From 32e366e6321c73a2a76d019257c3578f20d9e0fc Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 21 Sep 2023 20:27:58 +0000 Subject: [PATCH] import CS shadow-utils-4.9-8.el9 --- ...shadow-4.9-gpasswd-fix-password-leak.patch | 11 + .../shadow-4.9-skip-over-reserved-ids.patch | 214 ++++++++++++++++++ ...-useradd-check-if-subid-range-exists.patch | 38 ++++ SPECS/shadow-utils.spec | 18 +- 4 files changed, 280 insertions(+), 1 deletion(-) create mode 100644 SOURCES/shadow-4.9-gpasswd-fix-password-leak.patch create mode 100644 SOURCES/shadow-4.9-skip-over-reserved-ids.patch create mode 100644 SOURCES/shadow-4.9-useradd-check-if-subid-range-exists.patch diff --git a/SOURCES/shadow-4.9-gpasswd-fix-password-leak.patch b/SOURCES/shadow-4.9-gpasswd-fix-password-leak.patch new file mode 100644 index 0000000..61bf8c0 --- /dev/null +++ b/SOURCES/shadow-4.9-gpasswd-fix-password-leak.patch @@ -0,0 +1,11 @@ +diff -up shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak shadow-4.9/src/gpasswd.c +--- shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak 2023-07-12 09:38:32.062546006 +0200 ++++ shadow-4.9/src/gpasswd.c 2023-07-12 09:42:33.194154548 +0200 +@@ -857,6 +857,7 @@ static void change_passwd (struct group + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + diff --git a/SOURCES/shadow-4.9-skip-over-reserved-ids.patch b/SOURCES/shadow-4.9-skip-over-reserved-ids.patch new file mode 100644 index 0000000..efce55a --- /dev/null +++ b/SOURCES/shadow-4.9-skip-over-reserved-ids.patch @@ -0,0 +1,214 @@ +From baae5b4a06c905d9f52ed1f922a0d7d0625d11cf Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Wed, 1 Feb 2023 15:36:41 +0100 +Subject: [PATCH] find_new_[gu]id(): Skip over IDs that are reserved for legacy + reasons + +Some programs don't support `(uint16_t) -1` or `(uint32_t) -1` as user +or group IDs. This is because `-1` is used as an error code or as an +unspecified ID, e.g. in `chown(2)` parameters, and in the past, `gid_t` +and `uid_t` have changed width. For legacy reasons, those values have +been kept reserved in programs today (for example systemd does this; see +the documentation in the link below). + +This should not be confused with catching overflow in the ID values, +since that is already caught by our ERANGE checks. This is about not +using reserved values that have been reserved for legacy reasons. + +Link: +Reviewed-by: Alejandro Colomar +Signed-off-by: Martin Kletzander +--- + libmisc/find_new_gid.c | 38 ++++++++++++++++++++++++++++---------- + libmisc/find_new_uid.c | 38 ++++++++++++++++++++++++++++---------- + 2 files changed, 56 insertions(+), 20 deletions(-) + +diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c +index 70ba95a2..da1d8d55 100644 +--- a/libmisc/find_new_gid.c ++++ b/libmisc/find_new_gid.c +@@ -98,6 +98,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id, + * + * On success, return 0 + * If the ID is in use, return EEXIST ++ * If the ID might clash with -1, return EINVAL + * If the ID is outside the range, return ERANGE + * In other cases, return errno from getgrgid() + */ +@@ -111,6 +112,11 @@ static int check_gid (const gid_t gid, + return ERANGE; + } + ++ /* Check for compatibility with 16b and 32b gid_t error codes */ ++ if (gid == UINT16_MAX || gid == UINT32_MAX) { ++ return EINVAL; ++ } ++ + /* + * Check whether we already detected this GID + * using the gr_next() loop +@@ -182,10 +188,10 @@ int find_new_gid (bool sys_group, + * gr_locate_gid() found the GID in an as-yet uncommitted + * entry. We'll proceed below and auto-set a GID. + */ +- } else if (result == EEXIST || result == ERANGE) { ++ } else if (result == EEXIST || result == ERANGE || result == EINVAL) { + /* + * Continue on below. At this time, we won't +- * treat these two cases differently. ++ * treat these three cases differently. + */ + } else { + /* +@@ -296,8 +302,11 @@ int find_new_gid (bool sys_group, + *gid = id; + free (used_gids); + return 0; +- } else if (result == EEXIST) { +- /* This GID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +@@ -339,8 +348,11 @@ int find_new_gid (bool sys_group, + *gid = id; + free (used_gids); + return 0; +- } else if (result == EEXIST) { +- /* This GID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +@@ -399,8 +411,11 @@ int find_new_gid (bool sys_group, + *gid = id; + free (used_gids); + return 0; +- } else if (result == EEXIST) { +- /* This GID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +@@ -442,8 +457,11 @@ int find_new_gid (bool sys_group, + *gid = id; + free (used_gids); + return 0; +- } else if (result == EEXIST) { +- /* This GID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +diff --git a/libmisc/find_new_uid.c b/libmisc/find_new_uid.c +index 6b71dfe5..09885236 100644 +--- a/libmisc/find_new_uid.c ++++ b/libmisc/find_new_uid.c +@@ -98,6 +98,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id, + * + * On success, return 0 + * If the ID is in use, return EEXIST ++ * If the ID might clash with -1, return