Diffstat (limited to 'sys-apps/shadow')
-rw-r--r--sys-apps/shadow/Manifest19
-rw-r--r--sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch100
-rw-r--r--sys-apps/shadow/files/shadow-4.13-configure-clang16.patch38
-rw-r--r--sys-apps/shadow/files/shadow-4.13-password-leak.patch135
-rw-r--r--sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch33
-rw-r--r--sys-apps/shadow/metadata.xml1
-rw-r--r--sys-apps/shadow/shadow-4.13-r4.ebuild272
-rw-r--r--sys-apps/shadow/shadow-4.14.2.ebuild8
-rw-r--r--sys-apps/shadow/shadow-4.14.6-r1.ebuild8
-rw-r--r--sys-apps/shadow/shadow-4.14.8.ebuild (renamed from sys-apps/shadow/shadow-4.14.7.ebuild)10
10 files changed, 7 insertions, 617 deletions
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 1930db2cbdda..186597bd6e52 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -3,20 +3,13 @@ AUX pam.d-include/chpasswd 42 BLAKE2B e9cb4b84dfba45e258970c4adf923e3384ae0b04b4
AUX pam.d-include/passwd 144 BLAKE2B 95e159c70416218950ad5cdc41c83b52f8d2ec042d35c9908ca400bd57dcb234fb7691aa2a5a7646a379553aa6dee0dd96ee569aa492d7f20774e991a90f8602 SHA512 31611a08d97cd2c129f18d451a555ff6c781f91603c77fc0c66ff406b5fa4a97db19ae4ce104816a6324529d10e131de0d5329646bdab2abc8dc3ee5b82b057f
AUX pam.d-include/shadow 152 BLAKE2B 82d1f678abc60586ea873da7e2f4907349d77a64085cc475fa09c47cb008b41a7a00a7de2816b2c5cb2f48452d1b07523be35f8dd29026736ba8fbd3ae3d7c56 SHA512 d07611c350d0d6f3386db5080c80a84e4135cf33e44fd3a390cb1092e034f9bd2a69495fadd4bda6ede9962e9658e77f2c8e12d3189cdcda6c7b3c607336f0c3
AUX pam.d-include/shadow-r1 116 BLAKE2B bc7baa8e224cb90b6ef79762941b3b7505fcf4b8ed8c5da06a33a8a7fefa91098e4ac0c0f915eeca4a19714d60a2bf43e3922805347e3dfe0ccc80f210bf88e4 SHA512 ddecc5cc8f667f9931ddf5d98d89a986712c5a6e44826add1e1d9ead37064758a3879f6afd1fc45c89c216956593852051e2ef3abc52e2ab58a0e191adfe75d1
-AUX shadow-4.13-CVE-2023-29383.patch 3022 BLAKE2B 7ad4eeef9bbaf49b8388b7bbcfd2b814ed8862056242085d7261064f7447e610f3476cb45fb57acbe0b5eb1486389bdf93dcc196853c7fe4555750d2c0dcd1c8 SHA512 dd042d4be4dcbcdf63293598530225454cc7818e7ed6c59ab00fb19517b8ec503f6f82de0d347cc03dfcd1d65a1f65f623181838710db6d4fec84b14d7ffe530
-AUX shadow-4.13-configure-clang16.patch 1129 BLAKE2B 701c7e417c57265d9a7a2ee8eb6620ef6846018de24edacc04d0d4f63ff2e7e0a67382c459003d2bfa11e4dd3a49a227464315a4ef115da58c27889d7bdd7226 SHA512 057ea8a546953bea88ecb0b787b37d24113ea4881a9f86e55318647f85f8b56e204dbf3815811897d0cad2a8e50427c9fa84b6389e332e26c8cacc690835a942
-AUX shadow-4.13-password-leak.patch 5271 BLAKE2B 9f47502e0463e7c00d29c0a42071c49a23e82364d244a9fd61358c605f68bc30beb22fe501f9db19cadfa0c658bd46ddd777cdae058b500d70e9443263ca5f0b SHA512 40a7259467bd63d691e46f59e53348150d4b0f806375144cff9c51a28c95c9bc8c43da76245afb7f4cbfa292e7e19d43458290fe14bd32c985f844de64c76e61
-AUX shadow-4.13-usermod-prefix-gid.patch 1206 BLAKE2B 8efa85ab6c4eee199b5cd21f706d39910393ae9f2bd8af9a2e49d058be6ec41bd37d1624ec85a94b6adb24597bc599f3b0e624286c10aa8b1e0022795cd1b89a SHA512 e38332b073497f53ccafff1d8c31910b3d9b692ac267758536585499f6ce68bed45097558689f3dbda6ddeaf762bf20072de6124ef053fbe807aa3543553142f
-DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc SHA512 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e
-DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648
DIST shadow-4.14.2.tar.xz 1799548 BLAKE2B 419f0a516753616ef691f71ec9002eef6fd7568c013ac71900d7481eff1bd9165c69d9587b7ca25800543a2eac58cfb7ce4224063e8af7b278f589640485c28f SHA512 b417dbe0fbbeced1022e64efe9dcd8b41d14779c45163e6de63891ac63f837d43f3e559f99f884099aa45282299ceb4dcb9fd29d21c9925687ff8462fe6ead2f
DIST shadow-4.14.2.tar.xz.asc 833 BLAKE2B 9e085c79ccd3aa77489eb92e947dd4875dea84be2dbcbd2b8443e70b3dc065d288171ee024f81c6c3bf44d0ebfcabbb69937a906fdb26b6622d5a369aa415e8e SHA512 47a2607fa782a48b0333e353343a32f358115bb40225ea962fab86d4a8dbed1df976eb6231baf5b95f34a13139b99d6b719521626e5d3e9c80fc4c685767d9b7
DIST shadow-4.14.6.tar.xz 1805900 BLAKE2B e910131eab6527c1222afadf02ebd7bd6a3460baf95c23cc9eefa7aa21ddb70c02e58e4f58db2cb24fa8e2996c82b11664420545a8b1af573e4e6a25ceb3f921 SHA512 994a81afbafb19622a1d0f84527f96a84b0955c4ffa5e826682ead82af7940b8e3a091514bd2075622ebdf7638643c9c6b6b7ac3e48d985278db896249d70ae6
DIST shadow-4.14.6.tar.xz.asc 833 BLAKE2B 2fdcbd073687de829006ed9eb3ffd0b5f1312a94fe81b9c6840b25807e1268c58136d378da87f481c3cb53dc262d7afb6d97c77528e14dfbf5d54212fa7f84f2 SHA512 41f8fa92379392d4caa83987f9ea513ec18103dacfc01461f7bfb67ee6738a67e097fe76e7aa1f6004dfe14d5c55973667037c683fdd8ebb082264cb62222d27
-DIST shadow-4.14.7.tar.xz 1805860 BLAKE2B 5cc525292b9ba8fb85ec476a866be0b07a0b113539ad9f11d33eb87a87b95315485900a497c24465ad3b1d40b8f3273b6044a82829444024cc06d656427f3932 SHA512 ec64210b96ca0633683825df076e048ecba8f4794e9ad60125965d1490078c86ad26030bbec2e2ec7b53992d3ca68e4e659d6c460509fc6debb07bb686678885
-DIST shadow-4.14.7.tar.xz.asc 833 BLAKE2B 05c75a1de641cb766860959f1c1ed4788be40a6b0533d73a701b138c1aaf3b70f1e2807b7dafb74e35369091c40edf402abd96c9a5526c18ee644c12c48cd320 SHA512 6d13ddc810f27efd1bb2c9ef61d260b84ba9ce4e5721d844bd1f910fba072ae424360f6d3672b69dfa88c9a0905d93b6de415909791515f8da00d6c17ca79f9a
-EBUILD shadow-4.13-r4.ebuild 6834 BLAKE2B da0e190f18aa68350ac8689505c0399252ab54036583ee2b4fa865433406f64469d6a43162f422da5e315cf7378e0accc595c8a2eaccf801353947cc504c3983 SHA512 dc4dad7bd7c4f4206f9cbc83166269dde3b868eca3a5a83f2698795efb7696c438468c8c22293963a52597735888efb8b959bccddb6d19b6eefc3cbeb5564dd7
-EBUILD shadow-4.14.2.ebuild 7230 BLAKE2B 339fbc2f07bf21238b4b606d1a3c5abff09f3521eda90630a3bb3b0d14ac990ea33369cf8d5914f67a2982d3e6b503d90046b5da946c3288691c273426174154 SHA512 15f1a137409709d23a223db1b346f1dc04543870a29fbf28ab9dd6fda7ce290dbb6aaf2e02ad5f38016c90be733b900636e6592d8b0c13a0e66a1034b385aa31
-EBUILD shadow-4.14.6-r1.ebuild 7139 BLAKE2B 2cf98373dffc863ff6866f5b1f5e31efe8132eb7500a345605e72b7b746b6e90eb0f05550e51b12632cbaeab6a9b311b59ebfaf952a44ecb5fbfa0c2128c6ae3 SHA512 fce593403db55462ca87d7efe2f08a1fe2355f85890b781c119030071a701d1e1003ae9bac9f159fb733bc07c090550c2be8124e7e2f456632e63162519425f8
-EBUILD shadow-4.14.7.ebuild 7139 BLAKE2B 2cf98373dffc863ff6866f5b1f5e31efe8132eb7500a345605e72b7b746b6e90eb0f05550e51b12632cbaeab6a9b311b59ebfaf952a44ecb5fbfa0c2128c6ae3 SHA512 fce593403db55462ca87d7efe2f08a1fe2355f85890b781c119030071a701d1e1003ae9bac9f159fb733bc07c090550c2be8124e7e2f456632e63162519425f8
-MISC metadata.xml 606 BLAKE2B 2b14042f4702a908f8250c3fb6499ea33d8a8c44072707aa44881a36e3cc710256a821f8cd82c5214b32e9f5632745db4fdf00dd722f6fb7401e2f6b0bfbb4fd SHA512 694e039ae781982e8cbe6670b4e9c93b43455715ce4b9830a5fa61e6bf3eb91abcc284bf29c64fab055ba9754edaeab5d2da8140dbb2794fc1f534e2ccbb2b16
+DIST shadow-4.14.8.tar.xz 1806352 BLAKE2B a6ed45e44560c68baec97072399c106060be859a0f9514da2e5b0ec373e5b9c9f54b402132f39c20401496a5b3faeaa0bc90e1b9f02dd2e3b3ffc7389d0745bb SHA512 6f98ef412874f91cfa3f08877f3fe058d725636705b07d473aa1ea44cb6864059701bd11513caf692d270a7ed8ab1956e04421e53dfb8c74e925b8ec12ab8634
+DIST shadow-4.14.8.tar.xz.asc 833 BLAKE2B 1b8b8f3f36e06c1dda0a4e0d1508b1ad0ef85f0fa993a92a583831687076ba22d05f47109d56c1e740b60632c3bbeeb6c8cc001e41f46b1a2f9177ce62854f8c SHA512 1db2647babe3f434204c93e7700ff6a0ece078f6c5adb96ae0c0ac9d82a862835c4ab8afb37b0ffc80cf62e9a59f1ba33a92ff454e7ae0ca2aa535b19627615e
+EBUILD shadow-4.14.2.ebuild 7004 BLAKE2B 708a70d960b64034abf552cd456e5d48441631f7d8386598baf401e088f57ca6dfee74d1a5a615c422274e12f7a62d0edf07cb2dcac4eec84ab8cc1f5e91f9b7 SHA512 7293386d86111399a14d665e34bca34343aff436a35452682c018c488d36276097e04218d0fd0b0989363cdf6a10059b351081d7358e782fd809d8fcdba7f31b
+EBUILD shadow-4.14.6-r1.ebuild 6913 BLAKE2B e646eac275d4c21c970754c674764866e05e9a6dcbfe9b790c13340142e1ea3f730a8705d5cff24f2ec7f3202945e3b50bbf42aea01fef7372cca610b8777490 SHA512 160f31dfc116200589880f72eaa3f013f9a626eb9a70fa9fb52b5985ca9f42800a635d0149f470d94edd1a05af5ecacd652f8e92f96366683c1c08f51f3b2210
+EBUILD shadow-4.14.8.ebuild 6906 BLAKE2B 2b15c60c02dd6b351aeebe438a53b651d1c5025ceb3b23ab8d93add2d4359336705158629a1d25018a63715a679b16c4affea508f082176b86824a0cccceffff SHA512 395f10735a40529a39b867cc0b2d635ec2d3f46474a12c6fac21352d302ed51ae6fe9185601af94dee87f66b2e941c768882e46da59240ccade820a0de8eaab3
+MISC metadata.xml 530 BLAKE2B 079afba35e81749052076dc1098a158eaeefeaed93bb058849f899d489ca4ffd575d14b11fe5e635eef5306c328e031cf672e1e4db7fc98c16744bd6974455f0 SHA512 d1898cb0bfc5b4c7bac8ef8f5b4ed379a11f1dfeb9eb074b055bd0f2d4682f15e6bf9f4c26181e6c394f680a2a3ddf8b83d4f1626bcce9ce4b5460fde92473ca
diff --git a/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
deleted file mode 100644
index 49868ba67c96..000000000000
--- a/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
-From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
-Date: Thu, 23 Mar 2023 23:39:38 +0000
-Subject: [PATCH] Added control character check
-
-Added control character check, returning -1 (to "err") if control characters are present.
----
- lib/fields.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/lib/fields.c b/lib/fields.c
-index 640be931f..fb51b5829 100644
---- a/lib/fields.c
-+++ b/lib/fields.c
-@@ -21,9 +21,9 @@
- *
- * The supplied field is scanned for non-printable and other illegal
- * characters.
-- * + -1 is returned if an illegal character is present.
-- * + 1 is returned if no illegal characters are present, but the field
-- * contains a non-printable character.
-+ * + -1 is returned if an illegal or control character is present.
-+ * + 1 is returned if no illegal or control characters are present,
-+ * but the field contains a non-printable character.
- * + 0 is returned otherwise.
- */
- int valid_field (const char *field, const char *illegal)
-@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
- }
-
- if (0 == err) {
-- /* Search if there are some non-printable characters */
-+ /* Search if there are non-printable or control characters */
- for (cp = field; '\0' != *cp; cp++) {
- if (!isprint (*cp)) {
- err = 1;
-+ }
-+ if (!iscntrl (*cp)) {
-+ err = -1;
- break;
- }
- }
-From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Fri, 31 Mar 2023 14:46:50 +0200
-Subject: [PATCH] Overhaul valid_field()
-
-e5905c4b ("Added control character check") introduced checking for
-control characters but had the logic inverted, so it rejects all
-characters that are not control ones.
-
-Cast the character to `unsigned char` before passing to the character
-checking functions to avoid UB.
-
-Use strpbrk(3) for the illegal character test and return early.
----
- lib/fields.c | 24 ++++++++++--------------
- 1 file changed, 10 insertions(+), 14 deletions(-)
-
-diff --git a/lib/fields.c b/lib/fields.c
-index fb51b5829..539292485 100644
---- a/lib/fields.c
-+++ b/lib/fields.c
-@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
-
- /* For each character of field, search if it appears in the list
- * of illegal characters. */
-+ if (illegal && NULL != strpbrk (field, illegal)) {
-+ return -1;
-+ }
-+
-+ /* Search if there are non-printable or control characters */
- for (cp = field; '\0' != *cp; cp++) {
-- if (strchr (illegal, *cp) != NULL) {
-+ unsigned char c = *cp;
-+ if (!isprint (c)) {
-+ err = 1;
-+ }
-+ if (iscntrl (c)) {
- err = -1;
- break;
- }
- }
-
-- if (0 == err) {
-- /* Search if there are non-printable or control characters */
-- for (cp = field; '\0' != *cp; cp++) {
-- if (!isprint (*cp)) {
-- err = 1;
-- }
-- if (!iscntrl (*cp)) {
-- err = -1;
-- break;
-- }
-- }
-- }
--
- return err;
- }
-
diff --git a/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch b/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch
deleted file mode 100644
index 4e703db93a6c..000000000000
--- a/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef
-https://github.com/shadow-maint/shadow/pull/595
-
-From a281f241b592aec636d1b93a99e764499d68c7ef Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Mon, 21 Nov 2022 11:52:45 +0100
-Subject: [PATCH] Fix HAVE_SHADOWGRP configure check
-
-The missing #include <gshadow.h> causes the configure check to fail
-spuriously, resulting in HAVE_SHADOWGRP not being defined even
-on systems that actually have sgetsgent (such as current glibc).
---- a/configure.ac
-+++ b/configure.ac
-@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
- ac_cv_libc_shadowgrp,
- AC_RUN_IFELSE([AC_LANG_SOURCE([
- #include <shadow.h>
-+ #ifdef HAVE_GSHADOW_H
-+ #include <gshadow.h>
-+ #endif
-+ int
- main()
- {
- struct sgrp *sg = sgetsgent("test:x::");
-
---- a/configure
-+++ b/configure
-@@ -15684,6 +15684,10 @@ else $as_nop
- /* end confdefs.h. */
-
- #include <shadow.h>
-+ #ifdef HAVE_GSHADOW_H
-+ #include <gshadow.h>
-+ #endif
-+ int
- main()
- {
- struct sgrp *sg = sgetsgent("test:x::");
diff --git a/sys-apps/shadow/files/shadow-4.13-password-leak.patch b/sys-apps/shadow/files/shadow-4.13-password-leak.patch
deleted file mode 100644
index 25b5ec39c5f8..000000000000
--- a/sys-apps/shadow/files/shadow-4.13-password-leak.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
-
-From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
-From: Alejandro Colomar <alx@kernel.org>
-Date: Sat, 10 Jun 2023 16:20:05 +0200
-Subject: [PATCH] gpasswd(1): Fix password leak
-
-How to trigger this password leak?
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-When gpasswd(1) asks for the new password, it asks twice (as is usual
-for confirming the new password). Each of those 2 password prompts
-uses agetpass() to get the password. If the second agetpass() fails,
-the first password, which has been copied into the 'static' buffer
-'pass' via STRFCPY(), wasn't being zeroed.
-
-agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
-can fail for any of the following reasons:
-
-- malloc(3) or readpassphrase(3) failure.
-
- These are going to be difficult to trigger. Maybe getting the system
- to the limits of memory utilization at that exact point, so that the
- next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
- About readpassphrase(3), ENFILE and EINTR seem the only plausible
- ones, and EINTR probably requires privilege or being the same user;
- but I wouldn't discard ENFILE so easily, if a process starts opening
- files.
-
-- The password is longer than PASS_MAX.
-
- The is plausible with physical access. However, at that point, a
- keylogger will be a much simpler attack.
-
-And, the attacker must be able to know when the second password is being
-introduced, which is not going to be easy.
-
-How to read the password after the leak?
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Provoking the leak yourself at the right point by entering a very long
-password is easy, and inspecting the process stack at that point should
-be doable. Try to find some consistent patterns.
-
-Then, search for those patterns in free memory, right after the victim
-leaks their password.
-
-Once you get the leak, a program should read all the free memory
-searching for patterns that gpasswd(1) leaves nearby the leaked
-password.
-
-On 6/10/23 03:14, Seth Arnold wrote:
-> An attacker process wouldn't be able to use malloc(3) for this task.
-> There's a handful of tools available for userspace to allocate memory:
->
-> - brk / sbrk
-> - mmap MAP_ANONYMOUS
-> - mmap /dev/zero
-> - mmap some other file
-> - shm_open
-> - shmget
->
-> Most of these return only pages of zeros to a process. Using mmap of an
-> existing file, you can get some of the contents of the file demand-loaded
-> into the memory space on the first use.
->
-> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
-> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
->
-> malloc(3) doesn't zero memory, to our collective frustration, but all the
-> garbage in the allocations is from previous allocations in the current
-> process. It isn't leftover from other processes.
->
-> The avenues available for reading the memory:
-> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
-> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
-> - ptrace (requires ptrace privileges, mediated by YAMA)
-> - causing memory to be swapped to disk, and then inspecting the swap
->
-> These all require a certain amount of privileges.
-
-How to fix it?
-~~~~~~~~~~~~~
-
-memzero(), which internally calls explicit_bzero(3), or whatever
-alternative the system provides with a slightly different name, will
-make sure that the buffer is zeroed in memory, and optimizations are not
-allowed to impede this zeroing.
-
-This is not really 100% effective, since compilers may place copies of
-the string somewhere hidden in the stack. Those copies won't get zeroed
-by explicit_bzero(3). However, that's arguably a compiler bug, since
-compilers should make everything possible to avoid optimizing strings
-that are later passed to explicit_bzero(3). But we all know that
-sometimes it's impossible to have perfect knowledge in the compiler, so
-this is plausible. Nevertheless, there's nothing we can do against such
-issues, except minimizing the time such passwords are stored in plain
-text.
-
-Security concerns
-~~~~~~~~~~~~~~~~
-
-We believe this isn't easy to exploit. Nevertheless, and since the fix
-is trivial, this fix should probably be applied soon, and backported to
-all supported distributions, to prevent someone else having more
-imagination than us to find a way.
-
-Affected versions
-~~~~~~~~~~~~~~~~
-
-All. Bug introduced in shadow 19990709. That's the second commit in
-the git history.
-
-Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
-Reported-by: Alejandro Colomar <alx@kernel.org>
-Cc: Serge Hallyn <serge@hallyn.com>
-Cc: Iker Pedrosa <ipedrosa@redhat.com>
-Cc: Seth Arnold <seth.arnold@canonical.com>
-Cc: Christian Brauner <christian@brauner.io>
-Cc: Balint Reczey <rbalint@debian.org>
-Cc: Sam James <sam@gentoo.org>
-Cc: David Runge <dvzrv@archlinux.org>
-Cc: Andreas Jaeger <aj@suse.de>
-Cc: <~hallyn/shadow@lists.sr.ht>
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---- a/src/gpasswd.c
-+++ b/src/gpasswd.c
-@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr)
- erase_pass (cp);
- cp = agetpass (_("Re-enter new password: "));
- if (NULL == cp) {
-+ memzero (pass, sizeof pass);
- exit (1);
- }
-
diff --git a/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch b/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch
deleted file mode 100644
index 50cbe699d15e..000000000000
--- a/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://bugs.gentoo.org/903083
-https://github.com/shadow-maint/shadow/pull/691
-https://github.com/shadow-maint/shadow/commit/bd2d0079c90241f24671a7946a3ad175dc1a3aeb
-
-From fcb04de38a0ddc263288a1c450b35bfb1503d523 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert <floppym@gentoo.org>
-Date: Sat, 25 Mar 2023 21:16:55 -0400
-Subject: [PATCH] usermod: respect --prefix for --gid option
-
-The --gid option accepts a group name or id. When a name is provided, it
-is resolved to an id by looking up the name in the group database
-(/etc/group).
-
-The --prefix option overides the location of the passwd and group
-databases. I suspect the --gid option was overlooked when wiring up the
---prefix option.
-
-useradd --gid already respects --prefix; this change makes usermod
-behave the same way.
-
-Fixes: b6b2c756c91806b1c3e150ea0ee4721c6cdaf9d0
-Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -1072,7 +1072,7 @@ static void process_flags (int argc, char **argv)
- fflg = true;
- break;
- case 'g':
-- grp = getgr_nam_gid (optarg);
-+ grp = prefix_getgr_nam_gid (optarg);
- if (NULL == grp) {
- fprintf (stderr,
- _("%s: group '%s' does not exist\n"),
diff --git a/sys-apps/shadow/metadata.xml b/sys-apps/shadow/metadata.xml
index 732ee860c25d..dcb8aecd00b4 100644
--- a/sys-apps/shadow/metadata.xml
+++ b/sys-apps/shadow/metadata.xml
@@ -6,7 +6,6 @@
<name>Gentoo Base System</name>
</maintainer>
<use>
- <flag name="bcrypt">build the bcrypt password encryption algorithm</flag>
<flag name="su">build the su program</flag>
</use>
<slots>
diff --git a/sys-apps/shadow/shadow-4.13-r4.ebuild b/sys-apps/shadow/shadow-4.13-r4.ebuild
deleted file mode 100644
index b2cbba68a664..000000000000
--- a/sys-apps/shadow/shadow-4.13-r4.ebuild
+++ /dev/null
@@ -1,272 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Upstream sometimes pushes releases as pre-releases before marking them
-# official. Don't keyword the pre-releases!
-# Check https://github.com/shadow-maint/shadow/releases.
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sergehallyn.asc
-inherit libtool pam verify-sig
-
-DESCRIPTION="Utilities to deal with user accounts"
-HOMEPAGE="https://github.com/shadow-maint/shadow"
-SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
-SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )"
-
-LICENSE="BSD GPL-2"
-# Subslot is for libsubid's SONAME.
-SLOT="0/4"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr"
-# Taken from the man/Makefile.am file.
-LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
-
-REQUIRED_USE="?? ( cracklib pam )"
-
-COMMON_DEPEND="
- virtual/libcrypt:=
- acl? ( sys-apps/acl:= )
- audit? ( >=sys-process/audit-2.6:= )
- cracklib? ( >=sys-libs/cracklib-2.7-r3:= )
- nls? ( virtual/libintl )
- pam? ( sys-libs/pam:= )
- skey? ( sys-auth/skey:= )
- selinux? (
- >=sys-libs/libselinux-1.28:=
- sys-libs/libsemanage:=
- )
- xattr? ( sys-apps/attr:= )
-"
-DEPEND="
- ${COMMON_DEPEND}
- >=sys-kernel/linux-headers-4.14
-"
-RDEPEND="
- ${COMMON_DEPEND}
- !<sys-apps/man-pages-5.11-r1
- !=sys-apps/man-pages-5.12-r0
- !=sys-apps/man-pages-5.12-r1
- nls? (
- !<app-i18n/man-pages-it-5.06-r1
- !<app-i18n/man-pages-ja-20180315-r1
- !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
- )
- pam? ( >=sys-auth/pambase-20150213 )
- su? ( !sys-apps/util-linux[su(-)] )
-"
-BDEPEND="
- app-arch/xz-utils
- sys-devel/gettext
- verify-sig? ( sec-keys/openpgp-keys-sergehallyn )
-"
-
-PATCHES=(
- "${FILESDIR}"/${P}-configure-clang16.patch
- "${FILESDIR}"/${P}-CVE-2023-29383.patch
- "${FILESDIR}"/${P}-usermod-prefix-gid.patch
- "${FILESDIR}"/${P}-password-leak.patch
-)
-
-src_prepare() {
- default
-
- elibtoolize
-}
-
-src_configure() {
- local myeconfargs=(
- --disable-account-tools-setuid
- --disable-static
- --with-btrfs
- --without-group-name-max-length
- --without-tcb
- $(use_enable nls)
- $(use_with acl)
- $(use_with audit)
- $(use_with bcrypt)
- $(use_with cracklib libcrack)
- $(use_with elibc_glibc nscd)
- $(use_with pam libpam)
- $(use_with selinux)
- $(use_with skey)
- $(use_with su)
- $(use_with xattr attr)
- )
-
- econf "${myeconfargs[@]}"
-
- if use nls ; then
- local l langs="po" # These are the pot files.
- for l in ${LANGS[*]} ; do
- has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
- done
- sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
- fi
-}
-
-set_login_opt() {
- local comment="" opt=${1} val=${2}
- if [[ -z ${val} ]]; then
- comment="#"
- sed -i \
- -e "/^${opt}\>/s:^:#:" \
- "${ED}"/etc/login.defs || die
- else
- sed -i -r \
- -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
- "${ED}"/etc/login.defs
- fi
- local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
- einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
-}
-
-src_install() {
- emake DESTDIR="${D}" suidperms=4711 install
-
- # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389
- emake DESTDIR="${D}" -C man install
-
- find "${ED}" -name '*.la' -type f -delete || die
-
- insinto /etc
- if ! use pam ; then
- insopts -m0600
- doins etc/login.access etc/limits
- fi
-
- # needed for 'useradd -D'
- insinto /etc/default
- insopts -m0600
- doins "${FILESDIR}"/default/useradd
-
- if use split-usr ; then
- # move passwd to / to help recover broke systems #64441
- # We cannot simply remove this or else net-misc/scponly
- # and other tools will break because of hardcoded passwd
- # location
- dodir /bin
- mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
- dosym ../../bin/passwd /usr/bin/passwd
- fi
-
- cd "${S}" || die
- insinto /etc
- insopts -m0644
- newins etc/login.defs login.defs
-
- set_login_opt CREATE_HOME yes
- if ! use pam ; then
- set_login_opt MAIL_CHECK_ENAB no
- set_login_opt SU_WHEEL_ONLY yes
- set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict
- set_login_opt LOGIN_RETRIES 3
- set_login_opt ENCRYPT_METHOD SHA512
- set_login_opt CONSOLE
- else
- dopamd "${FILESDIR}"/pam.d-include/shadow
-
- for x in chsh chfn ; do
- newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
- done
-
- for x in chpasswd newusers ; do
- newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x}
- done
-
- newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems
-
- # Comment out login.defs options that pam hates
- local opt sed_args=()
- for opt in \
- CHFN_AUTH \
- CONSOLE \
- CRACKLIB_DICTPATH \
- ENV_HZ \
- ENVIRON_FILE \
- FAILLOG_ENAB \
- FTMP_FILE \
- LASTLOG_ENAB \
- MAIL_CHECK_ENAB \
- MOTD_FILE \
- NOLOGINS_FILE \
- OBSCURE_CHECKS_ENAB \
- PASS_ALWAYS_WARN \
- PASS_CHANGE_TRIES \
- PASS_MIN_LEN \
- PORTTIME_CHECKS_ENAB \
- QUOTAS_ENAB \
- SU_WHEEL_ONLY
- do
- set_login_opt ${opt}
- sed_args+=( -e "/^#${opt}\>/b pamnote" )
- done
- sed -i "${sed_args[@]}" \
- -e 'b exit' \
- -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
- -e ': exit' \
- "${ED}"/etc/login.defs || die
-
- # Remove manpages that pam will install for us
- # and/or don't apply when using pam
- find "${ED}"/usr/share/man -type f \
- '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
- -delete
-
- # Remove pam.d files provided by pambase.
- rm "${ED}"/etc/pam.d/{login,passwd} || die
- if use su ; then
- rm "${ED}"/etc/pam.d/su || die
- fi
- fi
-
- # Remove manpages that are handled by other packages
- find "${ED}"/usr/share/man -type f \
- '(' -name id.1 -o -name getspnam.3 ')' \
- -delete || die
-
- if ! use su ; then
- find "${ED}"/usr/share/man -type f -name su.1 -delete || die
- fi
-
- cd "${S}" || die
- dodoc ChangeLog NEWS TODO
- newdoc README README.download
- cd doc || die
- dodoc HOWTO README* WISHLIST *.txt
-
- if use elibc_musl; then
- QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent )
- fi
-}
-
-pkg_preinst() {
- rm -f "${EROOT}"/etc/pam.d/system-auth.new \
- "${EROOT}/etc/login.defs.new"
-}
-
-pkg_postinst() {
- # Missing entries from /etc/passwd can cause odd system blips.
- # See bug #829872.
- if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then
- ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors."
- fi
-
- # Enable shadow groups.
- if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then
- if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then
- grpconv -R "${EROOT:-/}"
- else
- ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
- ewarn "run 'grpconv' afterwards!"
- fi
- fi
-
- [[ ! -f "${EROOT}"/etc/subgid ]] &&
- touch "${EROOT}"/etc/subgid
- [[ ! -f "${EROOT}"/etc/subuid ]] &&
- touch "${EROOT}"/etc/subuid
-
- einfo "The 'adduser' symlink to 'useradd' has been dropped."
-}
diff --git a/sys-apps/shadow/shadow-4.14.2.ebuild b/sys-apps/shadow/shadow-4.14.2.ebuild
index 25b40053cf39..6beec9dc65c5 100644
--- a/sys-apps/shadow/shadow-4.14.2.ebuild
+++ b/sys-apps/shadow/shadow-4.14.2.ebuild
@@ -47,14 +47,6 @@ DEPEND="
"
RDEPEND="
${COMMON_DEPEND}
- !<sys-apps/man-pages-5.11-r1
- !=sys-apps/man-pages-5.12-r0
- !=sys-apps/man-pages-5.12-r1
- nls? (
- !<app-i18n/man-pages-it-5.06-r1
- !<app-i18n/man-pages-ja-20180315-r1
- !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
- )
pam? ( >=sys-auth/pambase-20150213 )
su? ( !sys-apps/util-linux[su(-)] )
"
diff --git a/sys-apps/shadow/shadow-4.14.6-r1.ebuild b/sys-apps/shadow/shadow-4.14.6-r1.ebuild
index 2cfb43e405bd..d5851b0c5875 100644
--- a/sys-apps/shadow/shadow-4.14.6-r1.ebuild
+++ b/sys-apps/shadow/shadow-4.14.6-r1.ebuild
@@ -45,14 +45,6 @@ DEPEND="
"
RDEPEND="
${COMMON_DEPEND}
- !<sys-apps/man-pages-5.11-r1
- !=sys-apps/man-pages-5.12-r0
- !=sys-apps/man-pages-5.12-r1
- nls? (
- !<app-i18n/man-pages-it-5.06-r1
- !<app-i18n/man-pages-ja-20180315-r1
- !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
- )
pam? ( >=sys-auth/pambase-20150213 )
su? ( !sys-apps/util-linux[su(-)] )
"
diff --git a/sys-apps/shadow/shadow-4.14.7.ebuild b/sys-apps/shadow/shadow-4.14.8.ebuild
index 2cfb43e405bd..d43ce3e1a7f8 100644
--- a/sys-apps/shadow/shadow-4.14.7.ebuild
+++ b/sys-apps/shadow/shadow-4.14.8.ebuild
@@ -17,7 +17,7 @@ SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/downloa
LICENSE="BSD GPL-2"
# Subslot is for libsubid's SONAME.
SLOT="0/4"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
IUSE="acl audit cracklib nls pam selinux skey split-usr su systemd xattr"
# Taken from the man/Makefile.am file.
LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
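Review bot: The new `KEYWORDS` line keeps `~hppa` unstable, while this same commit deletes shadow-4.13-r4.ebuild, whose `KEYWORDS` listed `hppa` as stable. The keywords of shadow-4.14.2 and shadow-4.14.6-r1 are not visible in this diff, so if neither is stable on hppa, that architecture is left without a stable shadow ebuild. The removed 4.13-r4 was the one applying the CVE-2023-29383 and gpasswd password-leak backports, so it is worth confirming the hppa stable tree still resolves to a version containing those fixes before the old ebuild goes. If hppa stabilisation is still pending, either keep 4.13-r4 until it lands or record it above the line, e.g. `# hppa stabilisation pending, see bug <BUG-ID placeholder>`.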
@@ -45,14 +45,6 @@ DEPEND="
"
RDEPEND="
${COMMON_DEPEND}
- !<sys-apps/man-pages-5.11-r1
- !=sys-apps/man-pages-5.12-r0
- !=sys-apps/man-pages-5.12-r1
- nls? (
- !<app-i18n/man-pages-it-5.06-r1
- !<app-i18n/man-pages-ja-20180315-r1
- !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
- )
pam? ( >=sys-auth/pambase-20150213 )
su? ( !sys-apps/util-linux[su(-)] )
"