shadow-utils/shadow-4.5-usermod-unlock.patch

Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
 		strcat (buf, pw_pass);
 		pw_pass = buf;
 	} else if (Uflg && pw_pass[0] == '!') {
-		char *s;
+		char *s = pw_pass;
 
-		if (pw_pass[1] == '\0') {
+		while ('!' == *s)
+			++s;
+
+		if (*s == '\0') {
 			fprintf (stderr,
 			         _("%s: unlocking the user's password would result in a passwordless account.\n"
 			           "You should set a password with usermod -p to unlock this user's password.\n"),
 			         Prog);
-			return pw_pass;
+			return NULL;
 		}
 
 #ifdef WITH_AUDIT
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
 		              user_newname, (unsigned int) user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
-		s = pw_pass;
-		while ('\0' != *s) {
-			*s = *(s + 1);
-			s++;
-		}
+		memmove (pw_pass, s, strlen (s) + 1);
 	} else if (pflg) {
+		if (strchr (user_pass, ':') != NULL) {
+			fprintf (stderr,
+			         _("%s: The password field cannot contain a colon character.\n"),
+			         Prog);
+			return NULL;
+
+		}
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 		              "updating-password",
@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
 	if (   (!is_shadow_pwd)
 	    || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
 		pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
+		if (pwent->pw_passwd == NULL)
+			fail_exit (E_PW_UPDATE);
 	}
 
 	if (uflg) {
@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
 	 *  + aging has been requested
 	 */
 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
+	if (spent->sp_pwdp == NULL)
+		fail_exit(E_PW_UPDATE);
 
 	if (pflg) {
 		spent->sp_lstchg = (long) gettime () / SCALE;
Add patch to include crypt.h, if present Use %%make_{build,install} macros Refresh other patches for proper alignment 2018-02-06 10:33:37 +00:00			`Index: shadow-4.5/src/usermod.c`
			`===================================================================`
			`--- shadow-4.5.orig/src/usermod.c`
			`+++ shadow-4.5/src/usermod.c`
usermod: properly return error during password manipulation 2016-02-09 10:54:02 +00:00			`@@ -455,14 +455,17 @@ static char new_pw_passwd (char pw_pas`
Multiple fixes. - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd 2015-08-27 13:53:13 +00:00			`strcat (buf, pw_pass);`
			`pw_pass = buf;`
			`} else if (Uflg && pw_pass[0] == '!') {`
			`- char *s;`
			`+ char *s = pw_pass;`

			`- if (pw_pass[1] == '\0') {`
			`+ while ('!' == *s)`
			`+ ++s;`
			`+`
			`+ if (*s == '\0') {`
			`fprintf (stderr,`
			`_("%s: unlocking the user's password would result in a passwordless account.\n"`
			`"You should set a password with usermod -p to unlock this user's password.\n"),`
usermod: properly return error during password manipulation 2016-02-09 10:54:02 +00:00			`Prog);`
			`- return pw_pass;`
			`+ return NULL;`
			`}`

			`#ifdef WITH_AUDIT`
Multiple fixes. - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd 2015-08-27 13:53:13 +00:00			`@@ -471,12 +474,15 @@ static char new_pw_passwd (char pw_pas`
			`user_newname, (unsigned int) user_newid, 1);`
			`#endif`
			`SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));`
			`- s = pw_pass;`
			`- while ('\0' != *s) {`
			`- s = (s + 1);`
			`- s++;`
			`- }`
			`+ memmove (pw_pass, s, strlen (s) + 1);`
			`} else if (pflg) {`
			`+ if (strchr (user_pass, ':') != NULL) {`
			`+ fprintf (stderr,`
			`+ _("%s: The password field cannot contain a colon character.\n"),`
			`+ Prog);`
usermod: properly return error during password manipulation 2016-02-09 10:54:02 +00:00			`+ return NULL;`
Multiple fixes. - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd 2015-08-27 13:53:13 +00:00			`+`
			`+ }`
			`#ifdef WITH_AUDIT`
			`audit_logger (AUDIT_USER_CHAUTHTOK, Prog,`
			`"updating-password",`
usermod: properly return error during password manipulation 2016-02-09 10:54:02 +00:00			`@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw`
			`if ( (!is_shadow_pwd)`
			`\|\| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {`
			`pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);`
			`+ if (pwent->pw_passwd == NULL)`
			`+ fail_exit (E_PW_UPDATE);`
			`}`

			`if (uflg) {`
			`@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen`
			`* + aging has been requested`
			`*/`
			`spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);`
			`+ if (spent->sp_pwdp == NULL)`
			`+ fail_exit(E_PW_UPDATE);`

			`if (pflg) {`
update to current upstream release 4.5 2017-07-21 12:04:11 +00:00			`spent->sp_lstchg = (long) gettime () / SCALE;`