From b978efa000250668b2befa4e2cc96e0afa137611 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sat, 17 Jun 2023 07:43:56 +0100 Subject: gentoo auto-resync : 17:06:2023 - 07:43:56 --- sys-apps/Manifest.gz | Bin 49883 -> 49872 bytes sys-apps/dmidecode/Manifest | 2 +- sys-apps/dmidecode/dmidecode-3.5-r2.ebuild | 2 +- sys-apps/gawk/Manifest | 2 +- sys-apps/gawk/gawk-5.2.2.ebuild | 2 +- sys-apps/hwdata/Manifest | 2 +- sys-apps/hwdata/hwdata-0.371.ebuild | 2 +- sys-apps/less/Manifest | 2 +- sys-apps/less/less-633.ebuild | 2 +- sys-apps/shadow/Manifest | 3 + .../shadow/files/shadow-4.13-password-leak.patch | 135 +++++++++++ .../files/shadow-4.13-usermod-prefix-gid.patch | 33 +++ sys-apps/shadow/shadow-4.13-r4.ebuild | 268 +++++++++++++++++++++ 13 files changed, 447 insertions(+), 8 deletions(-) create mode 100644 sys-apps/shadow/files/shadow-4.13-password-leak.patch create mode 100644 sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch create mode 100644 sys-apps/shadow/shadow-4.13-r4.ebuild (limited to 'sys-apps') diff --git a/sys-apps/Manifest.gz b/sys-apps/Manifest.gz index 2ddd3683c165..b3aac307d84e 100644 Binary files a/sys-apps/Manifest.gz and b/sys-apps/Manifest.gz differ diff --git a/sys-apps/dmidecode/Manifest b/sys-apps/dmidecode/Manifest index e39574b53876..50f9725a054e 100644 --- a/sys-apps/dmidecode/Manifest +++ b/sys-apps/dmidecode/Manifest @@ -3,5 +3,5 @@ DIST dmidecode-3.4.tar.xz 61420 BLAKE2B f9f0429c5128692c2d1d560580552285ea900c1c DIST dmidecode-3.5.tar.xz 65068 BLAKE2B 07cc4c069dc1cba36160de158c4d0390df9b77b4192f5847df0756f9e097a7fbc751cd7b5b073df7661267ab78ea0d9be2831d70ddda8d1981c628f3cfee8802 SHA512 690c9bea391f6bbfc8cd48e8db408a61d5b551a07a2823c29d03a09607fc2043cc1bea44ee9fd27fd0e7bc0b287bf9de9f22a1a66053f5b1e63d77c03d93e1ae EBUILD dmidecode-3.4-r1.ebuild 1254 BLAKE2B 61d66053e0b1ce8067c8a9ea9f2f4bf73adabbd48de1b3681a0e9f5f87688ec91bd968f373a512df710c94c99992a3577804b106d3a730797b5b026c519de4cc SHA512 db523a6849344cd14fd6df62e29ea2f6d5efd57a4b919848da555c88e65d9ddccb2844f036998c1652a2796c978adc24b51397213432ccfa9620c6003268334e EBUILD dmidecode-3.5-r1.ebuild 1254 BLAKE2B 61d66053e0b1ce8067c8a9ea9f2f4bf73adabbd48de1b3681a0e9f5f87688ec91bd968f373a512df710c94c99992a3577804b106d3a730797b5b026c519de4cc SHA512 db523a6849344cd14fd6df62e29ea2f6d5efd57a4b919848da555c88e65d9ddccb2844f036998c1652a2796c978adc24b51397213432ccfa9620c6003268334e -EBUILD dmidecode-3.5-r2.ebuild 1331 BLAKE2B a50dd318b4597a208946b503c7c71d27b5f92f21db33cb0f051014f7c46fe2143d7232c68fd255ddfe9dff963ca9b178710a19f6b5f568ad56944dc90ddf2fba SHA512 6aaf14f225ac57bf9f444daa9529143e17a931d7002b18b42799177f66cd597de677c5a2a007021b87c737e9e8d2afc2d3e82bfe35c6a69981058bb132dc549f +EBUILD dmidecode-3.5-r2.ebuild 1330 BLAKE2B f36092eaed66063a5ba80863ae803adb65c280566884f5f34f1ba8842c014b5c203cd6ce6fddddbd598e3237aa6d708f9441805004062a1036383f9702a6ba7c