summaryrefslogtreecommitdiff
path: root/sys-apps/shadow
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2023-04-18 23:56:27 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-04-18 23:56:27 +0100
commit93d0bbd7df69c2081c2b2347ea6c88b8e967d537 (patch)
tree5a3d99a67d4243c300c70a88d52d651c1de4688d /sys-apps/shadow
parentb481b54b8432c46df354eedc3532b0420a38fd5a (diff)
gentoo auto-resync : 18:04:2023 - 23:56:26
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r--sys-apps/shadow/Manifest2
-rw-r--r--sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch100
-rw-r--r--sys-apps/shadow/shadow-4.13-r3.ebuild264
3 files changed, 366 insertions, 0 deletions
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index a741bb6b6cee..da3a64d57095 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -4,6 +4,7 @@ AUX pam.d-include/passwd 144 BLAKE2B 95e159c70416218950ad5cdc41c83b52f8d2ec042d3
AUX pam.d-include/shadow 152 BLAKE2B 82d1f678abc60586ea873da7e2f4907349d77a64085cc475fa09c47cb008b41a7a00a7de2816b2c5cb2f48452d1b07523be35f8dd29026736ba8fbd3ae3d7c56 SHA512 d07611c350d0d6f3386db5080c80a84e4135cf33e44fd3a390cb1092e034f9bd2a69495fadd4bda6ede9962e9658e77f2c8e12d3189cdcda6c7b3c607336f0c3
AUX pam.d-include/shadow-r1 116 BLAKE2B bc7baa8e224cb90b6ef79762941b3b7505fcf4b8ed8c5da06a33a8a7fefa91098e4ac0c0f915eeca4a19714d60a2bf43e3922805347e3dfe0ccc80f210bf88e4 SHA512 ddecc5cc8f667f9931ddf5d98d89a986712c5a6e44826add1e1d9ead37064758a3879f6afd1fc45c89c216956593852051e2ef3abc52e2ab58a0e191adfe75d1
AUX shadow-4.1.3-dots-in-usernames.patch 302 BLAKE2B a83f463be9267c3a704997b98d67cd0daddf8ee05debf447d091530517a855078bd53ce28c87045643b2b8c467dd09caad06a4eb0a6568c271e6a42b49a54dcc SHA512 ad20fb3f4f0292f39b5da796e41df71e9e8b1b81dd11a99b2d988440c1b435b0061333a0a5a37a909598d5a840a75946e8c59c74426bae7452de88cf673a5f7d
+AUX shadow-4.13-CVE-2023-29383.patch 3022 BLAKE2B 7ad4eeef9bbaf49b8388b7bbcfd2b814ed8862056242085d7261064f7447e610f3476cb45fb57acbe0b5eb1486389bdf93dcc196853c7fe4555750d2c0dcd1c8 SHA512 dd042d4be4dcbcdf63293598530225454cc7818e7ed6c59ab00fb19517b8ec503f6f82de0d347cc03dfcd1d65a1f65f623181838710db6d4fec84b14d7ffe530
AUX shadow-4.13-configure-clang16.patch 1129 BLAKE2B 701c7e417c57265d9a7a2ee8eb6620ef6846018de24edacc04d0d4f63ff2e7e0a67382c459003d2bfa11e4dd3a49a227464315a4ef115da58c27889d7bdd7226 SHA512 057ea8a546953bea88ecb0b787b37d24113ea4881a9f86e55318647f85f8b56e204dbf3815811897d0cad2a8e50427c9fa84b6389e332e26c8cacc690835a942
DIST shadow-4.12.3.tar.xz 1747620 BLAKE2B 63b10d75a11d419156a996b8acf1bebbfab28999c2ab796e6625c028882073d4021806d8b56224190886c076a1205955e7797cb6f797ef73af3a8a33ac34bf2f SHA512 0529889258f54e7634762dc154aa680d55f8c5f1654afadd1b7431cfbb890a3b1ba27c7ff4b7c45986e4ee2289946db2e420b23ed13e4e5b15800a1fb3a013bc
DIST shadow-4.12.3.tar.xz.asc 488 BLAKE2B b23525c3303f78df9d046c0225ed3ee1715cb000650630daae8b41fb71413daa45b5fe39a98fc640aaafa0f219fbaf9e065afa6b44f051373fb1967358ccc43d SHA512 d3f294d86c0e2174c88809810a801737c01cd01f9cadbe7b1ae382b2745d86e2e30c0718fa6489c2abb65500ed94c8ac1961d05243b5a1800c966384c69281c9
@@ -11,4 +12,5 @@ DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3a
DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648
EBUILD shadow-4.12.3-r1.ebuild 6482 BLAKE2B fd4ade28140346a1a708eb0cd2a3f33464011f2163a67cfa1b3d72e0d066a9665a76aed66e3cb6ccd7cf511cf32334cd9e0d5de93a7514af578ea1bf30397e55 SHA512 f945fddc472d49a765048f0222727fe70809af8a948093cba79e98d3fd89a7cea0cba2e5b4c2d19c7905b1efe26cd287bcf2769893d36bf90b43b5c78dab378a
EBUILD shadow-4.13-r2.ebuild 6650 BLAKE2B 3f4a3121cbac224a65ab1351129690216653ee38882cd131cf06de046e5c1a9197a0966fcfe404a24e9bb5d307739862ffc4a89902e22ffe480d385465578bdd SHA512 9ccca926f3c8274be04057562e8566a326a0322ba6e679c825bee054c77c994af0f76cf816cab7be745ef043807c421cdfd341eea1a6b3d9d3f5158250e54579
+EBUILD shadow-4.13-r3.ebuild 6698 BLAKE2B 6dbca084f34b165ab90618eaac8eba1aafa0be567e77e3947a952c44634e8f03fd85193d822f2aed8602bea57e797a1c35cc73e3cf2b335b075310fd92f91388 SHA512 132fb102ec1ef5d0e0df0f4289c595ed04125cfbffcc5a5a3d7b98aafeffee535a356e9db92bc0d559a35f7db90a15b75fc1fab6ccf411aa203daeabb8d65d0f
MISC metadata.xml 606 BLAKE2B 2b14042f4702a908f8250c3fb6499ea33d8a8c44072707aa44881a36e3cc710256a821f8cd82c5214b32e9f5632745db4fdf00dd722f6fb7401e2f6b0bfbb4fd SHA512 694e039ae781982e8cbe6670b4e9c93b43455715ce4b9830a5fa61e6bf3eb91abcc284bf29c64fab055ba9754edaeab5d2da8140dbb2794fc1f534e2ccbb2b16
diff --git a/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
new file mode 100644
index 000000000000..49868ba67c96
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
@@ -0,0 +1,100 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931f..fb51b5829 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+ *
+ * The supplied field is scanned for non-printable and other illegal
+ * characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+ * + 0 is returned otherwise.
+ */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ }
+
+ if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+ if (!isprint (*cp)) {
+ err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+ break;
+ }
+ }
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b5829..539292485 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+ /* For each character of field, search if it appears in the list
+ * of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+ err = -1;
+ break;
+ }
+ }
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+ return err;
+ }
+
diff --git a/sys-apps/shadow/shadow-4.13-r3.ebuild b/sys-apps/shadow/shadow-4.13-r3.ebuild
new file mode 100644
index 000000000000..476f5dbc203f
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.13-r3.ebuild
@@ -0,0 +1,264 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Upstream sometimes pushes releases as pre-releases before marking them
+# official. Don't keyword the pre-releases!
+# Check https://github.com/shadow-maint/shadow/releases.
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sergehallyn.asc
+inherit libtool pam verify-sig
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="https://github.com/shadow-maint/shadow"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
+SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )"
+
+LICENSE="BSD GPL-2"
+# Subslot is for libsubid's SONAME.
+SLOT="0/4"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr"
+# Taken from the man/Makefile.am file.
+LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
+
+REQUIRED_USE="?? ( cracklib pam )"
+
+COMMON_DEPEND="
+ virtual/libcrypt:=
+ acl? ( sys-apps/acl:0= )
+ audit? ( >=sys-process/audit-2.6:0= )
+ cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
+ nls? ( virtual/libintl )
+ pam? ( sys-libs/pam:0= )
+ skey? ( sys-auth/skey:0= )
+ selinux? (
+ >=sys-libs/libselinux-1.28:0=
+ sys-libs/libsemanage:0=
+ )
+ xattr? ( sys-apps/attr:0= )
+"
+DEPEND="${COMMON_DEPEND}
+ >=sys-kernel/linux-headers-4.14
+"
+RDEPEND="${COMMON_DEPEND}
+ !<sys-apps/man-pages-5.11-r1
+ !=sys-apps/man-pages-5.12-r0
+ !=sys-apps/man-pages-5.12-r1
+ nls? (
+ !<app-i18n/man-pages-it-5.06-r1
+ !<app-i18n/man-pages-ja-20180315-r1
+ !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
+ )
+ pam? ( >=sys-auth/pambase-20150213 )
+ su? ( !sys-apps/util-linux[su(-)] )
+"
+BDEPEND="
+ app-arch/xz-utils
+ sys-devel/gettext
+ verify-sig? ( sec-keys/openpgp-keys-sergehallyn )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-configure-clang16.patch
+ "${FILESDIR}"/${P}-CVE-2023-29383.patch
+)
+
+src_prepare() {
+ default
+
+ elibtoolize
+}
+
+src_configure() {
+ local myeconfargs=(
+ --disable-account-tools-setuid
+ --disable-static
+ --with-btrfs
+ --without-group-name-max-length
+ --without-tcb
+ $(use_enable nls)
+ $(use_with acl)
+ $(use_with audit)
+ $(use_with bcrypt)
+ $(use_with cracklib libcrack)
+ $(use_with elibc_glibc nscd)
+ $(use_with pam libpam)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with su)
+ $(use_with xattr attr)
+ )
+
+ econf "${myeconfargs[@]}"
+
+ if use nls ; then
+ local l langs="po" # These are the pot files.
