From 9717121c15f56e687902e8c00068a9c4596379d4 Mon Sep 17 00:00:00 2001 From: zhangzikang1992 Date: Fri, 6 Sep 2024 11:24:34 +0800 Subject: [PATCH 1/7] libsubid: Dealocate memory on exit (cherry picked from commit e6e10e3d84c90c7cac37b34dcd847e38c262690a) --- ...ow-libsubid-Dealocate-memory-on-exit.patch | 23 +++++++++++++++++++ shadow.spec | 6 ++++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 shadow-libsubid-Dealocate-memory-on-exit.patch diff --git a/shadow-libsubid-Dealocate-memory-on-exit.patch b/shadow-libsubid-Dealocate-memory-on-exit.patch new file mode 100644 index 0000000..587db45 --- /dev/null +++ b/shadow-libsubid-Dealocate-memory-on-exit.patch @@ -0,0 +1,23 @@ +From 18f113cc4609e00c4f95072dbe954174f2c29be1 Mon Sep 17 00:00:00 2001 +From: Daniel Bershatsky +Date: Wed, 12 Jun 2024 19:26:45 +0300 +Subject: [PATCH] libsubid: Dealocate memory on exit + +--- + src/getsubids.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/getsubids.c b/src/getsubids.c +index fb645b19..0753abd7 100644 +--- a/src/getsubids.c ++++ b/src/getsubids.c +@@ -45,5 +45,6 @@ int main(int argc, char *argv[]) + printf("%d: %s %lu %lu\n", i, owner, + ranges[i].start, ranges[i].count); + } ++ free(ranges); + return 0; + } +-- +2.27.0 + diff --git a/shadow.spec b/shadow.spec index 6552942..8659663 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 1 +Release: 2 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -19,6 +19,7 @@ Source7: newusers Patch0: usermod-unlock.patch Patch1: shadow-add-sm3-crypt-support.patch Patch2: shadow-Remove-encrypted-passwd-for-useradd-gr.patch +Patch3: shadow-libsubid-Dealocate-memory-on-exit.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel 
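Review bot: `free(ranges)` is added only on the success path right before `return 0;`, and the nested hunk shows neither how `ranges` is allocated nor whether main()'s earlier exits (outside the hunk) release it. Freeing with plain `free()` is only correct if libsubid hands out a malloc'ed flat array with no nested allocations; if the library exposes its own release helper for that array, that would be the safer call, and either way the ownership assumption deserves a line such as `/* ranges is malloc'ed by libsubid; the caller owns and frees it */` above the free. main() starts before this hunk.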
@@ -188,6 +189,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Fri Sep 6 2024 zhangzikang - 2:4.14.3-2 +- libsubid: Dealocate memory on exit + * Thu Feb 1 2024 zhengxiaoxiao - 2:4.14.3-1 - update version to 4.14.3 -Avoid null pointer dereference -- Gitee From b9b4ed8e88877b68bdb19451064bceb6c5a390a6 Mon Sep 17 00:00:00 2001 From: zhangxingrong Date: Tue, 8 Oct 2024 17:51:49 +0800 Subject: [PATCH 2/7] add soma patchs from upstream (cherry picked from commit 037109f63c283a57e8afb41ae69a135dbbbcd328) --- ...ing.c--Use-long-constants-in-prctl-2.patch | 37 +++++++++++++++++++ ...log-remove-wrong-use-of-keyword-term.patch | 30 +++++++++++++++ shadow.spec | 8 +++- 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch create mode 100644 backport-man-lastlog-remove-wrong-use-of-keyword-term.patch diff --git a/backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch b/backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch new file mode 100644 index 0000000..2950a89 --- /dev/null +++ b/backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch 
@@ -0,0 +1,37 @@ +From 80efeebaf296dc4814e15d67977726b3ee93c048 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar +Date: Fri, 31 May 2024 18:30:16 +0200 +Subject: [PATCH] lib/idmapping.c: Use long constants in prctl(2), and remove + 0s + +The prctl(2) system-call wrapper is implemented as a variadic function. +This makes it important to pass arguments to it of the right type (and +more importantly of the right width), to avoid undefined behavior. + +While at it, check errors with ==-1, not <0, which is more explicit. + +Also, PR_SET_KEEPCAPS(2const) doesn't need all arguments, so it can be +called with just two of them; remove unnecessary 0s. + +See-also: prctl(2), PR_SET_KEEPCAPS(2const) +Link: +Cc: Xi Ruoyao +Cc: Lukas Slebodnik +Signed-off-by: Alejandro Colomar +--- + lib/idmapping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/idmapping.c b/lib/idmapping.c +index fe3ccdfe3..5cbb6fefc 100644 +--- a/lib/idmapping.c ++++ b/lib/idmapping.c +@@ -159,7 +159,7 @@ void write_mapping(int proc_dir_fd, int ranges, const struct map_range *mappings + + /* Align setuid- and fscaps-based new{g,u}idmap behavior. */ + if (geteuid() == 0 && geteuid() != ruid) { +- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { ++ if (prctl(PR_SET_KEEPCAPS, 1L) == -1) { + fprintf(log_get_logfd(), _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), log_get_progname()); + exit(EXIT_FAILURE); + } diff --git a/backport-man-lastlog-remove-wrong-use-of-keyword-term.patch b/backport-man-lastlog-remove-wrong-use-of-keyword-term.patch new file mode 100644 index 0000000..275dd22 --- /dev/null +++ b/backport-man-lastlog-remove-wrong-use-of-keyword-term.patch 
@@ -0,0 +1,30 @@ +From 9f57beb31ade241aeda412a8ada4912bab83bd40 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Wed, 5 Jun 2024 08:02:27 -0500 +Subject: [PATCH] man/lastlog: remove wrong use of keyword term + +Per https://tdg.docbook.org/tdg/4.5/term, term is a word being +defined in a varlistentry. The 'high uid' description is not a +varlistentry, so and show up in the processed +manpage. See debian Bug#1072297. + +Signed-off-by: Serge Hallyn +--- + man/lastlog.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/lastlog.8.xml b/man/lastlog.8.xml +index 7a4ba967f..6700791c1 100644 +--- a/man/lastlog.8.xml ++++ b/man/lastlog.8.xml +@@ -211,8 +211,8 @@ + to hang as it processes entries with UIDs 171-799). + + +- Having high UIDs can create problems when handling the +- /var/log/lastlog with external tools. Although the ++ Having high UIDs can create problems when handling the ++ /var/log/lastlog with external tools. Although the + actual file is sparse and does not use too much space, certain + applications are not designed to identify sparse files by default and may + require a specific option to handle them. diff --git a/shadow.spec b/shadow.spec index 8659663..bd9a0d4 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 2 +Release: 3 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -20,6 +20,8 @@ Patch0: usermod-unlock.patch Patch1: shadow-add-sm3-crypt-support.patch Patch2: shadow-Remove-encrypted-passwd-for-useradd-gr.patch Patch3: shadow-libsubid-Dealocate-memory-on-exit.patch +Patch4: backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch +Patch5: backport-man-lastlog-remove-wrong-use-of-keyword-term.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel 
@@ -189,6 +191,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Wed Oct 9 2024 zhangxingrong - 2:4.14.3-3 +- lib/idmapping.c: Use long constants in prctl(2) +- man/lastlog: remove wrong use of keyword term + * Fri Sep 6 2024 zhangzikang - 2:4.14.3-2 - libsubid: Dealocate memory on exit -- Gitee From 98d98dc0964c56dcda25ba62a0a74c5ecdb71137 Mon Sep 17 00:00:00 2001 From: beta Date: Wed, 11 Dec 2024 11:54:40 +0800 Subject: [PATCH 3/7] chpasswd fix coredump with s parameter Signed-off-by: beta (cherry picked from commit dd0c07f504b803d557353d4252b4ce550ddd7d1a) --- shadow-add-sm3-crypt-support.patch | 4 ++-- shadow.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/shadow-add-sm3-crypt-support.patch b/shadow-add-sm3-crypt-support.patch index 8b1e98a..b5ee39e 100644 --- a/shadow-add-sm3-crypt-support.patch +++ b/shadow-add-sm3-crypt-support.patch @@ -496,8 +496,8 @@ index 1a1a5d5..a2b6e9e 100644 #endif /* USE_YESCRYPT */ - if (bad_s != 0) { +#if defined(USE_SM3_CRYPT) -+ if (( (0 == strcmp (crypt_method, "SM3")) -+ && (0 == getlong(optarg, &sm3_rounds)))) { ++ if (IS_CRYPT_METHOD("SM3") ++ && (0 == getlong(optarg, &sm3_rounds))) { + bad_s = 1; + } +#endif /* USE_SM3_CRYPT */ diff --git a/shadow.spec b/shadow.spec index bd9a0d4..32913d8 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 3 +Release: 4 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -191,6 +191,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Wed Dec 11 2024 beta - 2:4.14.3-4 +- chpasswd fix coredump with s parameter + * Wed Oct 9 2024 zhangxingrong - 2:4.14.3-3 - lib/idmapping.c: Use long constants in prctl(2) - man/lastlog: remove wrong use of keyword term -- Gitee From 0f1dfe0c9e0bb19413aa39133e07f6218e082601 Mon Sep 17 00:00:00 2001 
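Review bot: The change from `0 == strcmp (crypt_method, "SM3")` to `IS_CRYPT_METHOD("SM3")` only fixes the crash if that macro guards `crypt_method` against NULL before calling strcmp, and the hunk shows neither the macro's definition nor the file it lives in (the nested hunk header carries an `index` line instead of a file context). The commit message should name the root cause — presumably `-s` given without `-c`, leaving `crypt_method` NULL — so the downstream sm3 patch explains itself. If the sm3 patch adds the same SM3 branch to chgpasswd.c, the same rewrite is needed there, since only one copy is touched here. A comment like `/* IS_CRYPT_METHOD tolerates crypt_method == NULL (-s without -c) */` above the new condition would keep the reason visible.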
From: beta Date: Mon, 16 Dec 2024 20:27:35 +0800 Subject: [PATCH 4/7] backport patches from upstream Signed-off-by: beta (cherry picked from commit 8d81a7257a249449e6bf37a1153d8f506d4baf28) --- ...-the-lower-part-of-the-domain-of-csr.patch | 79 +++++++++++++++++++ shadow.spec | 6 +- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch diff --git a/backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch b/backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch new file mode 100644 index 0000000..36fc9a3 --- /dev/null +++ b/backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch 
@@ -0,0 +1,79 @@ +From ad0958b816f28e53d9bda4486e969ec3ca63538a Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar +Date: Wed, 19 Jun 2024 19:54:16 +0200 +Subject: [PATCH] lib/csrand.c: Fix the lower part of the domain of + csrand_uniform() + +I accidentally broke this code during an un-optimization. We need to +start from a random value of the width of the limit, that is, 32 bits. + +Thanks to Jason for pointing to his similar code in the kernel, which +made me see my mistake. + +Fixes: 2a61122b5e8f ("Unoptimize the higher part of the domain of csrand_uniform()") +Closes: +Reported-by: Michael Brunnbauer +Link: +Cc: "Jason A. Donenfeld" +Link: +Link: +Link: +Tested-by: Michael Brunnbauer +Reviewed-by: Michael Brunnbauer +Signed-off-by: Alejandro Colomar +Cherry-picked-from: 4119a2dce564 ("lib/csrand.c: Fix the lower part of the domain of csrand_uniform()") +Cc: "Serge E. Hallyn" +Link: +Signed-off-by: Alejandro Colomar + +Conflict: N/A +Reference: https://github.com/shadow-maint/shadow/commit/ad0958b816f28e53d9bda4486e969ec3ca63538a + +--- + lib/csrand.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/csrand.c b/lib/csrand.c +index e85eaa8a..16bcccf0 100644 +--- a/lib/csrand.c ++++ b/lib/csrand.c +@@ -22,6 +22,7 @@ + #include "shadowlog.h" + + ++static uint32_t csrand32(void); + static uint32_t csrand_uniform32(uint32_t n); + static unsigned long csrand_uniform_slow(unsigned long n); + +@@ -96,6 +97,13 @@ csrand_interval(unsigned long min, unsigned long max) + } + + ++static uint32_t ++csrand32(void) ++{ ++ return csrand(); ++} ++ ++ + /* + * Fast Random Integer Generation in an Interval + * ACM Transactions on Modeling and Computer Simulation 29 (1), 2019 +@@ -108,12 +116,12 @@ csrand_uniform32(uint32_t n) + uint64_t r, mult; + + if (n == 0) +- return csrand(); ++ return csrand32(); + + bound = -n % n; // analogous to `2^32 % n`, since `x % y == (x-y) % y` + + do { +- r = csrand(); ++ r = csrand32(); + mult = r * n; + rem = 
mult; // analogous to `mult % 2^32` + } while (rem < bound); // p = (2^32 % n) / 2^32; W.C.: n=2^31+1, p=0.5 +-- +2.46.0 + diff --git a/shadow.spec b/shadow.spec index 32913d8..c359c32 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 4 +Release: 5 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -22,6 +22,7 @@ Patch2: shadow-Remove-encrypted-passwd-for-useradd-gr.patch Patch3: shadow-libsubid-Dealocate-memory-on-exit.patch Patch4: backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch Patch5: backport-man-lastlog-remove-wrong-use-of-keyword-term.patch +Patch6: backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -191,6 +192,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Mon Dec 16 2024 beta - 2:4.14.3-5 +- backport patches from upstream + * Wed Dec 11 2024 beta - 2:4.14.3-4 - chpasswd fix coredump with s parameter -- Gitee From aa4895b6f0b4df1188c36a9aad9e73b94736bced Mon Sep 17 00:00:00 2001 From: hugel <2712504175@qq.com> Date: Sat, 8 Feb 2025 10:08:34 +0800 Subject: [PATCH 5/7] limit username length to 32 (cherry picked from commit 430589ba91cf502f377b2743886f421dbe49b11a) --- limit-username-length-to-32.patch | 41 +++++++++++++++++++++++++++++++ shadow.spec | 6 ++++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 limit-username-length-to-32.patch diff --git a/limit-username-length-to-32.patch b/limit-username-length-to-32.patch new file mode 100644 index 0000000..23e9f3a --- /dev/null +++ b/limit-username-length-to-32.patch 
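Review bot: The new `csrand32()` wrapper does its job through the implicit narrowing in `return csrand();` (csrand() presumably returns a wider type than uint32_t), and nothing marks that truncation as deliberate, so a later `-Wconversion` cleanup could "fix" it and reintroduce the sampling bias this patch removes. An explicit `return (uint32_t) csrand();` or a comment `/* deliberately keep only the low 32 bits: the rejection bound below is computed mod 2^32 */` would pin the intent. Since csrand_uniform32() presumably feeds security-sensitive choices in this library (salt generation), the spec changelog line `backport patches from upstream` should name the csrand_uniform fix so the change is findable. The nested hunk shows only part of csrand_uniform32(), which continues past it.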
@@ -0,0 +1,41 @@ +From cb569337f22de160d61df0bdb7c06f17517835ab Mon Sep 17 00:00:00 2001 +From: zhangshaoning +Date: Thu, 16 Jan 2025 16:30:09 +0800 +Subject: [PATCH] limit username length to 32 + +--- + lib/chkname.c | 4 ++-- + lib/chkname.h | 4 ++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/chkname.c b/lib/chkname.c +index 2b83361..ae6180f 100644 +--- a/lib/chkname.c ++++ b/lib/chkname.c +@@ -75,9 +75,9 @@ static bool is_valid_name (const char *name) + bool is_valid_user_name (const char *name) + { + /* +- * User names length are limited by the kernel ++ * User names length are limited by USER_NAME_MAX_LENGTH + */ +- if (strlen (name) > sysconf(_SC_LOGIN_NAME_MAX)) { ++ if (strlen (name) > USER_NAME_MAX_LENGTH) { + return false; + } + +diff --git a/lib/chkname.h b/lib/chkname.h +index 0771347..4af8f32 100644 +--- a/lib/chkname.h ++++ b/lib/chkname.h +@@ -25,3 +25,7 @@ extern bool is_valid_user_name (const char *name); + extern bool is_valid_group_name (const char *name); + + #endif ++ ++#ifndef USER_NAME_MAX_LENGTH ++#define USER_NAME_MAX_LENGTH 32 ++#endif +-- +2.18.2 + diff --git a/shadow.spec b/shadow.spec index c359c32..33068b7 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 5 +Release: 6 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -23,6 +23,7 @@ Patch3: shadow-libsubid-Dealocate-memory-on-exit.patch Patch4: backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch Patch5: backport-man-lastlog-remove-wrong-use-of-keyword-term.patch Patch6: backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch +Patch7: limit-username-length-to-32.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel 
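Review bot: The new `#ifndef USER_NAME_MAX_LENGTH` block in chkname.h is placed after the header's include-guard `#endif`; it is harmless because of its own guard, but it belongs inside the guard next to the prototypes it applies to. The value 32 is given no rationale in the code comment or the commit message — if the intent is to match the 32-byte `ut_user` field of utmp/lastlog records, say so: `#define USER_NAME_MAX_LENGTH 32 /* matches UT_NAMESIZE in <utmp.h> */`. Replacing `sysconf(_SC_LOGIN_NAME_MAX)` (256 on glibc) with 32 is a behaviour change: existing accounts with longer names will presumably now fail validation in every tool that calls is_valid_user_name(), which the changelog entry should mention, and is_valid_group_name() stays on the old limit unless the rest of chkname.c (outside the hunk) is changed too.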
@@ -192,6 +193,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Sat Feb 8 2025 hugel - 2:4.14.3-6 +- limit username length to 32 + * Mon Dec 16 2024 beta - 2:4.14.3-5 - backport patches from upstream -- Gitee From 05a6a754e645ca1dfccc348a3ad696b2309126c4 Mon Sep 17 00:00:00 2001 From: yixiangzhike Date: Tue, 11 Mar 2025 15:10:16 +0800 Subject: [PATCH 6/7] Backport patches from upstream (cherry picked from commit d17aaba7b3ca21109a31dd3c28cff326adc7d5bf) --- ...-encrypt.c-Do-not-exit-in-error-case.patch | 38 +++++++++++++++++++ ...gpasswd-Clear-password-in-more-cases.patch | 35 +++++++++++++++++ ...useradd.c-get_groups-Fix-memory-leak.patch | 32 ++++++++++++++++ shadow.spec | 8 +++- 4 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 backport-lib-encrypt.c-Do-not-exit-in-error-case.patch create mode 100644 backport-src-gpasswd-Clear-password-in-more-cases.patch create mode 100644 backport-src-useradd.c-get_groups-Fix-memory-leak.patch diff --git a/backport-lib-encrypt.c-Do-not-exit-in-error-case.patch b/backport-lib-encrypt.c-Do-not-exit-in-error-case.patch new file mode 100644 index 0000000..2230291 --- /dev/null +++ b/backport-lib-encrypt.c-Do-not-exit-in-error-case.patch 
@@ -0,0 +1,38 @@ +From 6cbce81df97a16363c46cbd1e8202c3b4f0a2205 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 19 Jan 2025 21:23:54 +0100 +Subject: [PATCH] lib/encrypt.c: Do not exit in error case + +If crypt fails, pw_encrypt calls exit. This has the consequence that the +plaintext password is not cleared. + +A valid password can fail if the underlying library does not support it. +One such example is SHA512, for which the password must not be longer +than 256 characters on musl. A password longer than this with glibc +works, so it is actually possible that a user, running passwd, tries to +enter the old password but the musl-based passwd binary simply exits. +Let passwd clear the password before exiting. + +Reviewed-by: Alejandro Colomar +Signed-off-by: Tobias Stoeckmann +--- + lib/encrypt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/encrypt.c b/lib/encrypt.c +index c84a2552..9c1cb406 100644 +--- a/lib/encrypt.c ++++ b/lib/encrypt.c +@@ -65,7 +65,8 @@ + (void) fprintf (shadow_logfd, + _("crypt method not supported by libcrypt? (%s)\n"), + method); +- exit (EXIT_FAILURE); ++ errno = EINVAL; ++ return NULL; + } + + if (strlen (cp) != 13) { +-- +2.33.0 + diff --git a/backport-src-gpasswd-Clear-password-in-more-cases.patch b/backport-src-gpasswd-Clear-password-in-more-cases.patch new file mode 100644 index 0000000..94f8ce9 --- /dev/null +++ b/backport-src-gpasswd-Clear-password-in-more-cases.patch 
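Review bot: Turning `exit (EXIT_FAILURE)` into `errno = EINVAL; return NULL;` means every caller of pw_encrypt() now sees NULL for an unsupported crypt method where it previously never returned; the gpasswd patch in this same series adds its check, but the other callers in this 4.14.3 tree (passwd, chpasswd, chgpasswd, newusers, useradd at least) should be audited for an unchecked result before the backport lands. The `if (strlen (cp) != 13)` that follows is inside pw_encrypt() after the NULL check, so it is safe here; the risk is in callers that assumed the old exit. The function's header comment, outside the hunk, should state that NULL is returned with errno set to EINVAL when libcrypt rejects the method. pw_encrypt() starts before this hunk and continues after it.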
@@ -0,0 +1,35 @@ +From 6b4bbbeecd676c9423f82658bb3a8f6990218e8d Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 19 Jan 2025 21:27:50 +0100 +Subject: [PATCH] src/gpasswd: Clear password in more cases + +If encryption of password fails, clear the memory before exiting. + +Reviewed-by: Alejandro Colomar +Signed-off-by: Tobias Stoeckmann +--- + src/gpasswd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index 560b0ea7..e9e111a9 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -864,13 +864,13 @@ static void change_passwd (struct group *gr) + + salt = crypt_make_salt (NULL, NULL); + cp = pw_encrypt (pass, salt); ++ memzero (pass, sizeof pass); + if (NULL == cp) { + fprintf (stderr, + _("%s: failed to crypt password with salt '%s': %s\n"), + Prog, salt, strerror (errno)); + exit (1); + } +- memzero (pass, sizeof pass); + #ifdef SHADOWGRP + if (is_shadowgrp) { + gr->gr_passwd = SHADOW_PASSWD_STRING; +-- +2.33.0 + diff --git a/backport-src-useradd.c-get_groups-Fix-memory-leak.patch b/backport-src-useradd.c-get_groups-Fix-memory-leak.patch new file mode 100644 index 0000000..c411118 --- /dev/null +++ b/backport-src-useradd.c-get_groups-Fix-memory-leak.patch @@ -0,0 +1,32 @@ +From feead2f639506d49cef9dde385eb56cd3413ecf0 Mon Sep 17 00:00:00 2001 +From: sgakerru +Date: Sat, 19 Oct 2024 13:26:44 +0400 +Subject: [PATCH] src/useradd.c: get_groups(): Fix memory leak + +--- + src/useradd.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/useradd.c b/src/useradd.c +index 64e7a412..bd3b0624 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -760,6 +760,15 @@ static int get_groups (char *list) + int errors = 0; + int ngroups = 0; + ++ /* ++ * Free previous group list before creating a new one. ++ */ ++ int i = 0; ++ while (NULL != user_groups[i]) { ++ free(user_groups[i]); ++ user_groups[i++] = NULL; ++ } ++ + if ('\0' == *list) { + return 0; + } +-- +2.33.0 + 
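Review bot: The new free loop in get_groups() relies on `user_groups` being a NULL-terminated array whose entries are heap strings or NULL, and on its being NULL-terminated before the first call; the hunk shows neither the declaration nor how entries are stored, so that should be confirmed against the rest of useradd.c. The loop index `i` is a fresh block-scope declaration; if get_groups() later declares its own `i` (the rest of the function is outside the hunk) this will trigger shadow warnings, so reusing the existing index or naming it distinctly would be cleaner. The comment `Free previous group list before creating a new one.` would be more useful if it said when a previous list can exist — presumably `-G` given more than once.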
diff --git a/shadow.spec b/shadow.spec index 33068b7..719678a 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 6 +Release: 7 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -24,6 +24,9 @@ Patch4: backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch Patch5: backport-man-lastlog-remove-wrong-use-of-keyword-term.patch Patch6: backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch Patch7: limit-username-length-to-32.patch +Patch8: backport-src-useradd.c-get_groups-Fix-memory-leak.patch +Patch9: backport-src-gpasswd-Clear-password-in-more-cases.patch +Patch10: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -193,6 +196,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Tue Mar 11 2025 yixiangzhike - 2:4.14.3-7 +- backport patches from upstream + * Sat Feb 8 2025 hugel - 2:4.14.3-6 - limit username length to 32 -- Gitee From 1c0d4e622d5e21c9fd5f5252cb51244bf94f9e62 Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Tue, 27 May 2025 13:10:46 +0800 Subject: [PATCH 7/7] fix upstream bug#1013: src/groupmod.c: bug; possibly use-after-free (cherry picked from commit ec7198f9a634e87fa390e3de2f2ba777277bed81) --- ...elete-gr_free_members-grp-to-avoid-d.patch | 54 +++++++++++++++++++ shadow.spec | 6 ++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch diff --git a/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch new file mode 100644 index 0000000..6a1a2d9 --- /dev/null +++ b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch 
@@ -0,0 +1,54 @@ +From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001 +From: lixinyun +Date: Wed, 29 May 2024 06:53:02 +0800 +Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double + free + +Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n. +Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation : + +[root@localhost src]# ./useradd u1 +[root@localhost src]# ./useradd u2 +[root@localhost src]# ./useradd u3 +[root@localhost src]# ./groupadd -U u1,u2,u3 g1 +[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1 +Segmentation fault + +This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again. + +[root@localhost src]# ./useradd u1 +[root@localhost src]# ./useradd u2 +[root@localhost src]# ./useradd u3 +[root@localhost src]# ./groupadd -U u1,u2,u3 g1 +[root@localhost src]# ./groupmod -U u1,u2 g1 +Segmentation fault + +The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again. + +So the first free is unnecessary, maybe we can drop it. + +Fixes: 342c934a3590 ("add -U option to groupadd and groupmod") +Closes: +Link: +Link: +Link: +Cc: "Serge E. 
Hallyn" +Reviewed-by: Alejandro Colomar +Signed-off-by: lixinyun +--- + src/groupmod.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/groupmod.c b/src/groupmod.c +index a29cf73f6..989d7ea34 100644 +--- a/src/groupmod.c ++++ b/src/groupmod.c +@@ -250,8 +250,6 @@ static void grp_update (void) + + if (!aflg) { + // requested to replace the existing groups +- if (NULL != grp.gr_mem[0]) +- gr_free_members(&grp); + grp.gr_mem = XMALLOC(1, char *); + grp.gr_mem[0] = NULL; + } else { diff --git a/shadow.spec b/shadow.spec index 719678a..ce5c6a4 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 7 +Release: 8 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -27,6 +27,7 @@ Patch7: limit-username-length-to-32.patch Patch8: backport-src-useradd.c-get_groups-Fix-memory-leak.patch Patch9: backport-src-gpasswd-Clear-password-in-more-cases.patch Patch10: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch +Patch11: backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -196,6 +197,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Tue May 27 2025 Funda Wang - 2:4.14.3-8 +- fix upstream bug#1013: src/groupmod.c: bug; possibly use-after-free + * Tue Mar 11 2025 yixiangzhike - 2:4.14.3-7 - backport patches from upstream -- Gitee
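Review bot: Dropping `gr_free_members(&grp)` fixes the double free, but it leaves `grp.gr_mem` being overwritten by `XMALLOC(1, char *)` with no note that the old array is still owned by `*ogrp` and released later by gr_update()/gr_remove(); the next reader of grp_update() will see an apparent leak and re-add the free. Record the ownership at the assignment, e.g. `/* grp is a shallow copy of *ogrp: its old gr_mem is freed by gr_update()/gr_remove(), never here */`. A deep copy so that grp owns its member list would remove the shared ownership altogether, but that is out of scope for a backport. grp_update() starts before the hunk and continues after it.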