SHA512 4ec7628a10615f19c7bb5e6f85d07a468e0830bb630544ecc565ee2ae48d5ca979c4523f273d5cfb260c82e7ad94dce080f5c0f84941e0099b9a87febc599f28 MISC metadata.xml 254 BLAKE2B f3a9f843cf94243d1129711770df727fcdc8808bca829ef784819cab6f5410dfa463cfed85182f8228c7de796a674dd602653ad3ef817a62c0c3e7198b23befe SHA512 b9fcd3084a7e197f6138e1ce8b0eff99c4c203c37a7d5c40de207040ba1501ef0e5b2f4e00216a567037bcd6d3394fdec6ff587484c9ba2fca9d04f431733b7c diff --git a/sys-apps/dmidecode/dmidecode-3.5-r2.ebuild b/sys-apps/dmidecode/dmidecode-3.5-r2.ebuild index d7c7e894b84d..b2ffe976bb4b 100644 --- a/sys-apps/dmidecode/dmidecode-3.5-r2.ebuild +++ b/sys-apps/dmidecode/dmidecode-3.5-r2.ebuild @@ -13,7 +13,7 @@ SRC_URI="https://savannah.nongnu.org/download/${PN}/${P}.tar.xz" LICENSE="GPL-2" SLOT="0" -KEYWORDS="-* ~alpha ~amd64 ~arm ~arm64 ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~x86" +KEYWORDS="-* ~alpha ~amd64 ~arm arm64 ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~x86" IUSE="selinux" RDEPEND="selinux? ( sec-policy/selinux-dmidecode )" diff --git a/sys-apps/gawk/Manifest b/sys-apps/gawk/Manifest index 7f8a85ed5510..05bcb58e550d 100644 --- a/sys-apps/gawk/Manifest +++ b/sys-apps/gawk/Manifest @@ -3,5 +3,5 @@ DIST gawk-5.2.1.tar.xz.sig 488 BLAKE2B 5dcdc9ae90d4744a968cc750526a9c1c38915f85c DIST gawk-5.2.2.tar.xz 3402872 BLAKE2B 49dd69d3e2414867d60fe42b74b39bc6858114aeeb9305ade7bfd64f1933b3c93d59d127362b614cb4b73e29279ed3b4ea9fa0da94fce98ca9925980d17b5d0c SHA512 90611e4daba7226d5ce8230843bf479dc71c0101740c005d851ef7c5b935b6cd4c42089b858abc1619adc05ed25fc7234f993690a76d2ea0b8e61bcbb7dc5a58 DIST gawk-5.2.2.tar.xz.sig 488 BLAKE2B ad737580d7eeb556187a3eeb269decb484398ca91b0fbf08da7f78bba92328ca2fb566b00f8e880fb7c5f0f956e49f8ab9fddc73209902c420666d5413e8a467 SHA512 563911c3771feddf64810ef2480705fd470c90380c0e258940cedeef3f15d594ef657ddab267a6d958321333d466b77c9b83be2392549c959245324950fb32ed EBUILD gawk-5.2.1.ebuild 3506 BLAKE2B 1363dfbda07f8249a123c3892dd844ca7427d8f506f7b43a22897b5eebc7202535fc28b7bf75db0ae60296c06f36f3b6ae44dd3b672670628f0d7bff2e5a6d6f SHA512 404bc69c26e5b621b0e069eab6639a901d064947ed447eb77f1a720afc1fe3c6fc5401c985ce102b7b39a15d22613adc41af87d3511ced29d72893474b35a3eb -EBUILD gawk-5.2.2.ebuild 3516 BLAKE2B 92b7450832c583fb7508674c799e3ca467a8a9ba886a0fa3ad5fe1f489cce6f8157b1a771ff473597d95d2b3098dc5e01ab7360a0e0f68e894e749f6ca2ac17e SHA512 2bd928949ce69a5fc77793849749844e3b7420c8fbeeb11a11a693b51f5745d897f84049550cded50f6bfe9b8b0c7e5df9c1996924835444a39c177c3d2762c7 +EBUILD gawk-5.2.2.ebuild 3514 BLAKE2B 2a6c272609c8da33d3bac85cb94484322162b893e4443630210986e01ece7a45b94290a9f9b26f49d770ab468782cbea43e839f6f3303fdb1ad61869746169d3 SHA512 057bc60383001ec95d7046250d27793f91a687e3dacb2758fb1653916679e1ad5ff7c3e19818fa8986fb323e2b100f9563eb6f70750658faa66bca619d6f1fb4 MISC metadata.xml 654 BLAKE2B