backport patches from upstream
This commit is contained in:
wjiang
parent
400db2e305
commit
5182f4343b
38
backport-lib-encrypt.c-Do-not-exit-in-error-case.patch
Normal file
38
backport-lib-encrypt.c-Do-not-exit-in-error-case.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 6cbce81df97a16363c46cbd1e8202c3b4f0a2205 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Sun, 19 Jan 2025 21:23:54 +0100
|
||||
Subject: [PATCH] lib/encrypt.c: Do not exit in error case
|
||||
|
||||
If crypt fails, pw_encrypt calls exit. This has the consequence that the
|
||||
plaintext password is not cleared.
|
||||
|
||||
A valid password can fail if the underlying library does not support it.
|
||||
One such example is SHA512, for which the password must not be longer
|
||||
than 256 characters on musl. A password longer than this with glibc
|
||||
works, so it is actually possible that a user, running passwd, tries to
|
||||
enter the old password but the musl-based passwd binary simply exits.
|
||||
Let passwd clear the password before exiting.
|
||||
|
||||
Reviewed-by: Alejandro Colomar <alx@kernel.org>
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
lib/encrypt.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/encrypt.c b/lib/encrypt.c
|
||||
index c84a2552..9c1cb406 100644
|
||||
--- a/lib/encrypt.c
|
||||
+++ b/lib/encrypt.c
|
||||
@@ -90,7 +90,8 @@
|
||||
(void) fprintf (shadow_logfd,
|
||||
_("crypt method not supported by libcrypt? (%s)\n"),
|
||||
method);
|
||||
- exit (EXIT_FAILURE);
|
||||
+ errno = EINVAL;
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
if (strlen (cp) != 13) {
|
||||
--
|
||||
2.33.0
|
||||
|
||||
35
backport-src-gpasswd-Clear-password-in-more-cases.patch
Normal file
35
backport-src-gpasswd-Clear-password-in-more-cases.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 6b4bbbeecd676c9423f82658bb3a8f6990218e8d Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Sun, 19 Jan 2025 21:27:50 +0100
|
||||
Subject: [PATCH] src/gpasswd: Clear password in more cases
|
||||
|
||||
If encryption of password fails, clear the memory before exiting.
|
||||
|
||||
Reviewed-by: Alejandro Colomar <alx@kernel.org>
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/gpasswd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/gpasswd.c b/src/gpasswd.c
|
||||
index 560b0ea7..e9e111a9 100644
|
||||
--- a/src/gpasswd.c
|
||||
+++ b/src/gpasswd.c
|
||||
@@ -864,13 +864,13 @@ static void change_passwd (struct group *gr)
|
||||
|
||||
salt = crypt_make_salt (NULL, NULL);
|
||||
cp = pw_encrypt (pass, salt);
|
||||
+ memzero (pass, sizeof pass);
|
||||
if (NULL == cp) {
|
||||
fprintf (stderr,
|
||||
_("%s: failed to crypt password with salt '%s': %s\n"),
|
||||
Prog, salt, strerror (errno));
|
||||
exit (1);
|
||||
}
|
||||
- memzero (pass, sizeof pass);
|
||||
#ifdef SHADOWGRP
|
||||
if (is_shadowgrp) {
|
||||
gr->gr_passwd = SHADOW_PASSWD_STRING;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
32
backport-src-useradd.c-get_groups-Fix-memory-leak.patch
Normal file
32
backport-src-useradd.c-get_groups-Fix-memory-leak.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From feead2f639506d49cef9dde385eb56cd3413ecf0 Mon Sep 17 00:00:00 2001
|
||||
From: sgakerru <sulmpx60@yandex.ru>
|
||||
Date: Sat, 19 Oct 2024 13:26:44 +0400
|
||||
Subject: [PATCH] src/useradd.c: get_groups(): Fix memory leak
|
||||
|
||||
---
|
||||
src/useradd.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index 64e7a412..bd3b0624 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -735,6 +735,15 @@ static int get_groups (char *list)
|
||||
int errors = 0;
|
||||
int ngroups = 0;
|
||||
|
||||
+ /*
|
||||
+ * Free previous group list before creating a new one.
|
||||
+ */
|
||||
+ int i = 0;
|
||||
+ while (NULL != user_groups[i]) {
|
||||
+ free(user_groups[i]);
|
||||
+ user_groups[i++] = NULL;
|
||||
+ }
|
||||
+
|
||||
if ('\0' == *list) {
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: shadow
|
||||
Version: 4.9
|
||||
Release: 16
|
||||
Release: 17
|
||||
Epoch: 2
|
||||
License: BSD and GPLv2+
|
||||
Summary: Tools for managing accounts and shadow password files
|
||||
@ -97,6 +97,9 @@ Patch77: backport-lib-btrfs-avoid-NULL-dereference.patch
|
||||
Patch78: backport-src-passwd.c-Switch-to-day-precision.patch
|
||||
Patch79: backport-src-passwd-add-overflow-check.patch
|
||||
Patch80: backport-src-useradd-free-string.patch
|
||||
Patch81: backport-src-useradd.c-get_groups-Fix-memory-leak.patch
|
||||
Patch82: backport-src-gpasswd-Clear-password-in-more-cases.patch
|
||||
Patch83: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch
|
||||
|
||||
BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
|
||||
BuildRequires: libacl-devel, libattr-devel
|
||||
@ -266,6 +269,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
%{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Tue Mar 18 2025 wangjiang <app@cameyan.com> - 2:4.9-17
|
||||
- backport patches from upstream
|
||||
|
||||
* Sat Mar 16 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2:4.9-16
|
||||
- backport some patches
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user