From 334560bfddb61f65fea6befad211d5363bd82e0b Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Wed, 12 Jul 2023 10:17:39 +0200 Subject: [PATCH] gpasswd: fix password leak Resolves: #2215947 Signed-off-by: Iker Pedrosa
---
 shadow-4.6-gpasswd-fix-password-leak.patch | 11 +++++++++++ shadow-utils.spec | 8 +++++++- 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.6-gpasswd-fix-password-leak.patch
diff --git a/shadow-4.6-gpasswd-fix-password-leak.patch b/shadow-4.6-gpasswd-fix-password-leak.patch
new file mode 100644
index 0000000..61bf8c0
--- /dev/null
+++ b/shadow-4.6-gpasswd-fix-password-leak.patch
@@ -0,0 +1,11 @@
+diff -up shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak shadow-4.9/src/gpasswd.c
+--- shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak 2023-07-12 09:38:32.062546006 +0200
++++ shadow-4.9/src/gpasswd.c 2023-07-12 09:42:33.194154548 +0200
+@@ -857,6 +857,7 @@ static void change_passwd (struct group
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+ 
diff --git a/shadow-utils.spec b/shadow-utils.spec
index d0d8b8b..11c1134 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 18%{?dist}
+Release: 19%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
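Review bot: The added `memzero (pass, sizeof pass);` clears the first entry only on the getpass() failure of the re-enter prompt; the comparison of the two entries that follows this hunk presumably also exits or returns with the first password still in `pass`, so confirm that path (outside the hunk) zeroes the buffer as well, otherwise the leak is only half closed. `sizeof pass` is correct only if `pass` is declared as an array in change_passwd rather than a pointer; the declaration is not visible here. It is also worth confirming that `memzero` in this tree is implemented so the compiler cannot drop a store made immediately before `exit (1)` (a volatile-qualified write or `explicit_bzero`), since a plain `memset` at that point is a textbook dead-store-elimination case. change_passwd's body starts and ends outside the hunk.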
@@ -98,6 +98,8 @@ Patch64: shadow-4.9-subordinateio-compare-owner-ID.patch
 Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
 # https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf
 Patch66: shadow-4.6-skip-over-reserved-ids.patch
+# https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
+Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
 
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -200,6 +202,7 @@ Development files for shadow-utils-subid.
 %patch64 -p1 -b .subordinateio-compare-owner-ID
 %patch65 -p1 -b .useradd-check-if-subid-range-exists
 %patch66 -p1 -b .skip-over-reserved-ids
+%patch67 -p1 -b .gpasswd-fix-password-leak
 
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -370,6 +373,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
+* Wed Jul 12 2023 Iker Pedrosa - 2:4.6-19
+- gpasswd: fix password leak. Resolves: #2215947
+
 * Wed May 17 2023 Iker Pedrosa - 2:4.6-18
 - Update patch to close label to reset libselinux state. Resolves: #1984740
 - useradd: check if subid range exists for user. Resolves: #2012929