e04183a376da2006e727296257a18431f2e4f29fdabcee48edebb1c9dbf099c846af6bfe90d9e551ec4536c2dd034a80b47e6a1b8e442a89c1228929bef7d956 SHA512 9bb5a19c4b9a8ff7669c7ae7320a88d64eb68b4897f06d2046f71efe562a4846cb8c611bcc03b0111dfde19b40275f3357a5cd6285d4d5f0b4464a9c8b3eacb2 diff --git a/sys-apps/gawk/gawk-5.2.2.ebuild b/sys-apps/gawk/gawk-5.2.2.ebuild index 8b74b93b6779..93ef4711cb84 100644 --- a/sys-apps/gawk/gawk-5.2.2.ebuild +++ b/sys-apps/gawk/gawk-5.2.2.ebuild @@ -29,7 +29,7 @@ else SRC_URI="mirror://gnu/gawk/${P}.tar.xz" SRC_URI+=" verify-sig? ( mirror://gnu/gawk/${P}.tar.xz.sig )" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi LICENSE="GPL-3+" diff --git a/sys-apps/hwdata/Manifest b/sys-apps/hwdata/Manifest index 63172c9fafde..c9b3612caddd 100644 --- a/sys-apps/hwdata/Manifest +++ b/sys-apps/hwdata/Manifest @@ -5,5 +5,5 @@ DIST hwdata-0.371.tar.gz 2340297 BLAKE2B bb92b6d4f66879eacc1efae13ff1a5fe5801461 EBUILD hwdata-0.367.ebuild 694 BLAKE2B e65d661084c4d61beaf449b8f7b8db5ba3bea6d2ccb93776d93dc077f26f74bcca40e89eafddacac44f67faaa568012c3c01c679bcc5dcb210889356b4d7d81b SHA512 087f7c7157e38023f3f3121237dc930fb69abca7b0523907a01463d011380d0f78d15bb4ace04deb08082af5d03fa7a1371d196ca34e31bc4d14b36e681ea077 EBUILD hwdata-0.369.ebuild 694 BLAKE2B e65d661084c4d61beaf449b8f7b8db5ba3bea6d2ccb93776d93dc077f26f74bcca40e89eafddacac44f67faaa568012c3c01c679bcc5dcb210889356b4d7d81b SHA512 087f7c7157e38023f3f3121237dc930fb69abca7b0523907a01463d011380d0f78d15bb4ace04deb08082af5d03fa7a1371d196ca34e31bc4d14b36e681ea077 EBUILD hwdata-0.370.ebuild 694 BLAKE2B e65d661084c4d61beaf449b8f7b8db5ba3bea6d2ccb93776d93dc077f26f74bcca40e89eafddacac44f67faaa568012c3c01c679bcc5dcb210889356b4d7d81b SHA512 087f7c7157e38023f3f3121237dc930fb69abca7b0523907a01463d011380d0f78d15bb4ace04deb08082af5d03fa7a1371d196ca34e31bc4d14b36e681ea077 -EBUILD hwdata-0.371.ebuild 702 BLAKE2B 8734f2398aa66f05a6f68ace57d21a1cb515babef49888824257eb354da537d84f396c38a216ec071b6caa5b38a841c4049e3108d2ffd99cdfbc3bff8c64c045 SHA512 6dffe93d4582d6bd7c50d0a57bc6d067693c897dbd33c1ffc75b514065b64fad66d805d26f69d6af927813920b9ad5072f5a6eda118cb0942d66ec78c1a76088 +EBUILD hwdata-0.371.ebuild 694 BLAKE2B e65d661084c4d61beaf449b8f7b8db5ba3bea6d2ccb93776d93dc077f26f74bcca40e89eafddacac44f67faaa568012c3c01c679bcc5dcb210889356b4d7d81b SHA512 087f7c7157e38023f3f3121237dc930fb69abca7b0523907a01463d011380d0f78d15bb4ace04deb08082af5d03fa7a1371d196ca34e31bc4d14b36e681ea077 MISC metadata.xml 328 BLAKE2B cf72c9663e944154e41475067b5e89dbfcd50f0c771e17dddfb6042a2ccb10693d7ef6eb7508e9ec7a50cbc59e8e47698030a5c1e18accd79040d4318416eb54 SHA512 f366d006f709fabe624840768aa780982884ba8a74f3ac121e323995e218a577dc5a4d34d9dcbec44571580d388967d78350d4540316444ddaf014b99db804e7 diff --git a/sys-apps/hwdata/hwdata-0.371.ebuild b/sys-apps/hwdata/hwdata-0.371.ebuild index afddd20d2fd1..b5d599c17b39 100644 --- a/sys-apps/hwdata/hwdata-0.371.ebuild +++ b/sys-apps/hwdata/hwdata-0.371.ebuild @@ -11,7 +11,7 @@ SRC_URI="https://github.com/vcrhonek/hwdata/archive/refs/tags/v${PV}.tar.gz -> $ LICENSE="GPL-2+" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux" RESTRICT="test" diff --git a/sys-apps/less/Manifest b/sys-apps/less/Manifest index 27d724d121b0..76afa523971a 100644 --- a/sys-apps/less/Manifest +++ b/sys-apps/less/Manifest @@ -8,6 +8,6 @@ DIST less-633.tar.gz 375733 BLAKE2B e9df180794af365f86734c6b8fde766c1bba42b11171 EBUILD less-608-r1.ebuild 1587 BLAKE2B 68675bd30388ab95aa57d8fc90bcd98fc6b27f26e9bd77d193880726fbcb9b141b8d916164bca303b12f330fa88dd62afb93d9eaff23f8b626bbbfb73d5c2bc5 SHA512 f05b649f662a46232fd2ba93335ff906ed7457b4f3581a48d0d273f1744ca39d1cdd90502a1a6e6770cba17091663107a5071b974217485fd1bc3218dfe55537 EBUILD less-608-r2.ebuild 1634 BLAKE2B 87c9824276ec63f523bef354cdc92a91f6771e43adcf141c8a8e0b6ae20eb2391a15bdd8c37d18527d04135c873fe4330207bcbd331fabf20f7c3e0cbfc03343 SHA512 5f97824ddd3760ddc995d2eff9d915f023e9162a803e1fcc098abc2cd56745b250df1b37646e7cb533c74bbd3436bc4784e70f3cd7cd76716dfe7a32acdc6279 EBUILD less-632.ebuild 2188 BLAKE2B 3157e4c5b111b0f1b8e1ef9a9a437474f5380af2b6bbc7e1011d102b6d6cefd788fe2c60bb7d272f0fcdf69db0fd1692c66a42bb47b648f94dfe3281ecdebdc6 SHA512 299d40de3ac0c4d3a9321dca6efbc44aad50066fabe324c0e0cea407469adf374b26887cd4ca1347cec99eb6c2037d3fff2e8cbc764d44ee509759b27f588b1e -EBUILD less-633.ebuild 2196 BLAKE2B 5029b2a8d8dbaa4b10272dd8327ce8c3447729ebbfdf06ac7783a036e03719fe6707039100054c1a9cd4014317b2a1e0f5d6c1baf9c545e9c62963a6115ee9a6 SHA512 7a41769096ec6a680541f67101781672037f688078e02adefcb36a93db2610298ae456482f63d23dfee4ae696fcb090bf127e75783d038d63cf18f95ba10dcb4 +EBUILD less-633.ebuild 2194 BLAKE2B b7261757e810322aa389f42a15f16154796ed18626dfc5031280f93acd52a9a1ac3cef39f2057fdfe455c6709e5f11fa8b18e6d084a420bdf0274089a4c8933e SHA512 fa24c9d0ce41ca8b8fa1a9f51a5df458e57a9978070eeb70472307915f1e2fefce19f9181f94f8a8edeb358368784f4f93b9a59413f48d31266dde7ec04e4aec EBUILD less-9999.ebuild 2196 BLAKE2B 5029b2a8d8dbaa4b10272dd8327ce8c3447729ebbfdf06ac7783a036e03719fe6707039100054c1a9cd4014317b2a1e0f5d6c1baf9c545e9c62963a6115ee9a6 SHA512 7a41769096ec6a680541f67101781672037f688078e02adefcb36a93db2610298ae456482f63d23dfee4ae696fcb090bf127e75783d038d63cf18f95ba10dcb4 MISC metadata.xml 384 BLAKE2B ab69cbf4d7813bc4c96dc1c18ca35454dc9e9202bc95e3ff3b638c79b6cff4f9914fba1e7a35908aa305567a3874d3ead3a78f5faa83c9fbd3027afe12767eac SHA512 d799332d42f1c3115132216b3ba98a39f662d583aecb06fa2590e3da4c03b0ec07bab1eb0bbd397ef8249a5916ca9b457992c226899f66d4f4bef8bf1a20074f diff --git a/sys-apps/less/less-633.ebuild b/sys-apps/less/less-633.ebuild index 40f831510273..5516c5c8127f 100644 --- a/sys-apps/less/less-633.ebuild +++ b/sys-apps/less/less-633.ebuild @@ -28,7 +28,7 @@ S="${WORKDIR}"/${MY_P/?beta} LICENSE="|| ( GPL-3 BSD-2 )" SLOT="0" if [[ ${PV} != 9999 && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi IUSE="pcre" # As of 623_beta, lesstest is not included in dist tarballs diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest index 147b488b3aff..7d8294ec2b08 100644 --- a/sys-apps/shadow/Manifest +++ b/sys-apps/shadow/Manifest @@ -5,7 +5,10 @@ AUX pam.d-include/shadow 152 BLAKE2B 82d1f678abc60586ea873da7e2f4907349d77a64085 AUX pam.d-include/shadow-r1 116 BLAKE2B bc7baa8e224cb90b6ef79762941b3b7505fcf4b8ed8c5da06a33a8a7fefa91098e4ac0c0f915eeca4a19714d60a2bf43e3922805347e3dfe0ccc80f210bf88e4 SHA512 ddecc5cc8f667f9931ddf5d98d89a986712c5a6e44826add1e1d9ead37064758a3879f6afd1fc45c89c216956593852051e2ef3abc52e2ab58a0e191adfe75d1 AUX shadow-4.13-CVE-2023-29383.patch 3022 BLAKE2B 7ad4eeef9bbaf49b8388b7bbcfd2b814ed8862056242085d7261064f7447e610f3476cb45fb57acbe0b5eb1486389bdf93dcc196853c7fe4555750d2c0dcd1c8 SHA512 dd042d4be4dcbcdf63293598530225454cc7818e7ed6c59ab00fb19517b8ec503f6f82de0d347cc03dfcd1d65a1f65f623181838710db6d4fec84b14d7ffe530 AUX shadow-4.13-configure-clang16.patch 1129 BLAKE2B 701c7e417c57265d9a7a2ee8eb6620ef6846018de24edacc04d0d4f63ff2e7e0a67382c459003d2bfa11e4dd3a49a227464315a4ef115da58c27889d7bdd7226 SHA512 057ea8a546953bea88ecb0b787b37d24113ea4881a9f86e55318647f85f8b56e204dbf3815811897d0cad2a8e50427c9fa84b6389e332e26c8cacc690835a942 +AUX shadow-4.13-password-leak.patch 5271 BLAKE2B 9f47502e0463e7c00d29c0a42071c49a23e82364d244a9fd61358c605f68bc30beb22fe501f9db19cadfa0c658bd46ddd777cdae058b500d70e9443263ca5f0b SHA512 40a7259467bd63d691e46f59e53348150d4b0f806375144cff9c51a28c95c9bc8c43da76245afb7f4cbfa292e7e19d43458290fe14bd32c985f844de64c76e61 +AUX shadow-4.13-usermod-prefix-gid.patch 1206 BLAKE2B 8efa85ab6c4eee199b5cd21f706d39910393ae9f2bd8af9a2e49d058be6ec41bd37d1624ec85a94b6adb24597bc599f3b0e624286c10aa8b1e0022795cd1b89a SHA512 e38332b073497f53ccafff1d8c31910b3d9b692ac267758536585499f6ce68bed45097558689f3dbda6ddeaf762bf20072de6124ef053fbe807aa3543553142f DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc SHA512 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648 EBUILD shadow-4.13-r3.ebuild 6691 BLAKE2B d0c7fc3f67abff01e1d4e837e48070f7e2ffb9d1c207ddfa0473fce913f5696dad249392a86d4c0e7f4d2d549544b2496707d5070138eee3a2921c102b385197 SHA512 933cf33c7134e40bd1d3f8802590605a2df5c0c6943358098b9e7cb62a97e7f89e4aa8a903a92c64182f92aca888dbbd2c326b8ea4eb5501f2805c36f70c74ef +EBUILD shadow-4.13-r4.ebuild 6780 BLAKE2B d2b3959e69149603a2d6463e079518f015391dd68516f7ebd6cfb896011b9aaf5396f46f62a2a605ca61e76dcc1f2253804d03f8c6aee8b463ab288e655d7674 SHA512 60976e91c3bd9bf5dae03ddd32cdbd713139cb1abfe784e29ce9e15e24ea1b1a899d78604667268e85fadd86143fca8a055f68b60de648ea49d3641a78af5dc7 MISC metadata.xml 606 BLAKE2B 2b14042f4702a908f8250c3fb6499ea33d8a8c44072707aa44881a36e3cc710256a821f8cd82c5214b32e9f5632745db4fdf00dd722f6fb7401e2f6b0bfbb4fd