Multiple fixes.

- unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd
2015-08-27 15:53:13 +02:00 · 2015-08-27 15:53:13 +02:00 · 25899fefb0
parent 283bf24723
commit 25899fefb0
4 changed files with 91 additions and 1 deletions
--- a/shadow-4.2.1-defs-chroot.patch
+++ b/shadow-4.2.1-defs-chroot.patch
@ -0,0 +1,24 @@
+diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c
+--- shadow-4.2.1/src/useradd.c.defs-chroot	2014-12-01 15:14:58.000000000 +0100
+++ shadow-4.2.1/src/useradd.c	2015-08-27 15:46:21.935698862 +0200
+@@ -1938,8 +1938,8 @@ int main (int argc, char **argv)
+ #endif				/* ACCT_TOOLS_SETUID */
+ 
+ 	/* Needed for userns check */
+-	uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+-	uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+	uid_t uid_min;
+	uid_t uid_max;
+ 
+ 	/*
+ 	 * Get my name so that I can use it to report errors.
+@@ -1957,6 +1957,9 @@ int main (int argc, char **argv)
+ 	audit_help_open ();
+ #endif
+ 
+	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+
+ 	sys_ngroups = sysconf (_SC_NGROUPS_MAX);
+ 	user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *));
+ 	/*
--- a/shadow-4.2.1-no-lock-dos.patch
+++ b/shadow-4.2.1-no-lock-dos.patch
@ -0,0 +1,15 @@
+diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c
+--- shadow-4.2.1/lib/commonio.c.no-lock-dos	2015-08-27 15:09:17.101537812 +0200
+++ shadow-4.2.1/lib/commonio.c	2015-08-27 15:11:06.643011248 +0200
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+ 	int retval;
+ 	char buf[32];
+ 
+-	fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
+	/* We depend here on the fact, that the file name is pid-specific.
+	 * So no O_EXCL here and no DoS.
+	 */
+	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ 	if (-1 == fd) {
+ 		if (log) {
+ 			(void) fprintf (stderr,
--- a/shadow-4.2.1-usermod-unlock.patch
+++ b/shadow-4.2.1-usermod-unlock.patch
@ -0,0 +1,39 @@
+diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c
+--- shadow-4.2.1/src/usermod.c.unlock	2014-12-01 15:14:58.000000000 +0100
+++ shadow-4.2.1/src/usermod.c	2015-08-27 14:31:50.899712180 +0200
+@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas
+ 		strcat (buf, pw_pass);
+ 		pw_pass = buf;
+ 	} else if (Uflg && pw_pass[0] == '!') {
+-		char *s;
+		char *s = pw_pass;
+ 
+-		if (pw_pass[1] == '\0') {
+		while ('!' == *s)
+			++s;
+
+		if (*s == '\0') {
+ 			fprintf (stderr,
+ 			         _("%s: unlocking the user's password would result in a passwordless account.\n"
+ 			           "You should set a password with usermod -p to unlock this user's password.\n"),
+@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
+ 		              user_newname, (unsigned int) user_newid, 1);
+ #endif
+ 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+-		s = pw_pass;
+-		while ('\0' != *s) {
+-			*s = *(s + 1);
+-			s++;
+-		}
+		memmove (pw_pass, s, strlen (s) + 1);
+ 	} else if (pflg) {
+		if (strchr (user_pass, ':') != NULL) {
+			fprintf (stderr,
+			         _("%s: The password field cannot contain a colon character.\n"),
+			         Prog);
+			return pw_pass;
+
+		}
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ 		              "updating-password",
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch
 Patch20: shadow-4.1.5.1-ingroup.patch
 Patch21: shadow-4.1.5.1-move-home.patch
 Patch22: shadow-4.2.1-audit-update.patch
+Patch23: shadow-4.2.1-usermod-unlock.patch
+Patch24: shadow-4.2.1-no-lock-dos.patch
+Patch25: shadow-4.2.1-defs-chroot.patch

 License: BSD and GPLv2+
 Group: System Environment/Base
@ -80,6 +83,9 @@ are used for managing group accounts.
 %patch20 -p1 -b .ingroup
 %patch21 -p1 -b .move-home
 %patch22 -p1 -b .audit-update
+%patch23 -p1 -b .unlock
+%patch24 -p1 -b .no-lock-dos
+%patch25 -p1 -b .defs-chroot

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*

 %changelog
+* Thu Aug 27 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-3
+- unlock also passwords locked with passwd -l
+- prevent breaking user entry by entering a password containing colon
+- fix possible DoS when locking the database files for update
+- properly use login.defs from the chroot in useradd
+
 * Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:4.2.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild