From 25899fefb05e983b4403720125a756665943cf13 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 27 Aug 2015 15:53:13 +0200
Subject: [PATCH] Multiple fixes.

- unlock also passwords locked with passwd -l
- prevent breaking user entry by entering a password containing colon
- fix possible DoS when locking the database files for update
- properly use login.defs from the chroot in useradd
---
 shadow-4.2.1-defs-chroot.patch    | 24 +++++++++++++++++++
 shadow-4.2.1-no-lock-dos.patch    | 15 ++++++++++++
 shadow-4.2.1-usermod-unlock.patch | 39 +++++++++++++++++++++++++++++++
 shadow-utils.spec                 | 14 ++++++++++-
 4 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.2.1-defs-chroot.patch
 create mode 100644 shadow-4.2.1-no-lock-dos.patch
 create mode 100644 shadow-4.2.1-usermod-unlock.patch

diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch
new file mode 100644
index 0000000..827ad40
--- /dev/null
+++ b/shadow-4.2.1-defs-chroot.patch
@@ -0,0 +1,24 @@
+diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c
+--- shadow-4.2.1/src/useradd.c.defs-chroot	2014-12-01 15:14:58.000000000 +0100
++++ shadow-4.2.1/src/useradd.c	2015-08-27 15:46:21.935698862 +0200
+@@ -1938,8 +1938,8 @@ int main (int argc, char **argv)
+ #endif				/* ACCT_TOOLS_SETUID */
+ 
+ 	/* Needed for userns check */
+-	uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+-	uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++	uid_t uid_min;
++	uid_t uid_max;
+ 
+ 	/*
+ 	 * Get my name so that I can use it to report errors.
+@@ -1957,6 +1957,9 @@ int main (int argc, char **argv)
+ 	audit_help_open ();
+ #endif
+ 
++	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++
+ 	sys_ngroups = sysconf (_SC_NGROUPS_MAX);
+ 	user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *));
+ 	/*
diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch
new file mode 100644
index 0000000..58fd605
--- /dev/null
+++ b/shadow-4.2.1-no-lock-dos.patch
@@ -0,0 +1,15 @@
+diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c
+--- shadow-4.2.1/lib/commonio.c.no-lock-dos	2015-08-27 15:09:17.101537812 +0200
++++ shadow-4.2.1/lib/commonio.c	2015-08-27 15:11:06.643011248 +0200
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+ 	int retval;
+ 	char buf[32];
+ 
+-	fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
++	/* We depend here on the fact, that the file name is pid-specific.
++	 * So no O_EXCL here and no DoS.
++	 */
++	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ 	if (-1 == fd) {
+ 		if (log) {
+ 			(void) fprintf (stderr,
diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch
new file mode 100644
index 0000000..85403cd
--- /dev/null
+++ b/shadow-4.2.1-usermod-unlock.patch
@@ -0,0 +1,39 @@
+diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c
+--- shadow-4.2.1/src/usermod.c.unlock	2014-12-01 15:14:58.000000000 +0100
++++ shadow-4.2.1/src/usermod.c	2015-08-27 14:31:50.899712180 +0200
+@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas
+ 		strcat (buf, pw_pass);
+ 		pw_pass = buf;
+ 	} else if (Uflg && pw_pass[0] == '!') {
+-		char *s;
++		char *s = pw_pass;
+ 
+-		if (pw_pass[1] == '\0') {
++		while ('!' == *s)
++			++s;
++
++		if (*s == '\0') {
+ 			fprintf (stderr,
+ 			         _("%s: unlocking the user's password would result in a passwordless account.\n"
+ 			           "You should set a password with usermod -p to unlock this user's password.\n"),
+@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
+ 		              user_newname, (unsigned int) user_newid, 1);
+ #endif
+ 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+-		s = pw_pass;
+-		while ('\0' != *s) {
+-			*s = *(s + 1);
+-			s++;
+-		}
++		memmove (pw_pass, s, strlen (s) + 1);
+ 	} else if (pflg) {
++		if (strchr (user_pass, ':') != NULL) {
++			fprintf (stderr,
++			         _("%s: The password field cannot contain a colon character.\n"),
++			         Prog);
++			return pw_pass;
++
++		}
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ 		              "updating-password",
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 26569bb..48d0f8b 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
@@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch
 Patch20: shadow-4.1.5.1-ingroup.patch
 Patch21: shadow-4.1.5.1-move-home.patch
 Patch22: shadow-4.2.1-audit-update.patch
+Patch23: shadow-4.2.1-usermod-unlock.patch
+Patch24: shadow-4.2.1-no-lock-dos.patch
+Patch25: shadow-4.2.1-defs-chroot.patch
 
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -80,6 +83,9 @@ are used for managing group accounts.
 %patch20 -p1 -b .ingroup
 %patch21 -p1 -b .move-home
 %patch22 -p1 -b .audit-update
+%patch23 -p1 -b .unlock
+%patch24 -p1 -b .no-lock-dos
+%patch25 -p1 -b .defs-chroot
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Thu Aug 27 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-3
+- unlock also passwords locked with passwd -l
+- prevent breaking user entry by entering a password containing colon
+- fix possible DoS when locking the database files for update
+- properly use login.defs from the chroot in useradd
+
 * Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:4.2.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild