warning: defect not occurring in libuser-0.60-9.el7] -libuser-0.62/python/misc.c: scope_hint: In function 'libuser_admin_prompt' -libuser-0.62/python/misc.c:160:12: warning: argument 1 range [9223372036854775808, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=] -/usr/include/glib-2.0/glib/glist.h:32: included_from: Included from here. -/usr/include/glib-2.0/glib/ghash.h:33: included_from: Included from here. -/usr/include/glib-2.0/glib.h:50: included_from: Included from here. -libuser-0.62/python/misc.c:25: included_from: Included from here. -/usr/include/glib-2.0/glib/gmem.h:96:10: note: in a call to allocation function 'g_malloc0_n' declared here ---- - python/misc.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/python/misc.c b/python/misc.c -index c4ce819..fcb0ccf 100644 ---- a/python/misc.c -+++ b/python/misc.c -@@ -137,7 +137,12 @@ libuser_admin_prompt(struct libuser_admin *self, PyObject * args, - return NULL; - } - count = PyList_Size(list); -- if (count > INT_MAX) { -+ if (count < 0) { -+ PyErr_SetString(PyExc_TypeError, -+ "prompt_list has no size; probably not a list"); -+ DEBUG_EXIT; -+ return NULL; -+ } else if (count > INT_MAX) { - PyErr_SetString(PyExc_ValueError, "too many prompts"); - DEBUG_EXIT; - return NULL; --- -1.8.3.1 - diff --git a/0010-files.c-Init-char-name-to-NULL.patch b/0010-files.c-Init-char-name-to-NULL.patch deleted file mode 100644 index a06cff6fd35194ccabb395639943ab8201ed625b..0000000000000000000000000000000000000000 
--- a/0010-files.c-Init-char-name-to-NULL.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 7acf0fad0ca468f33f86084f36251df5baf3dc94 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 26 Sep 2018 21:01:59 +0200 -Subject: [PATCH 10/12] files.c: Init char *name to NULL - -Merges: -https://pagure.io/libuser/issue/27 - -This is mostly to silence coverity warnings. "enum lu_entity_type" has -three values and several places in the code follow logic as: - -char *name; -if ent->type == user: - name = foo() -if ent->type == group - name = bar() -g_assert(name != NULL) - -it shouldn't be possible for ent->type to be anything else but in the -odd case it is, initializing name to NULL will ensure that name will be -still NULL after the code falls through the conditions and at least the -behaviour is defined. ---- - modules/files.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/modules/files.c b/modules/files.c -index 6a7787e..8c2a282 100644 ---- a/modules/files.c -+++ b/modules/files.c -@@ -1501,7 +1501,7 @@ generic_lock(struct lu_module *module, const char *file_suffix, int field, - struct lu_ent *ent, enum lock_op op, struct lu_error **error) - { - struct editing *e; -- char *value, *new_value, *name; -+ char *value, *new_value, *name = NULL; - gboolean commit = FALSE, ret = FALSE; - - /* Get the name which keys the entries of interest in the file. */ -@@ -1561,7 +1561,7 @@ generic_is_locked(struct lu_module *module, const char *file_suffix, - int field, struct lu_ent *ent, struct lu_error **error) - { - char *filename; -- char *value, *name; -+ char *value, *name = NULL; - int fd; - gboolean ret = FALSE; - -@@ -1752,7 +1752,7 @@ generic_setpass(struct lu_module *module, const char *file_suffix, int field, - struct lu_error **error) - { - struct editing *e; -- char *value, *name; -+ char *value, *name = NULL; - gboolean ret = FALSE; - - /* Get the name of this account. */ --- -1.8.3.1 - 
diff --git a/0011-merge_ent_array_duplicates-Only-use-values-if-valid.patch b/0011-merge_ent_array_duplicates-Only-use-values-if-valid.patch deleted file mode 100644 index 9b0a46e3bdfa15ed5386bf9db846b5f0a91e396e..0000000000000000000000000000000000000000 --- a/0011-merge_ent_array_duplicates-Only-use-values-if-valid.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 8da7fc83aa3e9fd868c6a8da9261b72dae7d29e7 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 26 Sep 2018 21:38:02 +0200 -Subject: [PATCH 11/12] merge_ent_array_duplicates: Only use values if valid - -Merges: -https://pagure.io/libuser/issue/22 - -Don't attempt to dereference a NULL pointer ---- - lib/user.c | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - -diff --git a/lib/user.c b/lib/user.c -index ad2bb09..2500565 100644 ---- a/lib/user.c -+++ b/lib/user.c -@@ -691,10 +691,13 @@ merge_ent_array_duplicates(GPtrArray *array) - while (attributes != NULL) { - attr = (const char *)attributes->data; - values = lu_ent_get_current(current, attr); -- for (j = 0; j < values->n_values; j++) { -- value = g_value_array_get_nth(values, -- j); -- lu_ent_add_current(saved, attr, value); -+ if (values != NULL) { -+ for (j = 0; j < values->n_values; j++) { -+ value = g_value_array_get_nth( -+ values, -+ j); -+ lu_ent_add_current(saved, attr, value); -+ } - } - attributes = g_list_next(attributes); - } -@@ -705,10 +708,13 @@ merge_ent_array_duplicates(GPtrArray *array) - while (attributes != NULL) { - attr = (const char *)attributes->data; - values = lu_ent_get(current, attr); -- for (j = 0; j < values->n_values; j++) { -- value = g_value_array_get_nth(values, -- j); -- lu_ent_add(saved, attr, value); -+ if (values != NULL) { -+ for (j = 0; j < values->n_values; j++) { -+ value = g_value_array_get_nth( -+ values, -+ j); -+ lu_ent_add(saved, attr, value); -+ } - } - attributes = g_list_next(attributes); - } --- -1.8.3.1 - 
diff --git a/0012-editing_open-close-fd-after-we-ve-established-its-va.patch b/0012-editing_open-close-fd-after-we-ve-established-its-va.patch deleted file mode 100644 index 5a7f29c186f28f1441cdd6eccb2dfae69ce71d95..0000000000000000000000000000000000000000 --- a/0012-editing_open-close-fd-after-we-ve-established-its-va.patch +++ /dev/null @@ -1,33 +0,0 @@ -From e5536845298b6672a16e5866a823fcf6562c6cf3 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 26 Sep 2018 21:15:38 +0200 -Subject: [PATCH 12/12] editing_open: close fd after we've established its - validity - -Merges: -https://pagure.io/libuser/issue/26 - -The code used to first close(fd) and only then check if it's != -1. -Reverse the logic so that the fd is only closed if valid. ---- - modules/files.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/files.c b/modules/files.c -index 8c2a282..b8bf8a6 100644 ---- a/modules/files.c -+++ b/modules/files.c -@@ -387,9 +387,9 @@ editing_open(struct lu_module *module, const char *file_suffix, - backup_name = g_strconcat(e->filename, "-", NULL); - fd = open_and_copy_file(e->filename, backup_name, FALSE, error); - g_free (backup_name); -- close(fd); - if (fd == -1) - goto err_fscreate; -+ close(fd); - - e->new_filename = g_strconcat(e->filename, "+", NULL); - e->new_fd = open_and_copy_file(e->filename, e->new_filename, TRUE, --- -1.8.3.1 - diff --git a/fix-ldap-test-because-openldap-was-upgraded.patch b/fix-ldap-test-because-openldap-was-upgraded.patch new file mode 100644 index 0000000000000000000000000000000000000000..22bff4e791a97d2c5b91a60cb0ebc238b0dceee8 --- /dev/null +++ b/fix-ldap-test-because-openldap-was-upgraded.patch 
@@ -0,0 +1,67 @@ +From 85bcf0efc3d3e6453f6e50da877dc7eb1a4d1ae1 Mon Sep 17 00:00:00 2001 +From: panxiaohe +Date: Mon, 10 Jan 2022 13:17:22 +0800 +Subject: [PATCH] fix ldap test because openldap was upgraded to 2.6.0 + +The new version of openldap has removed deprecated -h and -p options +to client tools. And it has deleted back-bdb, so this patch uses mdb. +--- + tests/default_pw_test | 6 ++++-- + tests/ldap_test | 3 ++- + tests/slapd.conf.in | 2 +- + 3 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tests/default_pw_test b/tests/default_pw_test +index 733c85c..932dcb2 100755 +--- a/tests/default_pw_test ++++ b/tests/default_pw_test +@@ -69,7 +69,8 @@ get_file_password() # file under $workdir/files, entry name + get_ldap_password() # entry filter + { + echo "Checking $1 ..." >&2 +- ldapsearch -LLL -h 127.0.0.1 -p "$ldap_port" -x -b 'dc=libuser' "$1" \ ++ URI="ldap://127.0.0.1:$ldap_port/" ++ ldapsearch -LLL -H "$URI" -x -b 'dc=libuser' "$1" \ + userPassword | sed -n 's/userPassword:: //p' + } + +@@ -103,7 +104,8 @@ for modules in \ + tests/wait_for_slapd_start "$workdir"/slapd.pid "$ldap_port" + slapd_pid=$(cat "$workdir"/slapd.pid) + trap 'status=$?; kill $slapd_pid; rm -rf "$workdir"; exit $status' 0 +- ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \ ++ URI="ldap://127.0.0.1:$ldap_port/" ++ ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \ + -D cn=Manager,dc=libuser -w password + ;; + esac +diff --git a/tests/ldap_test b/tests/ldap_test +index 54609b1..de9308c 100755 +--- a/tests/ldap_test ++++ b/tests/ldap_test +@@ -56,7 +56,8 @@ slapd_pid=$(cat "$workdir"/slapd.pid) + trap 'status=$?; kill $slapd_pid + tests/wait_for_slapd_exit "$workdir"/slapd.pid "$ldap_port" + rm -rf "$workdir"; exit $status' 0 +-ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \ ++URI="ldap://127.0.0.1:$ldap_port/" ++ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \ + -D cn=Manager,dc=libuser -w password + + +diff --git 
a/tests/slapd.conf.in b/tests/slapd.conf.in +index 06ef10d..8e49a36 100644 +--- a/tests/slapd.conf.in ++++ b/tests/slapd.conf.in +@@ -10,7 +10,7 @@ pidfile @WORKDIR@/slapd.pid + TLSCertificateFile @WORKDIR@/key.pem + TLSCertificateKeyFile @WORKDIR@/key.pem + +-database bdb ++database mdb + suffix "dc=libuser" + rootdn "cn=Manager,dc=libuser" + rootpw {SSHA}ABgelmLFZQ/OJzVEp3OM5MzWQ9rt3b4F +-- +1.8.3.1 + diff --git a/libuser-0.62.tar.xz b/libuser-0.62.tar.xz deleted file mode 100644 index 5ae0da689f562e9fc677196079d2e2349eac0b8f..0000000000000000000000000000000000000000 Binary files a/libuser-0.62.tar.xz and /dev/null differ diff --git a/libuser-0.63-PR49_add_yescrypt.patch b/libuser-0.63-PR49_add_yescrypt.patch new file mode 100644 index 0000000000000000000000000000000000000000..18a767d98acc496b5860161bd3ddf3a4a07bf8a7 --- /dev/null +++ b/libuser-0.63-PR49_add_yescrypt.patch 
@@ -0,0 +1,260 @@ +From 3b8a2aa52bcee6e03f047840251ae42ab971a8a0 Mon Sep 17 00:00:00 2001 +From: Björn Esser +Date: Jun 07 2021 20:25:41 +0000 +Subject: [PATCH 1/5] lib/util.c: bcrypt should use $2b$ as prefix for setting. + + +This prefix is the recommended one for new bcrypt hashes +for a long time. + +Signed-off-by: Björn Esser + +--- + +diff --git a/lib/util.c b/lib/util.c +index 1b03f7d..e549a35 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -124,7 +124,7 @@ static const struct { + } salt_type_info[] = { + {"$1$", "$", 8, FALSE }, + /* FIXME: number of rounds, base64 of 128 bits */ +- {"$2a$", "$", 8, FALSE }, ++ {"$2b$", "$", 8, FALSE }, + {"$5$", "$", 16, TRUE }, + {"$6$", "$", 16, TRUE }, + { "", "", 2 }, +@@ -231,7 +231,7 @@ lu_util_default_salt_specifier(struct lu_context *context) + } salt_types[] = { + { "des", "", FALSE }, + { "md5", "$1$", FALSE }, +- { "blowfish", "$2a$", FALSE }, ++ { "blowfish", "$2b$", FALSE }, + { "sha256", "$5$", TRUE }, + { "sha512", "$6$", TRUE }, + }; + +From 9dcc69425677cf510ec6da5ababfdd295f875c1a Mon Sep 17 00:00:00 2001 +From: Björn Esser +Date: Jun 17 2021 15:34:02 +0000 +Subject: [PATCH 2/5] lib/util.c: Use crypt_gensalt(), if available in libcrypt. + + +Most Linux distributions, including Fedora and RHEL 8, are shipping +with libxcrypt >= 4.0. + +Since that version of libxcrypt the provided family of crypt_gensalt() +functions are able to use automatic entropy drawn from secure system +ressources, like arc4random(), getentropy() or getrandom(). + +Anyways, the settings generated by crypt_gensalt() are always +guaranteed to works with the crypt() function. + +Using crypt_gesalt() is also needed to make proper use of newer +hashing methods, like yescrypt, provided by libxcrypt. 
+ +Signed-off-by: Björn Esser + +--- + +diff --git a/lib/util.c b/lib/util.c +index e549a35..b6db2af 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -43,6 +43,13 @@ + #define HASH_ROUNDS_MIN 1000 + #define HASH_ROUNDS_MAX 999999999 + ++#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \ ++ CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) ++#define USE_XCRYPT_GENSALT 1 ++#else ++#define USE_XCRYPT_GENSALT 0 ++#endif ++ + struct lu_lock { + int fd; + struct flock lock; +@@ -66,6 +73,7 @@ lu_strcmp(gconstpointer v1, gconstpointer v2) + return strcmp((char *) v1, (char *) v2); + } + ++#if !USE_XCRYPT_GENSALT + /* A list of allowed salt characters, according to SUSv2. */ + #define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ + "abcdefghijklmnopqrstuvwxyz" \ +@@ -115,6 +123,7 @@ fill_urandom(char *output, size_t length) + close(fd); + return TRUE; + } ++#endif + + static const struct { + const char initial[5]; +@@ -135,6 +144,9 @@ lu_make_crypted(const char *plain, const char *previous) + { + char salt[2048]; + size_t i, len = 0; ++#if USE_XCRYPT_GENSALT ++ unsigned long rounds = 0; ++#endif + + if (previous == NULL) { + previous = LU_DEFAULT_SALT_TYPE; +@@ -151,6 +163,23 @@ lu_make_crypted(const char *plain, const char *previous) + + if (salt_type_info[i].sha_rounds != FALSE + && strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) { ++#if USE_XCRYPT_GENSALT ++ const char *start; ++ char *end; ++ ++ start = previous + len + strlen("rounds="); ++ rounds = strtoul (start, &end, 10); ++ ++ if (rounds < HASH_ROUNDS_MIN) ++ rounds = HASH_ROUNDS_MIN; ++ else if (rounds > HASH_ROUNDS_MAX) ++ rounds = HASH_ROUNDS_MAX; ++ } ++ ++ g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt)); ++ ++ crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt)); ++#else + const char *start, *end; + + start = previous + len + strlen("rounds="); +@@ -168,6 +197,7 @@ lu_make_crypted(const char *plain, const char *previous) + return NULL; + strcpy(salt + len + salt_type_info[i].salt_length, + 
salt_type_info[i].separator); ++#endif + + return crypt(plain, salt); + } +@@ -251,13 +281,18 @@ lu_util_default_salt_specifier(struct lu_context *context) + + found: + if (salt_types[i].sha_rounds != FALSE) { +- unsigned long rounds; ++ unsigned long rounds = 0; + + rounds = select_hash_rounds(context); ++#if USE_XCRYPT_GENSALT ++ return g_strdup(crypt_gensalt(salt_types[i].initializer, ++ rounds, NULL, 0)); ++#else + if (rounds != 0) + return g_strdup_printf("%srounds=%lu$", + salt_types[i].initializer, + rounds); ++#endif + } + return g_strdup(salt_types[i].initializer); + } + +From 2d40503977df3855f1415db995833ae4231e7944 Mon Sep 17 00:00:00 2001 +From: Björn Esser +Date: Jun 17 2021 15:34:02 +0000 +Subject: [PATCH 3/5] lib/util.c: Add yescrypt hashing method for user passwords. + + +The yescrypt hashing method is considered to be much stronger than +sha512crypt and fully supported by libxcrypt >= 4.3. It is based +on NIST-approved primitives and on par with argon2 in strength. + +Signed-off-by: Björn Esser + +--- + +diff --git a/lib/util.c b/lib/util.c +index b6db2af..bba9420 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -50,6 +50,14 @@ + #define USE_XCRYPT_GENSALT 0 + #endif + ++#if ((defined XCRYPT_VERSION_NUM && \ ++ XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \ ++ USE_XCRYPT_GENSALT) ++#define HAVE_YESCRYPT 1 ++#else ++#define HAVE_YESCRYPT 0 ++#endif ++ + struct lu_lock { + int fd; + struct flock lock; +@@ -136,6 +144,9 @@ static const struct { + {"$2b$", "$", 8, FALSE }, + {"$5$", "$", 16, TRUE }, + {"$6$", "$", 16, TRUE }, ++#if HAVE_YESCRYPT ++ {"$y$", "$", 24, FALSE }, ++#endif + { "", "", 2 }, + }; + +@@ -264,6 +275,9 @@ lu_util_default_salt_specifier(struct lu_context *context) + { "blowfish", "$2b$", FALSE }, + { "sha256", "$5$", TRUE }, + { "sha512", "$6$", TRUE }, ++#if HAVE_YESCRYPT ++ { "yescrypt", "$y$", FALSE }, ++#endif + }; + + const char *salt_type; + +From 71ef71fe1878a321612e1995cb5c59dcb501ff01 Mon Sep 17 00:00:00 2001 +From: Björn Esser 
+Date: Jun 17 2021 15:34:02 +0000 +Subject: [PATCH 4/5] docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style. + + +Signed-off-by: Björn Esser + +--- + +diff --git a/docs/libuser.conf.5.in b/docs/libuser.conf.5.in +index 2af0828..bd1daa7 100644 +--- a/docs/libuser.conf.5.in ++++ b/docs/libuser.conf.5.in +@@ -69,8 +69,8 @@ The current algorithm may be retained + when changing a password of an existing user, depending on the application. + + Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR, +-.B sha256 +-and \fBsha512\fR, all case-insensitive. ++.B sha256, ++\fBsha512\fR, and \fByescrypt\fR, all case-insensitive. + Unrecognized values are treated as \fBdes\fR. + Default value is \fBdes\fR. + + +From 284b3195393688105b112b905069e0225c3046d2 Mon Sep 17 00:00:00 2001 +From: Björn Esser +Date: Jun 17 2021 15:34:02 +0000 +Subject: [PATCH 5/5] libuser.conf: Use yescrypt as default value for crypt_style. + + +Signed-off-by: Björn Esser + +--- + +diff --git a/libuser.conf b/libuser.conf +index 8ff5b2e..cd25eb2 100644 +--- a/libuser.conf ++++ b/libuser.conf +@@ -17,7 +17,7 @@ default_useradd = /etc/default/useradd + # skeleton = /etc/skel + # mailspooldir = /var/mail + +-crypt_style = sha512 ++crypt_style = yescrypt + modules = files shadow + create_modules = files shadow + # modules = files shadow ldap + diff --git a/libuser-0.63-downstream_test_xcrypt.patch b/libuser-0.63-downstream_test_xcrypt.patch new file mode 100644 index 0000000000000000000000000000000000000000..8375740b784bcbea06704cd4006319e27e7f5b34 --- /dev/null +++ b/libuser-0.63-downstream_test_xcrypt.patch 
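Review bot: In patch 2/5 the `USE_XCRYPT_GENSALT` branch of `lu_make_crypted` discards the return value of `crypt_gensalt_rn()`, so if libcrypt rejects the prefix or round count taken from `previous`, `crypt(plain, salt)` is still called on whatever `salt` holds at that point. The non-xcrypt branch already shows a `return NULL;` failure path, so the new call should follow it: `if (crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt)) == NULL) return NULL;`. The same gap exists in `lu_util_default_salt_specifier`, where `g_strdup(crypt_gensalt(...))` silently turns a failure into a NULL specifier; whether its callers cope with NULL is not visible here. Both function bodies start and end outside the hunks shown.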
@@ -0,0 +1,27 @@
+diff --git a/tests/pwhash_test b/tests/pwhash_test
+index ff89d60..525885e 100755
+--- a/tests/pwhash_test
++++ b/tests/pwhash_test
+@@ -77,6 +77,22 @@ if [ "x${pw#\$6\$}" = "x$pw" ]; then
+ exit 1
+ fi
+
++cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
++echo 'crypt_style = blowfish' >> "$LIBUSER_CONF"
++pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
++if [ "x${pw#\$2b\$}" = "x$pw" ]; then
++ echo "Invalid BLOWFISH hash" >&2
++ exit 1
++fi
++
++cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
++echo 'crypt_style = yescrypt' >> "$LIBUSER_CONF"
++pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
++if [ "x${pw#\$y\$}" = "x$pw" ]; then
++ echo "Invalid YESCRYPT hash" >&2
++ exit 1
++fi
++
+ cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
+ cat >> "$LIBUSER_CONF" <<\EOF
+ crypt_style = sha256
diff --git a/libuser-0.63.tar.xz b/libuser-0.63.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..c54e7b039ea544bb2d60ddc795ab0d00f504a600
Binary files /dev/null and b/libuser-0.63.tar.xz differ
diff --git a/libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch b/libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch
deleted file mode 100644
index e5602a9ff22c1f07aaf58ce9505ec02fd941a58a..0000000000000000000000000000000000000000
--- a/libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From 29d9996dd200916db888d41196f87609bce329ff Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Apr 07 2020 11:55:38 +0000 -Subject: Do not use deprecated flask.h and av_permissions.h - - -selinux/flask.h and selinux/av_permissions.h will be completely dropped in the -next SELinux release. - -Use string_to_security_class() and string_to_av_perm() to get class and -permission values. The original hardcoded values could be invalid and are -deprecated as the whole flask.h and av_permissions.h header files. - -Fixes: https://pagure.io/libuser/issue/44 - ---- - -diff --git a/apps/apputil.c b/apps/apputil.c -index 1937645..7413ab5 100644 ---- a/apps/apputil.c -+++ b/apps/apputil.c -@@ -26,8 +26,6 @@ - #include - #ifdef WITH_SELINUX - #include --#include --#include - #include - #endif - #include "../lib/error.h" -@@ -57,7 +55,7 @@ check_access(const char *chuser, access_vector_t access) - - retval = security_compute_av(user_context, - user_context, -- SECCLASS_PASSWD, -+ string_to_security_class("passwd"), - access, &avd); - - if (retval == 0 && (avd.allowed & access) == access) -@@ -221,19 +219,25 @@ lu_authenticate_unprivileged(struct lu_context *ctx, const char *user, - #ifdef WITH_SELINUX - if (is_selinux_enabled() > 0) { - /* FIXME: PASSWD_CHSH, PASSWD_PASSWD ? */ -- if (getuid() == 0 && check_access(user, PASSWD__CHFN) != 0) { -- security_context_t user_context; -+ if (getuid() == 0) { -+ security_class_t class; -+ access_vector_t perm; -+ class = string_to_security_class("passwd"); -+ perm = string_to_av_perm(class, "chfn"); -+ if (check_access(user, perm) != 0) { -+ security_context_t user_context; - -- if (getprevcon(&user_context) < 0) -- user_context = NULL; -- /* FIXME: "change the finger info?" */ -- fprintf(stderr, -- _("%s is not authorized to change the finger " -- "info of %s\n"), user_context ? 
user_context -- : _("Unknown user context"), user); -- if (user_context != NULL) -- freecon(user_context); -- goto err; -+ if (getprevcon(&user_context) < 0) -+ user_context = NULL; -+ /* FIXME: "change the finger info?" */ -+ fprintf(stderr, -+ _("%s is not authorized to change the finger " -+ "info of %s\n"), user_context ? user_context -+ : _("Unknown user context"), user); -+ if (user_context != NULL) -+ freecon(user_context); -+ goto err; -+ } - } - /* FIXME: is this right for lpasswd? */ - if (!lu_util_fscreate_from_file("/etc/passwd", NULL)) { - diff --git a/libuser.spec b/libuser.spec index 5d8424d922b8461aa3874cc1af1f0b8783e5b863..927a1f5a581972928629efc524c985b8e16515c5 100644 --- a/libuser.spec +++ b/libuser.spec 
@@ -1,22 +1,19 @@ Name: libuser -Version: 0.62 -Release: 23 +Version: 0.63 +Release: 1 Summary: A user and group account administration library License: LGPLv2+ URL: https://pagure.io/libuser Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.xz -# Patch0 : this patch is from fedora. -Patch0: 0001-Fix-errors-with-Werror-format-security.patch -Patch1: 0009-Check-negative-return-of-PyList_Size.patch -Patch2: 0010-files.c-Init-char-name-to-NULL.patch -Patch3: 0011-merge_ent_array_duplicates-Only-use-values-if-valid.patch -Patch4: 0012-editing_open-close-fd-after-we-ve-established-its-va.patch -Patch5: libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch +Patch0: libuser-0.63-PR49_add_yescrypt.patch +Patch1: libuser-0.63-downstream_test_xcrypt.patch +Patch2: fix-ldap-test-because-openldap-was-upgraded.patch BuildRequires: cyrus-sasl-devel, nscd, linuxdoc-tools, pam-devel, popt-devel, gcc BuildRequires: libselinux-devel, openldap-devel, python3-devel, glib2-devel -BuildRequires: fakeroot, openldap-clients, openldap-servers, openssl +BuildRequires: openldap-clients, openldap-servers, openssl +BuildRequires: bison, make, libtool, gettext-devel, gtk-doc, audit-libs-devel %description The libuser library implements a standardized interface for manipulating @@ -50,15 +47,10 @@ Requires: man, info Man pages and other related documents for %{name} %prep -%setup -qn libuser-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%autosetup -n libuser-%{version} -p1 %build +./autogen.sh %configure --with-ldap --with-selinux --with-html-dir=%{_prefix}/share/gtk-doc/html \ PYTHON=%{_bindir}/python3 make 
@@ -69,16 +61,12 @@ make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' || : %find_lang %{name} %check +%make_build check || { cat test-suite.log; false; } -#make -C python2 check || { cat python2/test-suite.log; false; } -#LC_ALL=C.UTF-8 make -C python3 check \ -# || { cat python3/test-suite.log; false; } -#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_prefix}/%{_lib}:${LD_LIBRARY_PATH} -#export LD_LIBRARY_PATH -#cd $RPM_BUILD_ROOT/%{python2_sitearch} -#python2 -c "import libuser" -#cd $RPM_BUILD_ROOT/%{python3_sitearch} -#LC_ALL=C.UTF-8 python3 -c "import libuser" +LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_prefix}/%{_lib}:${LD_LIBRARY_PATH} +export LD_LIBRARY_PATH +cd $RPM_BUILD_ROOT/%{python3_sitearch} +python3 -c "import libuser" %post /sbin/ldconfig @@ -108,13 +96,15 @@ make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' || : %{_exec_prefix}/%{_lib}/*.so %{_exec_prefix}/%{_lib}/pkgconfig/* %{_includedir}/libuser -%{_prefix}/share/gtk-doc/html/* %files help %{_mandir}/man1/* %{_mandir}/man5/* %changelog +* Tue Dec 28 2021 fuanan - 0.63-1 +- update version to 0.63 + * Tue Jul 20 2021 fuanan - 0.62-23 - Remove redundant gdb from BuildRequires
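Review bot: The new `%changelog` entry says only `update version to 0.63`, but Patch0 also switches the shipped `crypt_style` default in libuser.conf from sha512 to yescrypt, which changes the hash format written for new passwords. The entry should record that, for example `- change default crypt_style to yescrypt (Patch0)`, because `$y$` hashes can only be verified by a libcrypt that supports yescrypt. Patch0 registers `yescrypt` only under `#if HAVE_YESCRYPT`, and its man page text says unrecognized values are treated as des, so a build against an older libcrypt would presumably fall back to DES. The prefix check added by Patch1 catches that only while `%check` is run, so a versioned BuildRequires on the libxcrypt development package would make the requirement explicit.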