EINVAL + * If the ID is outside the range, return ERANGE + * In other cases, return errno from getpwuid() + */ +@@ -111,6 +112,11 @@ static int check_uid(const uid_t uid, + return ERANGE; + } + ++ /* Check for compatibility with 16b and 32b uid_t error codes */ ++ if (uid == UINT16_MAX || uid == UINT32_MAX) { ++ return EINVAL; ++ } ++ + /* + * Check whether we already detected this UID + * using the pw_next() loop +@@ -182,10 +188,10 @@ int find_new_uid(bool sys_user, + * pw_locate_uid() found the UID in an as-yet uncommitted + * entry. We'll proceed below and auto-set an UID. + */ +- } else if (result == EEXIST || result == ERANGE) { ++ } else if (result == EEXIST || result == ERANGE || result == EINVAL) { + /* + * Continue on below. At this time, we won't +- * treat these two cases differently. ++ * treat these three cases differently. + */ + } else { + /* +@@ -296,8 +302,11 @@ int find_new_uid(bool sys_user, + *uid = id; + free (used_uids); + return 0; +- } else if (result == EEXIST) { +- /* This UID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +@@ -339,8 +348,11 @@ int find_new_uid(bool sys_user, + *uid = id; + free (used_uids); + return 0; +- } else if (result == EEXIST) { +- /* This UID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +@@ -399,8 +411,11 @@ int find_new_uid(bool sys_user, + *uid = id; + free (used_uids); + return 0; +- } else if (result == EEXIST) { +- /* This UID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +@@ -442,8 +457,11 @@ int find_new_uid(bool sys_user, + *uid = id; + free (used_uids); + return 0; +- } else if (result == EEXIST) { +- /* This UID is in use, we'll continue to the next */ ++ } else if (result == EEXIST || result == EINVAL) { ++ /* ++ * This GID is in use or unusable, we'll ++ * continue to the next. ++ */ + } else { + /* + * An unexpected error occurred. +-- +2.40.1 + diff --git a/SOURCES/shadow-4.9-useradd-check-if-subid-range-exists.patch b/SOURCES/shadow-4.9-useradd-check-if-subid-range-exists.patch new file mode 100644 index 0000000..8f49316 --- /dev/null +++ b/SOURCES/shadow-4.9-useradd-check-if-subid-range-exists.patch @@ -0,0 +1,38 @@ +From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Mon, 24 Oct 2022 10:46:36 +0200 +Subject: [PATCH] useradd: check if subid range exists for user + +Check if a user already has a subid range before assigning one. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929 + +Signed-off-by: Iker Pedrosa +--- + src/useradd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/useradd.c b/src/useradd.c +index 7ea0a9c4..e784d602 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count) + fail_exit (E_PW_UPDATE); + } + #ifdef ENABLE_SUBIDS +- if (is_sub_uid && ++ if (is_sub_uid && !local_sub_uid_assigned(user_name) && + (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry\n"), + Prog, sub_uid_dbname ()); + fail_exit (E_SUB_UID_UPDATE); + } +- if (is_sub_gid && ++ if (is_sub_gid && !local_sub_gid_assigned(user_name) && + (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry\n"), +-- +2.40.1 + diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec index be0fc8b..aba5b0b 100644 --- a/SPECS/shadow-utils.spec +++ b/SPECS/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.9 -Release: 6%{?dist} +Release: 8%{?dist} Epoch: 2 License: BSD and GPLv2+ URL: https://github.com/shadow-maint/shadow @@ -74,6 +74,12 @@ Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch # https://github.com/shadow-maint/shadow/commit/0593b330d8413e9694b5d6783bb90974c9b141c5 # https://github.com/shadow-maint/shadow/commit/45d674621918664c8736f94f862e86bddf4c3fd4 Patch27: shadow-4.9-badname-special-characters.patch +# https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7 +Patch28: shadow-4.9-useradd-check-if-subid-range-exists.patch +# https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf +Patch29: shadow-4.9-skip-over-reserved-ids.patch +# https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 +Patch30: shadow-4.9-gpasswd-fix-password-leak.patch ### Dependencies ### Requires: audit-libs >= 1.6.5 @@ -162,6 +168,9 @@ Development files for shadow-utils-subid. %patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users %patch26 -p1 -b .subordinateio-compare-owner-ID %patch27 -p1 -b .badname-special-characters +%patch28 -p1 -b .useradd-check-if-subid-range-exists +%patch29 -p1 -b .skip-over-reserved-ids +%patch30 -p1 -b .gpasswd-fix-password-leak iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -332,6 +341,13 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_libdir}/libsubid.so %changelog +* Wed Jul 12 2023 Iker Pedrosa - 2:4.9-8 +- gpasswd: fix password leak. Resolves: #2215948 + +* Tue May 16 2023 Iker Pedrosa - 2:4.9-7 +- useradd: check if subid range exists for user. Resolves: #2179987 +- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #2179988 + * Wed Sep 28 2022 Iker Pedrosa - 2:4.9-6 - Change "badnames" to "badname" as this is the accepted option name. Resolves: #2076819