From fbc8eba072226a39bbe8dc9008e43428ce595900 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Tue, 17 Aug 2021 09:49:01 +0200
Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
Signed-off-by: Iker Pedrosa
---
 ...default-value-in-SHA_get_salt_rounds.patch | 60 +++++++++++++++++++
 shadow-utils.spec | 10 +++-
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
diff --git a/shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch b/shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
new file mode 100644
index 0000000..5eaaec9
--- /dev/null
+++ b/shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
@@ -0,0 +1,60 @@
+From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert
+Date: Sat, 14 Aug 2021 13:24:34 -0400
+Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
+
+If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
+use SHA_ROUNDS_DEFAULT.
+
+Previously, the code fell through, calling shadow_random(-1, -1). This
+ultimately set rounds = (unsigned long) -1, which ends up being a very
+large number! This then got capped to SHA_ROUNDS_MAX later in the
+function.
+
+The new behavior matches BCRYPT_get_salt_rounds().
+
+Bug: https://bugs.gentoo.org/808195
+Fixes: https://github.com/shadow-maint/shadow/issues/393
+---
+ libmisc/salt.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index 91d528fd..30eefb9c 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
+ if ((-1 == min_rounds) && (-1 == max_rounds)) {
+ rounds = SHA_ROUNDS_DEFAULT;
+ }
++ else {
++ if (-1 == min_rounds) {
++ min_rounds = max_rounds;
++ }
+
+- if (-1 == min_rounds) {
+- min_rounds = max_rounds;
+- }
++ if (-1 == max_rounds) {
++ max_rounds = min_rounds;
++ }
+
+- if (-1 == max_rounds) {
+- max_rounds = min_rounds;
+- }
++ if (min_rounds > max_rounds) {
++ max_rounds = min_rounds;
++ }
+
+- if (min_rounds > max_rounds) {
+- max_rounds = min_rounds;
++ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
+ }
+-
+- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
+ } else if (0 == *prefered_rounds) {
+ rounds = SHA_ROUNDS_DEFAULT;
+ } else {
+--
+2.31.1
+
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 47d61e0..f753ae7 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
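Review bot: The new `else` branch in the nested libmisc/salt.c hunk carries no comment explaining the `-1` sentinel it normalises, which is exactly the case the removed code got wrong, so a one-line comment would stop the next editor from re-introducing the fall-through: `/* -1 marks an unconfigured bound: inherit the configured one so shadow_random() is never called with -1 */`. The commit message records that the old path only survived because `rounds` was capped to SHA_ROUNDS_MAX further down, meaning an unconfigured system silently paid the maximum per-hash cost on every password operation; that clamp is outside this hunk and, as far as the visible lines show, remains the only guard if either bound arrives with some other out-of-range value, so the comment should also say the clamp is relied upon. The `if`/`else` now duplicates the `rounds = SHA_ROUNDS_DEFAULT;` assignment of the `0 == *prefered_rounds` branch, which is fine but would be worth a regression test pinning that both unset bounds yield SHA_ROUNDS_DEFAULT rather than SHA_ROUNDS_MAX. SHA_get_salt_rounds() begins and ends outside the hunk.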
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 URL: https://github.com/shadow-maint/shadow
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -48,8 +48,10 @@ Patch13: shadow-4.8-ignore-login-prompt.patch
 Patch14: shadow-4.9-newuidmap-libeconf-dependency.patch
 # https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
 Patch15: shadow-4.9-usermod-allow-all-group-types.patch
-# https://github.com/shadow-maint/shadow/pull/399
+# https://github.com/shadow-maint/shadow/commit/9dd720a28578eef5be8171697aae0906e4c53249
 Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
+# https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
+Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
 
 License: BSD and GPLv2+
 BuildRequires: make
@@ -114,6 +116,7 @@ Development files for shadow-utils-subid.
 %patch14 -p1 -b .newuidmap-libeconf-dependency
 %patch15 -p1 -b .usermod-allow-all-group-types
 %patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
+%patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
 
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -284,6 +287,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
+* Tue Aug 17 2021 Iker Pedrosa - 2:4.9-3
+- libmisc: fix default value in SHA_get_salt_rounds()
+
 * Mon Aug 9 2021 Iker Pedrosa - 2:4.9-2
 - useradd: avoid generating an empty subid range (#1990653)