From c14e44ea2601e513fb18d8098df87f551c86c9fa Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 27 Mar 2024 20:31:08 +0000
Subject: [PATCH] import CS shadow-utils-4.6-22.el8
---
 SOURCES/shadow-4.6-salt-remove-rounds.patch | 15 +++++++++++++++
 SOURCES/shadow-utils.login.defs | 18 +++++++++++++++++-
 SPECS/shadow-utils.spec | 10 +++++++++-
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/shadow-4.6-salt-remove-rounds.patch
diff --git a/SOURCES/shadow-4.6-salt-remove-rounds.patch b/SOURCES/shadow-4.6-salt-remove-rounds.patch
new file mode 100644
index 0000000..48439be
--- /dev/null
+++ b/SOURCES/shadow-4.6-salt-remove-rounds.patch
@@ -0,0 +1,15 @@
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index c72447ea..4940d76e 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -248,6 +248,10 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ result[0] = '\0';
+ }
+
++ if (strstr(result, "rounds=") != NULL) {
++ result[3] = '\0';
++ }
++
+ /*
+ * Concatenate a pseudo random salt.
+ */
diff --git a/SOURCES/shadow-utils.login.defs b/SOURCES/shadow-utils.login.defs
index 12d516c..c50e46e 100644
--- a/SOURCES/shadow-utils.login.defs
+++ b/SOURCES/shadow-utils.login.defs
@@ -77,6 +77,22 @@ CREATE_HOME yes
 #
 USERGROUPS_ENAB yes
-# Use SHA512 to encrypt password.
+#
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+#
 ENCRYPT_METHOD SHA512
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# The values must be within the 1000-999999999 range.
+#
+SHA_CRYPT_MAX_ROUNDS 5000
+
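Review bot: The added check in the embedded libmisc/salt.c hunk drops the `rounds=` component whenever it is present, whatever value was configured, so as far as the hunk shows a cost set through SHA_CRYPT_MAX_ROUNDS never reaches the salt string and crypt() will presumably apply its built-in default. That sits oddly with the login.defs section of this same commit, whose new comment tells administrators that more rounds make brute-forcing harder. If the aim is only to keep the default out of stored hashes, consider stripping only the default value, and record the intent in a comment such as `/* RHEL-16668: omit "rounds=" so hashes keep the plain $5$/$6$ form; crypt() then uses its default cost */`. The fixed index 3 also assumes a three-character method prefix; cutting at the match instead (`char *r = strstr(result, "rounds="); if (r != NULL) { *r = '\0'; }`) removes that assumption. The hunk header names gensalt, but the enclosing function starts and ends outside the hunk.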
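Review bot: The new ENCRYPT_METHOD comment lists BCRYPT as a valid value, but nothing on this page shows that the packaged 4.6 build accepts it, and the rounds comment below covers only SHA256 and SHA512; please confirm support or drop that line, since an unsupported value would not give the hashing the comment promises. The rounds block also says "Define the number of SHA rounds" while setting only SHA_CRYPT_MAX_ROUNDS, with no mention of SHA_CRYPT_MIN_ROUNDS or of what happens when only one of the two is set. Per login.defs(5) a single value is used as-is, so a line such as `# If only SHA_CRYPT_MAX_ROUNDS is set, that value is used as the round count.` would make the shipped default unambiguous.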
diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec
index 11c1134..c9c1d5a 100644
--- a/SPECS/shadow-utils.spec
+++ b/SPECS/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 19%{?dist}
+Release: 22%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
@@ -100,6 +100,7 @@ Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
 Patch66: shadow-4.6-skip-over-reserved-ids.patch
 # https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
 Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
+Patch68: shadow-4.6-salt-remove-rounds.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -203,6 +204,7 @@ Development files for shadow-utils-subid.
 %patch65 -p1 -b .useradd-check-if-subid-range-exists
 %patch66 -p1 -b .skip-over-reserved-ids
 %patch67 -p1 -b .gpasswd-fix-password-leak
+%patch68 -p1 -b .salt-remove-rounds
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -373,6 +375,12 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 %changelog
+* Tue Nov 21 2023 Iker Pedrosa - 2:4.6-22
+- salt: remove rounds from salt string. Resolves: RHEL-16668
+
+* Thu Nov 2 2023 Iker Pedrosa - 2:4.6-21
+- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
+
 * Wed Jul 12 2023 Iker Pedrosa - 2:4.6-19
 - gpasswd: fix password leak. Resolves: #2215947