+ for l in ${LANGS[*]} ; do
+ has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
+ done
+ sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
+ fi
+}
+
+set_login_opt() {
+ local comment="" opt=${1} val=${2}
+ if [[ -z ${val} ]]; then
+ comment="#"
+ sed -i \
+ -e "/^${opt}\>/s:^:#:" \
+ "${ED}"/etc/login.defs || die
+ else
+ sed -i -r \
+ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
+ "${ED}"/etc/login.defs
+ fi
+ local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+ einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
+}
+
+src_install() {
+ emake DESTDIR="${D}" suidperms=4711 install
+
+ # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389
+ emake DESTDIR="${D}" -C man install
+
+ find "${ED}" -name '*.la' -type f -delete || die
+
+ insinto /etc
+ if ! use pam ; then
+ insopts -m0600
+ doins etc/login.access etc/limits
+ fi
+
+ # needed for 'useradd -D'
+ insinto /etc/default
+ insopts -m0600
+ doins "${FILESDIR}"/default/useradd
+
+ if use split-usr ; then
+ # move passwd to / to help recover broke systems #64441
+ # We cannot simply remove this or else net-misc/scponly
+ # and other tools will break because of hardcoded passwd
+ # location
+ dodir /bin
+ mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+ dosym ../../bin/passwd /usr/bin/passwd
+ fi
+
+ cd "${S}" || die
+ insinto /etc
+ insopts -m0644
+ newins etc/login.defs login.defs
+
+ set_login_opt CREATE_HOME yes
+ if ! use pam ; then
+ set_login_opt MAIL_CHECK_ENAB no
+ set_login_opt SU_WHEEL_ONLY yes
+ set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict
+ set_login_opt LOGIN_RETRIES 3
+ set_login_opt ENCRYPT_METHOD SHA512
+ set_login_opt CONSOLE
+ else
+ dopamd "${FILESDIR}"/pam.d-include/shadow
+
+ for x in chsh chfn ; do
+ newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
+ done
+
+ for x in chpasswd newusers ; do
+ newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x}
+ done
+
+ newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems
+
+ # Comment out login.defs options that pam hates
+ local opt sed_args=()
+ for opt in \
+ CHFN_AUTH \
+ CONSOLE \
+ CRACKLIB_DICTPATH \
+ ENV_HZ \
+ ENVIRON_FILE \
+ FAILLOG_ENAB \
+ FTMP_FILE \
+ LASTLOG_ENAB \
+ MAIL_CHECK_ENAB \
+ MOTD_FILE \
+ NOLOGINS_FILE \
+ OBSCURE_CHECKS_ENAB \
+ PASS_ALWAYS_WARN \
+ PASS_CHANGE_TRIES \
+ PASS_MIN_LEN \
+ PORTTIME_CHECKS_ENAB \
+ QUOTAS_ENAB \
+ SU_WHEEL_ONLY
+ do
+ set_login_opt ${opt}
+ sed_args+=( -e "/^#${opt}\>/b pamnote" )
+ done
+ sed -i "${sed_args[@]}" \
+ -e 'b exit' \
+ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
+ -e ': exit' \
+ "${ED}"/etc/login.defs || die
+
+ # Remove manpages that pam will install for us
+ # and/or don't apply when using pam
+ find "${ED}"/usr/share/man -type f \
+ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+ -delete
+
+ # Remove pam.d files provided by pambase.
+ rm "${ED}"/etc/pam.d/{login,passwd} || die
+ if use su ; then
+ rm "${ED}"/etc/pam.d/su || die
+ fi
+ fi
+
+ # Remove manpages that are handled by other packages
+ find "${ED}"/usr/share/man -type f \
+ '(' -name id.1 -o -name getspnam.3 ')' \
+ -delete || die
+
+ if ! use su ; then
+ find "${ED}"/usr/share/man -type f -name su.1 -delete || die
+ fi
+
+ cd "${S}" || die
+ dodoc ChangeLog NEWS TODO
+ newdoc README README.download
+ cd doc || die
+ dodoc HOWTO README* WISHLIST *.txt
+}
+
+pkg_preinst() {
+ rm -f "${EROOT}"/etc/pam.d/system-auth.new \
+ "${EROOT}/etc/login.defs.new"
+}
+
+pkg_postinst() {
+ # Missing entries from /etc/passwd can cause odd system blips.
+ # See bug #829872.
+ if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then
+ ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors."
+ fi
+
+ # Enable shadow groups.
+ if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then
+ if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then
+ grpconv -R "${EROOT:-/}"
+ else
+ ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
+ ewarn "run 'grpconv' afterwards!"
+ fi
+ fi
+
+ [[ ! -f "${EROOT}"/etc/subgid ]] &&
+ touch "${EROOT}"/etc/subgid
+ [[ ! -f "${EROOT}"/etc/subuid ]] &&
+ touch "${EROOT}"/etc/subuid
+
+ einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}