SHA512 694e039ae781982e8cbe6670b4e9c93b43455715ce4b9830a5fa61e6bf3eb91abcc284bf29c64fab055ba9754edaeab5d2da8140dbb2794fc1f534e2ccbb2b16 diff --git a/sys-apps/shadow/files/shadow-4.13-password-leak.patch b/sys-apps/shadow/files/shadow-4.13-password-leak.patch new file mode 100644 index 000000000000..25b5ec39c5f8 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.13-password-leak.patch @@ -0,0 +1,135 @@ +https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 + +From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. + +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. + +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") +Reported-by: Alejandro Colomar +Cc: Serge Hallyn +Cc: Iker Pedrosa +Cc: Seth Arnold +Cc: Christian Brauner +Cc: Balint Reczey +Cc: Sam James +Cc: David Runge +Cc: Andreas Jaeger +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr) + erase_pass (cp); + cp = agetpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + diff --git a/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch b/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch new file mode 100644 index 000000000000..50cbe699d15e --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch @@ -0,0 +1,33 @@ +https://bugs.gentoo.org/903083 +https://github.com/shadow-maint/shadow/pull/691 +https://github.com/shadow-maint/shadow/commit/bd2d0079c90241f24671a7946a3ad175dc1a3aeb + +From fcb04de38a0ddc263288a1c450b35bfb1503d523 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Sat, 25 Mar 2023 21:16:55 -0400 +Subject: [PATCH] usermod: respect --prefix for --gid option + +The --gid option accepts a group name or id. When a name is provided, it +is resolved to an id by looking up the name in the group database +(/etc/group). + +The --prefix option overides the location of the passwd and group +databases. I suspect the --gid option was overlooked when wiring up the +--prefix option. + +useradd --gid already respects --prefix; this change makes usermod +behave the same way. + +Fixes: b6b2c756c91806b1c3e150ea0ee4721c6cdaf9d0 +Signed-off-by: Mike Gilbert +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -1072,7 +1072,7 @@ static void process_flags (int argc, char **argv) + fflg = true; + break; + case 'g': +- grp = getgr_nam_gid (optarg); ++ grp = prefix_getgr_nam_gid (optarg); + if (NULL == grp) { + fprintf (stderr, + _("%s: group '%s' does not exist\n"), diff --git a/sys-apps/shadow/shadow-4.13-r4.ebuild b/sys-apps/shadow/shadow-4.13-r4.ebuild new file mode 100644 index 000000000000..aa20387a875e --- /dev/null +++ b/sys-apps/shadow/shadow-4.13-r4.ebuild @@ -0,0 +1,268 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Upstream sometimes pushes releases as pre-releases before marking them +# official. Don't keyword the pre-releases! +# Check https://github.com/shadow-maint/shadow/releases. + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sergehallyn.asc +inherit libtool pam verify-sig + +DESCRIPTION="Utilities to deal with user accounts" +HOMEPAGE="https://github.com/shadow-maint/shadow" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" +SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )" + +LICENSE="BSD GPL-2" +# Subslot is for libsubid's SONAME. +SLOT="0/4" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr" +# Taken from the man/Makefile.am file. +LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) + +REQUIRED_USE="?? ( cracklib pam )" + +COMMON_DEPEND=" + virtual/libcrypt:= + acl? ( sys-apps/acl:= ) + audit? ( >=sys-process/audit-2.6:= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:= ) + nls? ( virtual/libintl ) + pam? ( sys-libs/pam:= ) + skey? ( sys-auth/skey:= ) + selinux? ( + >=sys-libs/libselinux-1.28:= + sys-libs/libsemanage:= + ) + xattr? ( sys-apps/attr:= ) +" +DEPEND=" + ${COMMON_DEPEND} + >=sys-kernel/linux-headers-4.14 +" +RDEPEND=" + ${COMMON_DEPEND} + !=sys-auth/pambase-20150213 ) + su? ( !sys-apps/util-linux[su(-)] ) +" +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext + verify-sig? ( sec-keys/openpgp-keys-sergehallyn ) +" + +PATCHES=( + "${FILESDIR}"/${P}-configure-clang16.patch + "${FILESDIR}"/${P}-CVE-2023-29383.patch + "${FILESDIR}"/${P}-usermod-prefix-gid.patch + "${FILESDIR}"/${P}-password-leak.patch +) + +src_prepare() { + default + + elibtoolize +} + +src_configure() { + local myeconfargs=( + --disable-account-tools-setuid + --disable-static + --with-btrfs + --without-group-name-max-length + --without-tcb + $(use_enable nls) + $(use_with acl) + $(use_with audit) + $(use_with bcrypt) + $(use_with cracklib libcrack) + $(use_with elibc_glibc nscd) + $(use_with pam libpam) + $(use_with selinux) + $(use_with skey) + $(use_with su) + $(use_with xattr attr) + ) + + econf "${myeconfargs[@]}" + + if use nls ; then + local l langs="po" # These are the pot files. + for l in ${LANGS[*]} ; do + has ${l} ${LINGUAS-${l}} && langs+=" ${l}" + done + sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die + fi +} + +set_login_opt() { + local comment="" opt=${1} val=${2} + if [[ -z ${val} ]]; then + comment="#" + sed -i \ + -e "/^${opt}\>/s:^:#:" \ + "${ED}"/etc/login.defs || die + else + sed -i -r \ + -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ + "${ED}"/etc/login.defs + fi + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" +} + +src_install() { + emake DESTDIR="${D}" suidperms=4711 install + + # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389 + emake DESTDIR="${D}" -C man install + + find "${ED}" -name '*.la' -type f -delete || die + + insinto /etc + if ! use pam ; then + insopts -m0600 + doins etc/login.access etc/limits + fi + + # needed for 'useradd -D' + insinto /etc/default + insopts -m0600 + doins "${FILESDIR}"/default/useradd + + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc + insopts -m0644 + newins etc/login.defs login.defs + + set_login_opt CREATE_HOME yes + if ! use pam ; then + set_login_opt MAIL_CHECK_ENAB no + set_login_opt SU_WHEEL_ONLY yes + set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict + set_login_opt LOGIN_RETRIES 3 + set_login_opt ENCRYPT_METHOD SHA512 + set_login_opt CONSOLE + else + dopamd "${FILESDIR}"/pam.d-include/shadow + + for x in chsh chfn ; do + newpamd "${FILESDIR}"/pam.d-include/passwd ${x} + done + + for x in chpasswd newusers ; do + newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x} + done + + newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems + + # Comment out login.defs options that pam hates + local opt sed_args=() + for opt in \ + CHFN_AUTH \ + CONSOLE \ + CRACKLIB_DICTPATH \ + ENV_HZ \ + ENVIRON_FILE \ + FAILLOG_ENAB \ + FTMP_FILE \ + LASTLOG_ENAB \ + MAIL_CHECK_ENAB \ + MOTD_FILE \ + NOLOGINS_FILE \ + OBSCURE_CHECKS_ENAB \ + PASS_ALWAYS_WARN \ + PASS_CHANGE_TRIES \ + PASS_MIN_LEN \ + PORTTIME_CHECKS_ENAB \ + QUOTAS_ENAB \ + SU_WHEEL_ONLY + do + set_login_opt ${opt} + sed_args+=( -e "/^#${opt}\>/b pamnote" ) + done + sed -i "${sed_args[@]}" \ + -e 'b exit' \ + -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ + -e ': exit' \ + "${ED}"/etc/login.defs || die + + # Remove manpages that pam will install for us + # and/or don't apply when using pam + find "${ED}"/usr/share/man -type f \ + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ + -delete + + # Remove pam.d files provided by pambase. + rm "${ED}"/etc/pam.d/{login,passwd} || die + if use su ; then + rm "${ED}"/etc/pam.d/su || die + fi + fi + + # Remove manpages that are handled by other packages + find "${ED}"/usr/share/man -type f \ + '(' -name id.1 -o -name getspnam.3 ')' \ + -delete || die + + if ! use su ; then + find "${ED}"/usr/share/man -type f -name su.1 -delete || die + fi + + cd "${S}" || die + dodoc ChangeLog NEWS TODO + newdoc README README.download + cd doc || die + dodoc HOWTO README* WISHLIST *.txt +} + +pkg_preinst() { + rm -f "${EROOT}"/etc/pam.d/system-auth.new \ + "${EROOT}/etc/login.defs.new" +} + +pkg_postinst() { + # Missing entries from /etc/passwd can cause odd system blips. + # See bug #829872. + if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then + ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." + fi + + # Enable shadow groups. + if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then + if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then + grpconv -R "${EROOT:-/}" + else + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "run 'grpconv' afterwards!" + fi + fi + + [[ ! -f "${EROOT}"/etc/subgid ]] && + touch "${EROOT}"/etc/subgid + [[ ! -f "${EROOT}"/etc/subuid ]] && + touch "${EROOT}"/etc/subuid + + einfo "The 'adduser' symlink to 'useradd' has been dropped." +} -- cgit v1.2.3