- Update to 4.12.3:

Revert removal of subid_init, which should have bumped soname.
  So note that 4.12 through 4.12.2 were broken for subid users.

- Update to 4.12.2:
  * Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
- Refresh useradd-userkeleton.patch:
  LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545
  Let's use fstatat() now.

OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=124
2022-08-22 14:01:13 +00:00
committed by Git OBS Bridge
parent c714985a2e
commit b7b2971a9a
7 changed files with 57 additions and 41 deletions


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e7102c7cc423bfb76532a8590c85db610e28555e2e29d00ae1330097569c1dc8
size 1745968


@@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmL6gNkACgkQNXDaFycK
ziQIkggAw7OANqSfYO/5ZrU4dkjjhqwZBvMQh3kKNQZ9fBst2+6eVvkWNyQTorMX
YUnvEgCFJA1wj2o4gltfaYWEVIkDgpwkexKEzPx02n70oe+sbAukXUcXo4v/8piP
D6Q1qLpW1z1vZFp4ZaIj4CP/aa4mTzMNeCWwRn+bCeDLR8jwhwmDN54hEZJ83psB
6RhJXxtUyb6fOI0EK8yRlctuPt39LVAXBO3Q265fmFxP/THEBCseNr6G/+dvR0eQ
ntLGJsBuAE647WN0CYynJl6Jq8ehGaNnmlQOU0reRnxvT+Mx0dkP9Vk2AoENGDL2
D6C+/9v3fpyuyIxWotBK4SenyqKVHA==
=AJ3H
-----END PGP SIGNATURE-----

3
shadow-4.12.3.tar.xz Normal file

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
size 1747620

11
shadow-4.12.3.tar.xz.asc Normal file

@@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
=WZd1
-----END PGP SIGNATURE-----


@@ -1,3 +1,19 @@
-------------------------------------------------------------------
Mon Aug 22 13:59:35 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.12.3:
Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.
-------------------------------------------------------------------
Fri Aug 19 06:32:28 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.12.2:
* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
- Refresh useradd-userkeleton.patch:
LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545
Let's use fstatat() now.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 15 17:42:01 UTC 2022 - Michael Vetter <mvetter@suse.com> Mon Aug 15 17:42:01 UTC 2022 - Michael Vetter <mvetter@suse.com>


@@ -22,7 +22,7 @@
%define no_config 1 %define no_config 1
%endif %endif
Name: shadow Name: shadow
Version: 4.12.1 Version: 4.12.3
Release: 0 Release: 0
Summary: Utilities to Manage User and Group Accounts Summary: Utilities to Manage User and Group Accounts
License: BSD-3-Clause AND GPL-2.0-or-later License: BSD-3-Clause AND GPL-2.0-or-later


@@ -27,7 +27,7 @@ Index: src/useradd.c
static const char *def_create_mail_spool = "yes"; static const char *def_create_mail_spool = "yes";
static const char *def_log_init = "yes"; static const char *def_log_init = "yes";
@@ -185,6 +189,7 @@ static bool home_added = false; @@ -188,6 +192,7 @@ static bool home_added = false;
#define DINACT "INACTIVE=" #define DINACT "INACTIVE="
#define DEXPIRE "EXPIRE=" #define DEXPIRE "EXPIRE="
#define DSKEL "SKEL=" #define DSKEL "SKEL="
@@ -35,7 +35,7 @@ Index: src/useradd.c
#define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL=" #define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL="
#define DLOG_INIT "LOG_INIT=" #define DLOG_INIT "LOG_INIT="
@@ -458,6 +463,29 @@ static void get_defaults (void) @@ -461,6 +466,29 @@ static void get_defaults (void)
} }
/* /*
@@ -45,7 +45,7 @@ Index: src/useradd.c
+ if ('\0' == *cp) { + if ('\0' == *cp) {
+ cp = USRSKELDIR; /* XXX warning: const */ + cp = USRSKELDIR; /* XXX warning: const */
+ } + }
+ +
+ if(prefix[0]) { + if(prefix[0]) {
+ size_t len; + size_t len;
+ int wlen; + int wlen;
@@ -65,7 +65,7 @@ Index: src/useradd.c
* Create by default user mail spool or not ? * Create by default user mail spool or not ?
*/ */
else if (MATCH (buf, DCREATE_MAIL_SPOOL)) { else if (MATCH (buf, DCREATE_MAIL_SPOOL)) {
@@ -499,6 +527,7 @@ static void show_defaults (void) @@ -502,6 +530,7 @@ static void show_defaults (void)
printf ("EXPIRE=%s\n", def_expire); printf ("EXPIRE=%s\n", def_expire);
printf ("SHELL=%s\n", def_shell); printf ("SHELL=%s\n", def_shell);
printf ("SKEL=%s\n", def_template); printf ("SKEL=%s\n", def_template);
@@ -73,7 +73,7 @@ Index: src/useradd.c
printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool); printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool);
printf ("LOG_INIT=%s\n", def_log_init); printf ("LOG_INIT=%s\n", def_log_init);
} }
@@ -527,6 +556,7 @@ static int set_defaults (void) @@ -530,6 +559,7 @@ static int set_defaults (void)
bool out_expire = false; bool out_expire = false;
bool out_shell = false; bool out_shell = false;
bool out_skel = false; bool out_skel = false;
@@ -81,7 +81,7 @@ Index: src/useradd.c
bool out_create_mail_spool = false; bool out_create_mail_spool = false;
bool out_log_init = false; bool out_log_init = false;
size_t len; size_t len;
@@ -640,6 +670,9 @@ static int set_defaults (void) @@ -643,6 +673,9 @@ static int set_defaults (void)
} else if (!out_skel && MATCH (buf, DSKEL)) { } else if (!out_skel && MATCH (buf, DSKEL)) {
fprintf (ofp, DSKEL "%s\n", def_template); fprintf (ofp, DSKEL "%s\n", def_template);
out_skel = true; out_skel = true;
@@ -91,7 +91,7 @@ Index: src/useradd.c
} else if (!out_create_mail_spool } else if (!out_create_mail_spool
&& MATCH (buf, DCREATE_MAIL_SPOOL)) { && MATCH (buf, DCREATE_MAIL_SPOOL)) {
fprintf (ofp, fprintf (ofp,
@@ -675,6 +708,8 @@ static int set_defaults (void) @@ -678,6 +711,8 @@ static int set_defaults (void)
fprintf (ofp, DSHELL "%s\n", def_shell); fprintf (ofp, DSHELL "%s\n", def_shell);
if (!out_skel) if (!out_skel)
fprintf (ofp, DSKEL "%s\n", def_template); fprintf (ofp, DSKEL "%s\n", def_template);
@@ -100,7 +100,7 @@ Index: src/useradd.c
if (!out_create_mail_spool) if (!out_create_mail_spool)
fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool); fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
@@ -2739,6 +2774,8 @@ int main (int argc, char **argv) @@ -2756,6 +2791,8 @@ int main (int argc, char **argv)
if (home_added) { if (home_added) {
copy_tree (def_template, prefix_user_home, false, true, copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid); (uid_t)-1, user_id, (gid_t)-1, user_gid);
@@ -113,22 +113,22 @@ Index: libmisc/copydir.c
=================================================================== ===================================================================
--- libmisc/copydir.c.orig --- libmisc/copydir.c.orig
+++ libmisc/copydir.c +++ libmisc/copydir.c
@@ -395,6 +395,14 @@ static int copy_entry (const char *src, @@ -453,6 +453,14 @@ static int copy_entry (const struct path
old_uid, new_uid, old_gid, new_gid);
} }
+ /* /*
+ * If the destination already exists do nothing. + * If the destination already exists do nothing.
+ * This is after the copy_dir above to still iterate into subdirectories. + * This is after the copy_dir above to still iterate into subdirectories.
+ */ + */
+ if (LSTAT (dst, &sb) != -1) { + if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
+ return 0; + return 0;
+ } + }
+ +
#ifdef S_IFLNK + /*
/*
* Copy any symbolic links * Copy any symbolic links
@@ -456,6 +464,7 @@ static int copy_dir (const char *src, co */
@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i
gid_t old_gid, gid_t new_gid) gid_t old_gid, gid_t new_gid)
{ {
int err = 0; int err = 0;
@@ -136,20 +136,20 @@ Index: libmisc/copydir.c
/* /*
* Create a new target directory, make it owned by * Create a new target directory, make it owned by
@@ -467,6 +476,16 @@ static int copy_dir (const char *src, co @@ -522,6 +531,16 @@ static int copy_dir (const struct path_i
return -1; return -1;
} }
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
+ +
+ /* + /*
+ * If the destination is already a directory, don't change it + * If the destination is already a directory, don't change it
+ * but copy into it (recursively). + * but copy into it (recursively).
+ */ + */
+ if (LSTAT (dst, &dst_sb) == 0 && S_ISDIR(dst_sb.st_mode)) { + if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
+ return (copy_tree (src, dst, false, reset_selinux, + return (copy_tree (src, dst, false, reset_selinux,
+ old_uid, new_uid, old_gid, new_gid) != 0); + old_uid, new_uid, old_gid, new_gid) != 0);
+ } + }
+ +
if ( (mkdir (dst, statp->st_mode) != 0) if ( (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0)
|| (chown_if_needed (dst, statp, || (chownat_if_needed (dst, statp,
old_uid, new_uid, old_gid, new_gid) != 0) old_uid, new_uid, old_gid, new_gid) != 0)
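Review bot: The refreshed `copy_entry` hunk for libmisc/copydir.c inverts the existence test while switching APIs: the old line returned early on `LSTAT (dst, &sb) != -1`, the new one returns early on `fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) == -1`, which is the case where the destination does not exist. That contradicts the comment directly above it ("If the destination already exists do nothing"), so skeleton entries missing from the new home would be skipped silently with a success return, and entries that already exist would fall through to the copy code. The guard should keep the original sense, `if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {`. Separately, the `copy_dir` hunk still calls `copy_tree (src, dst, false, reset_selinux, ...)` although `src` and `dst` appear to be `struct path_info` pointers now, while the useradd.c hunk passes path strings to `copy_tree`. It is worth confirming which helper takes the `path_info` form and building with incompatible-pointer warnings treated as errors. Both functions start and end outside the visible hunks, so this is judged from the changed lines only.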