[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/

2024-03-05 Thread Petr Vaněk
commit: e8bb3b84ae490879438504ee21f33275d395ce37
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Mon Mar  4 18:26:57 2024 +
Commit: Petr Vaněk  gentoo  org>
CommitDate: Tue Mar  5 09:17:15 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8bb3b84

sys-apps/shadow: remove unused patch

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Signed-off-by: Petr Vaněk  gentoo.org>

 .../shadow/files/shadow-4.14.0-bug912446.patch | 1305 
 1 file changed, 1305 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.14.0-bug912446.patch 
b/sys-apps/shadow/files/shadow-4.14.0-bug912446.patch
deleted file mode 100644
index 881c8f7f4ad4..
--- a/sys-apps/shadow/files/shadow-4.14.0-bug912446.patch
+++ /dev/null
@@ -1,1305 +0,0 @@
-https://bugs.gentoo.org/912446
-
-From c34c2606cf8f0a52113156d9e22b7a35b391a17e Mon Sep 17 00:00:00 2001
-From: Alejandro Colomar 
-Date: Fri, 25 Aug 2023 11:29:00 +0200
-Subject: [PATCH] lib, libmisc: Move source files to lib (where their headers
- were)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Scripted change:
-
-$ find lib/ -type f \
-| grep '\.h$' \
-| sed 's,lib/,libmisc/,' \
-| sed 's,\.h$,.c,' \
-| xargs find 2>/dev/null \
-| xargs mv -t lib/;
-
-Plus updating the Makefiles.
-
-Closes: 
-Closes: 
-Link: 

-Link: 
-Link: 

-Reported-by: Christian Bricart 
-Reported-by: Robert Marmorstein 
-Cc: Sam James 
-[ jubalh tested the openSUSE package ]
-Tested-by: Michael Vetter 
-Acked-by: Michael Vetter 
-[ Robert F. tested the Gentoo package ]
-Tested-by: Robert Förster 
-Cc: David Seifert 
-Signed-off-by: Alejandro Colomar 

- lib/Makefile.am   | 10 ++
- {libmisc => lib}/alloc.c  |  0
- {libmisc => lib}/bit.c|  0
- {libmisc => lib}/mempcpy.c|  0
- {libmisc => lib}/stpecpy.c|  0
- {libmisc => lib}/stpeprintf.c |  0
- libmisc/Makefile.am   |  9 -
- 7 files changed, 10 insertions(+), 9 deletions(-)
- rename {libmisc => lib}/alloc.c (100%)
- rename {libmisc => lib}/bit.c (100%)
- rename {libmisc => lib}/mempcpy.c (100%)
- rename {libmisc => lib}/stpecpy.c (100%)
- rename {libmisc => lib}/stpeprintf.c (100%)
-
-diff --git a/lib/Makefile.am b/lib/Makefile.am
-index c8d6dd5fb..7f3f7f639 100644
 a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -14,6 +14,10 @@ libshadow_la_CPPFLAGS += -I$(top_srcdir)
- libshadow_la_CFLAGS = $(LIBBSD_CFLAGS)
- 
- libshadow_la_SOURCES = \
-+  alloc.c \
-+  alloc.h \
-+  bit.c \
-+  bit.h \
-   commonio.c \
-   commonio.h \
-   defines.h \
-@@ -34,6 +38,8 @@ libshadow_la_SOURCES = \
-   groupio.h \
-   gshadow.c \
-   lockpw.c \
-+  mempcpy.c \
-+  mempcpy.h \
-   nss.c \
-   nscd.c \
-   nscd.h \
-@@ -67,6 +73,10 @@ libshadow_la_SOURCES = \
-   shadowio.h \
-   shadowmem.c \
-   spawn.c \
-+  stpecpy.c \
-+  stpecpy.h \
-+  stpeprintf.c \
-+  stpeprintf.h \
-   write_full.c
- 
- if WITH_TCB
-diff --git a/libmisc/alloc.c b/lib/alloc.c
-similarity index 100%
-rename from libmisc/alloc.c
-rename to lib/alloc.c
-diff --git a/libmisc/bit.c b/lib/bit.c
-similarity index 100%
-rename from libmisc/bit.c
-rename to lib/bit.c
-diff --git a/libmisc/mempcpy.c b/lib/mempcpy.c
-similarity index 100%
-rename from libmisc/mempcpy.c
-rename to lib/mempcpy.c
-diff --git a/libmisc/stpecpy.c b/lib/stpecpy.c
-similarity index 100%
-rename from libmisc/stpecpy.c
-rename to lib/stpecpy.c
-diff --git a/libmisc/stpeprintf.c b/lib/stpeprintf.c
-similarity index 100%
-rename from libmisc/stpeprintf.c
-rename to lib/stpeprintf.c
-diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
-index 10bf1537f..5eba4650a 100644
 a/libmisc/Makefile.am
-+++ b/libmisc/Makefile.am
-@@ -16,12 +16,8 @@ libmisc_la_SOURCES = \
-   addgrps.c \
-   age.c \
-   agetpass.c \
--  alloc.c \
--  ../lib/alloc.h \
-   audit_help.c \
-   basename.c \
--  bit.c \
--  ../lib/bit.h \
-   chkname.c \
-   chkname.h \
-   chowndir.c \
-@@ -53,7 +49,6 @@ libmisc_la_SOURCES = \
-   list.c \
-   loginprompt.c \
-   mail.c \
--  mempcpy.c \
-   motd.c \
-   myname.c \
-   obscure.c \
-@@ -71,10 +66,6 @@ libmisc_la_SOURCES = \
-   setugid.c \
-   setupenv.c \
-   shell.c \
--  stpecpy.c \
--  ../lib/stpecpy.h \
--  stpeprintf.c \
--  ../lib/stpeprintf.h \
-   strtoday.c \
-   sub.c \
-   sulog.c \
-From 093fb605f9ca0df8310210377b12c0cf2ea5110c Mon Sep 17 00:00:00 2001
-From: Alejandro Colomar 
-Date: Mon, 28 Aug 2023 12:54:22 +0200

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2023-09-18 Thread Mike Gilbert
commit: 75209a50623aa5538ecbf940c20e69d55b0693f1
Author: Mike Gilbert  gentoo  org>
AuthorDate: Tue Sep 19 00:54:05 2023 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Tue Sep 19 00:55:24 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75209a50

sys-apps/shadow: backport build fixes

Closes: https://bugs.gentoo.org/912446
Signed-off-by: Mike Gilbert  gentoo.org>

 .../shadow/files/shadow-4.14.0-bug912446.patch | 1305 
 ...ow-4.14.0-r2.ebuild => shadow-4.14.0-r3.ebuild} |   12 +-
 2 files changed, 1314 insertions(+), 3 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.14.0-bug912446.patch 
b/sys-apps/shadow/files/shadow-4.14.0-bug912446.patch
new file mode 100644
index ..881c8f7f4ad4
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.14.0-bug912446.patch
@@ -0,0 +1,1305 @@
+https://bugs.gentoo.org/912446
+
+From c34c2606cf8f0a52113156d9e22b7a35b391a17e Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar 
+Date: Fri, 25 Aug 2023 11:29:00 +0200
+Subject: [PATCH] lib, libmisc: Move source files to lib (where their headers
+ were)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Scripted change:
+
+$ find lib/ -type f \
+| grep '\.h$' \
+| sed 's,lib/,libmisc/,' \
+| sed 's,\.h$,.c,' \
+| xargs find 2>/dev/null \
+| xargs mv -t lib/;
+
+Plus updating the Makefiles.
+
+Closes: 
+Closes: 
+Link: 

+Link: 
+Link: 

+Reported-by: Christian Bricart 
+Reported-by: Robert Marmorstein 
+Cc: Sam James 
+[ jubalh tested the openSUSE package ]
+Tested-by: Michael Vetter 
+Acked-by: Michael Vetter 
+[ Robert F. tested the Gentoo package ]
+Tested-by: Robert Förster 
+Cc: David Seifert 
+Signed-off-by: Alejandro Colomar 
+---
+ lib/Makefile.am   | 10 ++
+ {libmisc => lib}/alloc.c  |  0
+ {libmisc => lib}/bit.c|  0
+ {libmisc => lib}/mempcpy.c|  0
+ {libmisc => lib}/stpecpy.c|  0
+ {libmisc => lib}/stpeprintf.c |  0
+ libmisc/Makefile.am   |  9 -
+ 7 files changed, 10 insertions(+), 9 deletions(-)
+ rename {libmisc => lib}/alloc.c (100%)
+ rename {libmisc => lib}/bit.c (100%)
+ rename {libmisc => lib}/mempcpy.c (100%)
+ rename {libmisc => lib}/stpecpy.c (100%)
+ rename {libmisc => lib}/stpeprintf.c (100%)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index c8d6dd5fb..7f3f7f639 100644
+--- a/lib/Makefile.am
 b/lib/Makefile.am
+@@ -14,6 +14,10 @@ libshadow_la_CPPFLAGS += -I$(top_srcdir)
+ libshadow_la_CFLAGS = $(LIBBSD_CFLAGS)
+ 
+ libshadow_la_SOURCES = \
++  alloc.c \
++  alloc.h \
++  bit.c \
++  bit.h \
+   commonio.c \
+   commonio.h \
+   defines.h \
+@@ -34,6 +38,8 @@ libshadow_la_SOURCES = \
+   groupio.h \
+   gshadow.c \
+   lockpw.c \
++  mempcpy.c \
++  mempcpy.h \
+   nss.c \
+   nscd.c \
+   nscd.h \
+@@ -67,6 +73,10 @@ libshadow_la_SOURCES = \
+   shadowio.h \
+   shadowmem.c \
+   spawn.c \
++  stpecpy.c \
++  stpecpy.h \
++  stpeprintf.c \
++  stpeprintf.h \
+   write_full.c
+ 
+ if WITH_TCB
+diff --git a/libmisc/alloc.c b/lib/alloc.c
+similarity index 100%
+rename from libmisc/alloc.c
+rename to lib/alloc.c
+diff --git a/libmisc/bit.c b/lib/bit.c
+similarity index 100%
+rename from libmisc/bit.c
+rename to lib/bit.c
+diff --git a/libmisc/mempcpy.c b/lib/mempcpy.c
+similarity index 100%
+rename from libmisc/mempcpy.c
+rename to lib/mempcpy.c
+diff --git a/libmisc/stpecpy.c b/lib/stpecpy.c
+similarity index 100%
+rename from libmisc/stpecpy.c
+rename to lib/stpecpy.c
+diff --git a/libmisc/stpeprintf.c b/lib/stpeprintf.c
+similarity index 100%
+rename from libmisc/stpeprintf.c
+rename to lib/stpeprintf.c
+diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
+index 10bf1537f..5eba4650a 100644
+--- a/libmisc/Makefile.am
 b/libmisc/Makefile.am
+@@ -16,12 +16,8 @@ libmisc_la_SOURCES = \
+   addgrps.c \
+   age.c \
+   agetpass.c \
+-  alloc.c \
+-  ../lib/alloc.h \
+   audit_help.c \
+   basename.c \
+-  bit.c \
+-  ../lib/bit.h \
+   chkname.c \
+   chkname.h \
+   chowndir.c \
+@@ -53,7 +49,6 @@ libmisc_la_SOURCES = \
+   list.c \
+   loginprompt.c \
+   mail.c \
+-  mempcpy.c \
+   motd.c \
+   myname.c \
+   obscure.c \
+@@ -71,10 +66,6 @@ libmisc_la_SOURCES = \
+   setugid.c \
+   setupenv.c \
+   shell.c \
+-  stpecpy.c \
+-  ../lib/stpecpy.h \
+-  stpeprintf.c \
+-  ../lib/stpeprintf.h \
+   strtoday.c \
+   sub.c \
+   sulog.c \
+From 093fb605f9ca0df8310210377b12c0cf2ea5110c Mon Sep 17 00:00:00 2001
+From: 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2023-06-16 Thread Sam James
commit: 16921604a6bd3ec292570577a472d18aebe60389
Author: Sam James  gentoo  org>
AuthorDate: Sat Jun 17 02:29:25 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Jun 17 02:32:11 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16921604

sys-apps/shadow: backport password leak fix, backport usermod gid --prefix fix

Bug: https://bugs.gentoo.org/908613
Closes: https://bugs.gentoo.org/894754
Signed-off-by: Sam James  gentoo.org>

 .../shadow/files/shadow-4.13-password-leak.patch   | 135 +++
 .../files/shadow-4.13-usermod-prefix-gid.patch |  33 +++
 sys-apps/shadow/shadow-4.13-r4.ebuild  | 268 +
 3 files changed, 436 insertions(+)

diff --git a/sys-apps/shadow/files/shadow-4.13-password-leak.patch 
b/sys-apps/shadow/files/shadow-4.13-password-leak.patch
new file mode 100644
index ..25b5ec39c5f8
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.13-password-leak.patch
@@ -0,0 +1,135 @@
+https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
+
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar 
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/

2023-05-02 Thread Mike Gilbert
commit: 0f58b1b7e1f67288b7ccac5719ae9992181cc69b
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Tue May  2 18:54:03 2023 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Tue May  2 20:07:36 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f58b1b7

sys-apps/shadow: remove unused patch

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/30843
Signed-off-by: Mike Gilbert  gentoo.org>

 sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch | 10 --
 1 file changed, 10 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch 
b/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch
deleted file mode 100644
index efcb33dbd9ef..
--- a/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch
+++ /dev/null
@@ -1,10 +0,0 @@
 shadow-4.1.3/libmisc/chkname.c
-+++ shadow-4.1.3/libmisc/chkname.c
-@@ -66,6 +66,7 @@
- ( ('0' <= *name) && ('9' >= *name) ) ||
- ('_' == *name) ||
- ('-' == *name) ||
-+('.' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
-)) {
-   return false;



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2023-04-18 Thread Mike Gilbert
commit: f00fc3d1955bec0b229a0a4e5affc3080f4554fd
Author: Michael Vetter  iodoru  org>
AuthorDate: Tue Apr 18 16:01:40 2023 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Tue Apr 18 16:33:34 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00fc3d1

sys-apps/shadow: fix CVE-2023-29383

See: https://nvd.nist.gov/vuln/detail/CVE-2023-29383
Bug: https://bugs.gentoo.org/904518
Signed-off-by: Michael Vetter  iodoru.org>
Closes: https://github.com/gentoo/gentoo/pull/30644
Signed-off-by: Mike Gilbert  gentoo.org>

 .../shadow/files/shadow-4.13-CVE-2023-29383.patch  | 100 
 sys-apps/shadow/shadow-4.13-r3.ebuild  | 264 +
 2 files changed, 364 insertions(+)

diff --git a/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch 
b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
new file mode 100644
index ..49868ba67c96
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
@@ -0,0 +1,100 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters 
are present.
+---
+ lib/fields.c | 11 +++
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931f..fb51b5829 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *   contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *   but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+   }
+ 
+   if (0 == err) {
+-  /* Search if there are some non-printable characters */
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' != *cp; cp++) {
+   if (!isprint (*cp)) {
+   err = 1;
++  }
++  if (!iscntrl (*cp)) {
++  err = -1;
+   break;
+   }
+   }
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= 
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++--
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b5829..539292485 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+   /* For each character of field, search if it appears in the list
+* of illegal characters. */
++  if (illegal && NULL != strpbrk (field, illegal)) {
++  return -1;
++  }
++
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' != *cp; cp++) {
+-  if (strchr (illegal, *cp) != NULL) {
++  unsigned char c = *cp;
++  if (!isprint (c)) {
++  err = 1;
++  }
++  if (iscntrl (c)) {
+   err = -1;
+   break;
+   }
+   }
+ 
+-  if (0 == err) {
+-  /* Search if there are non-printable or control characters */
+-  for (cp = field; '\0' != *cp; cp++) {
+-  if (!isprint (*cp)) {
+-  err = 1;
+-  }
+-  if (!iscntrl (*cp)) {
+-  err = -1;
+-  break;
+-  }
+-  }
+-  }
+-
+   return err;
+ }
+ 
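Review bot: In the final `valid_field()` loop of the second bundled patch, a byte that fails `isprint()` but is not matched by `iscntrl()` only sets `err = 1`, so the new rejection is decided per byte and by the active locale. Bytes at or above 0x80 would presumably land in that class in the C locale, which leaves callers responsible for handling a return of 1 deliberately; their handling is not visible in this hunk. I would state that next to the check, e.g. `/* iscntrl() is per byte and locale-dependent; a result of 1 still means non-printable input */`. The first bundled commit carries the inverted `!iscntrl` test and only the second corrects it, so the two must stay in one file and be applied together. The patch file also starts without any reference; a first line such as `https://bugs.gentoo.org/904518` would match the 4.14.0-bug912446 and 4.13-password-leak patches.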

diff --git a/sys-apps/shadow/shadow-4.13-r3.ebuild 
b/sys-apps/shadow/shadow-4.13-r3.ebuild
new file mode 100644
index ..7d0460c2c41e
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.13-r3.ebuild
@@ -0,0 +1,264 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2021-12-19 Thread Sam James
commit: 019a7e4cea7b1a827ea4e1b5ef64dc528173d324
Author: Sam James  gentoo  org>
AuthorDate: Mon Dec 20 01:40:38 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Dec 20 01:40:51 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=019a7e4c

sys-apps/shadow: update libsubid patch to match upstream-submitted version

Signed-off-by: Sam James  gentoo.org>

 sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch | 13 -
 sys-apps/shadow/shadow-4.10-r2.ebuild   |  1 -
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch 
b/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch
index db9c917b..e2f8ddf466d9 100644
--- a/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch
+++ b/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch
@@ -1,7 +1,7 @@
 https://github.com/shadow-maint/shadow/pull/463
 
 From: Sam James 
-Date: Mon, 20 Dec 2021 01:24:16 +
+Date: Mon, 20 Dec 2021 01:37:23 +
 Subject: [PATCH] libsubid: fix defining SONAME version
 
 We were overriding this when --enable-shared was passed. We can actually
@@ -11,6 +11,17 @@ us here anyway.
 Without this patch, libsubid is installed as .0.
 
 Signed-off-by: Sam James 
+--- a/configure.ac
 b/configure.ac
+@@ -321,8 +321,6 @@ if test "$with_sha_crypt" = "yes"; then
+   AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 
password encryption algorithms])
+ fi
+ 
+-AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+-
+ AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
+ if test "$with_bcrypt" = "yes"; then
+   AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password 
encryption algorithm])
 --- a/libsubid/Makefile.am
 +++ b/libsubid/Makefile.am
 @@ -1,10 +1,6 @@

diff --git a/sys-apps/shadow/shadow-4.10-r2.ebuild 
b/sys-apps/shadow/shadow-4.10-r2.ebuild
index 888a5dd2db52..6f651117a693 100644
--- a/sys-apps/shadow/shadow-4.10-r2.ebuild
+++ b/sys-apps/shadow/shadow-4.10-r2.ebuild
@@ -68,7 +68,6 @@ src_prepare() {
 src_configure() {
local myeconfargs=(
--disable-account-tools-setuid
-   --enable-shared
--disable-static
--with-btrfs
--without-group-name-max-length



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2021-12-19 Thread Sam James
commit: ca1bb8531416b974b09efde5028ea46829e3c2c0
Author: Sam James  gentoo  org>
AuthorDate: Mon Dec 20 01:27:07 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Dec 20 01:27:22 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca1bb853

sys-apps/shadow: fix libsubid SONAME, add subslot for libsubid

Signed-off-by: Sam James  gentoo.org>

 .../shadow/files/shadow-4.10-libsubid-soname.patch | 27 ++
 sys-apps/shadow/metadata.xml   |  4 +++-
 ...shadow-4.10-r1.ebuild => shadow-4.10-r2.ebuild} |  9 +---
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch 
b/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch
new file mode 100644
index ..db9c917b
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.10-libsubid-soname.patch
@@ -0,0 +1,27 @@
+https://github.com/shadow-maint/shadow/pull/463
+
+From: Sam James 
+Date: Mon, 20 Dec 2021 01:24:16 +
+Subject: [PATCH] libsubid: fix defining SONAME version
+
+We were overriding this when --enable-shared was passed. We can actually
+just dump the conditional logic as libtool will do the right thing for
+us here anyway.
+
+Without this patch, libsubid is installed as .0.
+
+Signed-off-by: Sam James 
+--- a/libsubid/Makefile.am
 b/libsubid/Makefile.am
+@@ -1,10 +1,6 @@
+ lib_LTLIBRARIES = libsubid.la
+-if ENABLE_SHARED
+-libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
+-  -shared -version-info @LIBSUBID_ABI_MAJOR@
+-endif
+ libsubid_la_SOURCES = api.c
+-libsubid_la_LDFLAGS = -export-symbols-regex '^subid_'
++libsubid_la_LDFLAGS = -version-info @LIBSUBID_ABI_MAJOR@ 
-export-symbols-regex '^subid_'
+ 
+ pkginclude_HEADERS = subid.h
+ 

diff --git a/sys-apps/shadow/metadata.xml b/sys-apps/shadow/metadata.xml
index 980dcbed0ddb..9c7dcc5444cf 100644
--- a/sys-apps/shadow/metadata.xml
+++ b/sys-apps/shadow/metadata.xml
@@ -9,7 +9,9 @@
build the bcrypt password encryption 
algorithm
build the su program

-   
+
+   Reflect ABI of libsubids.so
+   

cpe:/a:debian:shadow
shadow-maint/shadow

diff --git a/sys-apps/shadow/shadow-4.10-r1.ebuild 
b/sys-apps/shadow/shadow-4.10-r2.ebuild
similarity index 97%
rename from sys-apps/shadow/shadow-4.10-r1.ebuild
rename to sys-apps/shadow/shadow-4.10-r2.ebuild
index a213030fec37..888a5dd2db52 100644
--- a/sys-apps/shadow/shadow-4.10-r1.ebuild
+++ b/sys-apps/shadow/shadow-4.10-r2.ebuild
@@ -3,14 +3,15 @@
 
 EAPI=7
 
-inherit libtool pam
+inherit autotools pam
 
 DESCRIPTION="Utilities to deal with user accounts"
 HOMEPAGE="https://github.com/shadow-maint/shadow;
 
SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz;
 
 LICENSE="BSD GPL-2"
-SLOT="0"
+# Subslot is for libsubid's SONAME.
+SLOT="0/4"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sparc ~x86"
 IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr"
 # Taken from the man/Makefile.am file.
@@ -54,12 +55,14 @@ RDEPEND="${COMMON_DEPEND}
 
 PATCHES=(
"${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
+   "${FILESDIR}/${PN}-4.10-libsubid-soname.patch"
 )
 
 src_prepare() {
default
 
-   elibtoolize
+   eautoreconf
+   #elibtoolize
 }
 
 src_configure() {
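Review bot: The commented-out `#elibtoolize` added to `src_prepare()` is dead code and should be dropped, since the hunk already replaces it with `eautoreconf`. If a reminder is wanted, a why-comment serves better, e.g. `# eautoreconf: the libsubid SONAME patch edits libsubid/Makefile.am`. The subslot in `SLOT="0/4"` (earlier hunk of this file) presumably mirrors `@LIBSUBID_ABI_MAJOR@` and has to be kept in sync by hand, so the existing comment could say where that number is taken from.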



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2021-08-14 Thread Mike Gilbert
commit: facfcc2e69ac04433cb0b9b31b755d9e9fb20b2b
Author: Mike Gilbert  gentoo  org>
AuthorDate: Sun Aug 15 00:46:26 2021 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Sun Aug 15 00:46:26 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=facfcc2e

sys-apps/shadow: fix SHA hash behavior with USE=-pam

Closes: https://bugs.gentoo.org/808195
Signed-off-by: Mike Gilbert  gentoo.org>

 sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch  | 57 ++
 .../{shadow-4.9-r1.ebuild => shadow-4.9-r2.ebuild} |  1 +
 2 files changed, 58 insertions(+)

diff --git a/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch 
b/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch
new file mode 100644
index 000..05be7adc1b1
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch
@@ -0,0 +1,57 @@
+From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert 
+Date: Sat, 14 Aug 2021 13:24:34 -0400
+Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
+
+If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
+use SHA_ROUNDS_DEFAULT.
+
+Previously, the code fell through, calling shadow_random(-1, -1). This
+ultimately set rounds = (unsigned long) -1, which ends up being a very
+large number! This then got capped to SHA_ROUNDS_MAX later in the
+function.
+
+The new behavior matches BCRYPT_get_salt_rounds().
+
+Bug: https://bugs.gentoo.org/808195
+Fixes: https://github.com/shadow-maint/shadow/issues/393
+---
+ libmisc/salt.c | 21 +++--
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index 91d528fd..30eefb9c 100644
+--- a/libmisc/salt.c
 b/libmisc/salt.c
+@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long 
SHA_get_salt_rounds (/*@null@*/int *pre
+   if ((-1 == min_rounds) && (-1 == max_rounds)) {
+   rounds = SHA_ROUNDS_DEFAULT;
+   }
++  else {
++  if (-1 == min_rounds) {
++  min_rounds = max_rounds;
++  }
+ 
+-  if (-1 == min_rounds) {
+-  min_rounds = max_rounds;
+-  }
++  if (-1 == max_rounds) {
++  max_rounds = min_rounds;
++  }
+ 
+-  if (-1 == max_rounds) {
+-  max_rounds = min_rounds;
+-  }
++  if (min_rounds > max_rounds) {
++  max_rounds = min_rounds;
++  }
+ 
+-  if (min_rounds > max_rounds) {
+-  max_rounds = min_rounds;
++  rounds = (unsigned long) shadow_random (min_rounds, 
max_rounds);
+   }
+-
+-  rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
+   } else if (0 == *prefered_rounds) {
+   rounds = SHA_ROUNDS_DEFAULT;
+   } else {
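Review bot: The new `else` branch still hands any configured value other than -1 to `shadow_random()` and the `(unsigned long)` cast, so a negative `min_rounds` or `max_rounds` coming from the lookup outside this hunk would presumably wrap to a very large number and be clamped to SHA_ROUNDS_MAX, which is the same symptom the patch removes for the unset case. Unless the configuration reader already rejects negatives, a guard after the normalisation would close it: `if (min_rounds < 0 || max_rounds < 0) { rounds = SHA_ROUNDS_DEFAULT; }`. On style, the added `else {` sits on its own line while the rest of the function writes `} else if (...) {` and `} else {`. The body of `SHA_get_salt_rounds()` starts and ends outside the hunk.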

diff --git a/sys-apps/shadow/shadow-4.9-r1.ebuild 
b/sys-apps/shadow/shadow-4.9-r2.ebuild
similarity index 99%
rename from sys-apps/shadow/shadow-4.9-r1.ebuild
rename to sys-apps/shadow/shadow-4.9-r2.ebuild
index 545c8cb652b..8ce94660aad 100644
--- a/sys-apps/shadow/shadow-4.9-r1.ebuild
+++ b/sys-apps/shadow/shadow-4.9-r2.ebuild
@@ -57,6 +57,7 @@ PATCHES=(
"${FILESDIR}/${P}-libsubid_pam_linking.patch"
"${FILESDIR}/${P}-libsubid_oot_build.patch"
"${FILESDIR}/shadow-4.9-libcrack.patch"
+   "${FILESDIR}/shadow-4.9-SHA-rounds.patch"
 )
 
 src_prepare() {



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2021-07-25 Thread Lars Wendler
commit: 094b04485ed2967a788dc20912de0cc76d2f47ab
Author: Lars Wendler  gentoo  org>
AuthorDate: Sun Jul 25 14:02:03 2021 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Sun Jul 25 14:02:03 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=094b0448

sys-apps/shadow: Bump to version 4.9

Signed-off-by: Lars Wendler  gentoo.org>

 sys-apps/shadow/Manifest   |   1 +
 .../files/shadow-4.9-libsubid_oot_build.patch  | 109 +
 .../files/shadow-4.9-libsubid_pam_linking.patch|  28 +++
 sys-apps/shadow/shadow-4.9.ebuild  | 249 +
 4 files changed, 387 insertions(+)

diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 5d1b8fe26cb..19bec0338d0 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1 +1,2 @@
 DIST shadow-4.8.1.tar.xz 1611196 BLAKE2B 
952707cdd55dc6c00dcbc60dbc3bf84ac618dbe916b36d993802b3ce42594de332a9bc22933a28881af3d317a340eab017ada55511b4e4fbc3ca6b422c4bc254
 SHA512 
780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b
+DIST shadow-4.9.tar.xz 1627008 BLAKE2B 
7a9a6a489115c7a20520cfec61f008fc0f70f7f50aaf539e94dfdcb20035d2de88ab3198e76812a4e3eb944b92c76c0ca2e85e35f4342537711c2c033248a72b
 SHA512 
254cda49bb14505a7604821e7fa898bf4bf317d648e9ddc881ab80a6860d52053dfffacad6feab87c7d16608c35ed6b6cee99e7757eac930da3a7b31cdcd4b95

diff --git a/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch 
b/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch
new file mode 100644
index 000..6609ccd6d3a
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch
@@ -0,0 +1,109 @@
+From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Fri, 23 Jul 2021 17:51:13 -0500
+Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
+
+There's a better way to do this, and I hope to clean that up,
+but this fixes out of tree builds for me right now.
+
+Closes #386
+
+Signed-off-by: Serge Hallyn 
+---
+ lib/Makefile.am  | 2 ++
+ libmisc/Makefile.am  | 2 +-
+ libsubid/Makefile.am | 4 ++--
+ src/Makefile.am  | 6 ++
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index ecf3ee25..5ac2e111 100644
+--- a/lib/Makefile.am
 b/lib/Makefile.am
+@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
+ libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
+ endif
+ 
++libshadow_la_CPPFLAGS += -I$(top_srcdir)
++
+ libshadow_la_SOURCES = \
+   commonio.c \
+   commonio.h \
+diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
+index 9766a7ec..9f237e0d 100644
+--- a/libmisc/Makefile.am
 b/libmisc/Makefile.am
+@@ -1,7 +1,7 @@
+ 
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+ 
+-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
++AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
+ 
+ noinst_LTLIBRARIES = libmisc.la
+ 
+diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
+index 83051560..99308c1f 100644
+--- a/libsubid/Makefile.am
 b/libsubid/Makefile.am
+@@ -20,8 +20,8 @@ MISCLIBS = \
+   $(LIBPAM)
+ 
+ libsubid_la_LIBADD = \
+-  $(top_srcdir)/lib/libshadow.la \
+-  $(top_srcdir)/libmisc/libmisc.la \
++  $(top_builddir)/lib/libshadow.la \
++  $(top_builddir)/libmisc/libmisc.la \
+   $(MISCLIBS) -ldl
+ 
+ AM_CPPFLAGS = \
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 35027013..7c1a3491 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -10,6 +10,7 @@ sgidperms = 2755
+ AM_CPPFLAGS = \
+   -I${top_srcdir}/lib \
+   -I$(top_srcdir)/libmisc \
++  -I$(top_srcdir) \
+   -DLOCALEDIR=\"$(datadir)/locale\"
+ 
+ # XXX why are login and su in /bin anyway (other than for
+@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \
+ list_subid_ranges_CPPFLAGS = \
+   -I$(top_srcdir)/lib \
+   -I$(top_srcdir)/libmisc \
++  -I$(top_srcdir) \
+   -I$(top_srcdir)/libsubid
+ 
+ get_subid_owners_LDADD = \
+@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
+ get_subid_owners_CPPFLAGS = \
+   -I$(top_srcdir)/lib \
+   -I$(top_srcdir)/libmisc \
++  -I$(top_srcdir) \
+   -I$(top_srcdir)/libsubid
+ 
+ new_subid_range_CPPFLAGS = \
+   -I$(top_srcdir)/lib \
+   -I$(top_srcdir)/libmisc \
++  -I$(top_srcdir) \
+   -I$(top_srcdir)/libsubid
+ 
+ new_subid_range_LDADD = \
+@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
+ free_subid_range_CPPFLAGS = \
+   -I$(top_srcdir)/lib \
+   -I$(top_srcdir)/libmisc \
++  -I$(top_srcdir) \
+   -I$(top_srcdir)/libsubid
+ 
+ free_subid_range_LDADD = \
+@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
+ 
+ check_subid_range_CPPFLAGS = \
+   -I$(top_srcdir)/lib \
++  -I$(top_srcdir) \
+   -I$(top_srcdir)/libmisc
+ 
+ check_subid_range_LDADD = \
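Review bot: In the `src/Makefile.am` part, `check_subid_range_CPPFLAGS` gets `-I$(top_srcdir)` ahead of `-I$(top_srcdir)/libmisc`, while every other `*_CPPFLAGS` block touched by this patch adds it after the libmisc entry. Include order decides which header wins when the same name exists in both directories, so one order should be used throughout, here `-I$(top_srcdir)/lib`, then `-I$(top_srcdir)/libmisc`, then `-I$(top_srcdir)`. The `check_subid_range_LDADD` assignment that follows continues outside the hunk.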

diff --git a/sys-apps/shadow/files/shadow-4.9-libsubid_pam_linking.patch 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/

2021-07-10 Thread Conrad Kostecki
commit: 2aa994b5c808df07ac6b128ee82b422134a842da
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Tue May 18 17:53:03 2021 +
Commit: Conrad Kostecki  gentoo  org>
CommitDate: Sat Jul 10 21:06:22 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aa994b5

sys-apps/shadow: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/20873
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Signed-off-by: Conrad Kostecki  gentoo.org>

 sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch | 15 ---
 1 file changed, 15 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch 
b/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
deleted file mode 100644
index 08382fcb950..000
--- a/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 97839741..ff153d92 100644
 a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -2,8 +2,8 @@
- EXTRA_DIST = \
-   .indent.pro
- 
--ubindir = ${bindir}
--usbindir = ${sbindir}
-+ubindir = ${prefix}/bin
-+usbindir = ${prefix}/sbin
- suidperms = 4755
- sgidperms = 2755
- 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2020-04-21 Thread Lars Wendler
commit: 56a1b1be9d9b3661cc4f2ab036312d47892c4118
Author: Lars Wendler  gentoo  org>
AuthorDate: Tue Apr 21 08:13:36 2020 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Tue Apr 21 08:24:39 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56a1b1be

sys-apps/shadow: Security cleanup

Bug: https://bugs.gentoo.org/702252
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Lars Wendler  gentoo.org>

 sys-apps/shadow/Manifest   |   2 -
 sys-apps/shadow/files/shadow-4.7-optional_su.patch | 130 
 sys-apps/shadow/shadow-4.6.ebuild  | 214 ---
 sys-apps/shadow/shadow-4.7-r2.ebuild   | 236 -
 4 files changed, 582 deletions(-)

diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 37a6f8d7768..c224c0d1a24 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1,4 +1,2 @@
-DIST shadow-4.6.tar.gz 3804282 BLAKE2B 
268c90e7daba138827aec6039f428f52cdcf7929743fa1f49f801cc669de7456ec5a69531194cdb29f051ce7d0b2f1e966fdf2513a9fc8f7fbdeb29d786a509f
 SHA512 
36358333e7f03ef558772f3361bc5851a7d7fd3d85c993a6b732e37304b8068b2893d55607b9bfe8b8eed616a687264f947ff66cefc74ea1a48ba9396d464714
-DIST shadow-4.7.tar.gz 385 BLAKE2B 
8e030d3dcc5eb76332ff76aad8e9141edb4ae660f56dd3b420968c538d3022a72ab620710b9274b9afb44f497399f5c4ceef339b7d2c52106b9b8368ff127654
 SHA512 
9b134dc90d8fb39bc72db69ddb78cef6263921c8a2f00abc00ac796bf468ac18393399920eec14bd2a78b814a06fc18eb6f5685ede13fe222fc66b2e411cbb01
 DIST shadow-4.8.1.tar.xz 1611196 BLAKE2B 
952707cdd55dc6c00dcbc60dbc3bf84ac618dbe916b36d993802b3ce42594de332a9bc22933a28881af3d317a340eab017ada55511b4e4fbc3ca6b422c4bc254
 SHA512 
780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b
 DIST shadow-4.8.tar.xz 1609060 BLAKE2B 
9d0b515e40f45c0baf420ef7ffaf5b6dd7989b26c93fc6dd610876263ac22e61fbc2821649d347c28055ae84f64cd5ab5c2435450c55339c80b4ae5062ccc44f
 SHA512 
1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece

diff --git a/sys-apps/shadow/files/shadow-4.7-optional_su.patch 
b/sys-apps/shadow/files/shadow-4.7-optional_su.patch
deleted file mode 100644
index 47284646077..000
--- a/sys-apps/shadow/files/shadow-4.7-optional_su.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From ddb0553b2e559fd431fe8b460c37cb7fef8c06ee Mon Sep 17 00:00:00 2001
-From: Lars Wendler 
-Date: Tue, 19 Nov 2019 10:57:06 +0100
-Subject: [PATCH] build: Make build/installation of su and its support files
- optional
-
-Enabled by default
-This is necessary because coreutils and util-linux can also provide su
-
-Signed-off-by: Lars Wendler 

- configure.ac  |  7 +++
- etc/pam.d/Makefile.am |  7 +--
- man/Makefile.am   |  5 -
- src/Makefile.am   | 10 --
- 4 files changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 67625564..5629df98 100644
 a/configure.ac
-+++ b/configure.ac
-@@ -286,6 +286,9 @@ AC_ARG_WITH(sssd,
- AC_ARG_WITH(group-name-max-length,
-   [AC_HELP_STRING([--with-group-name-max-length], [set max group name 
length @<:@default=16@:>@])],
-   [with_group_name_max_length=$withval], [with_group_name_max_length=yes])
-+AC_ARG_WITH(su,
-+  [AC_HELP_STRING([--with-su], [build and install su program and man page 
@<:@default=yes@:>@])],
-+  [with_su=$withval], [with_su=yes])
- 
- if test "$with_group_name_max_length" = "no" ; then
-   with_group_name_max_length=0
-@@ -313,6 +316,9 @@ if test "$with_sssd" = "yes"; then
- [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
- fi
- 
-+AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])])
-+AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
-+
- dnl Check for some functions in libc first, only if not found check for
- dnl other libraries.  This should prevent linking libnsl if not really
- dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
-@@ -719,4 +725,5 @@ echo " nscd support:   $with_nscd"
- echo "sssd support:   $with_sssd"
- echo "subordinate IDs support:$enable_subids"
- echo "use file caps:  $with_fcaps"
-+echo "install su: $with_su"
- echo
-diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am
-index d967eb95..38ff26ae 100644
 a/etc/pam.d/Makefile.am
-+++ b/etc/pam.d/Makefile.am
-@@ -6,8 +6,7 @@ pamd_files = \
-   chsh \
-   groupmems \
-   login \
--  passwd \
--  su
-+  passwd
- 
- pamd_acct_tools_files = \
-   chage \
-@@ -29,4 +28,8 @@ pamd_DATA += $(pamd_acct_tools_files)
- endif
- endif
- 
-+if WITH_SU
-+pamd_files += su
-+endif
-+
- EXTRA_DIST = $(pamd_files) $(pamd_acct_tools_files)
-diff --git 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/pam.d-include/, sys-apps/shadow/

2020-01-18 Thread Lars Wendler
commit: c7da130a443ab9811b242ae2cbf8259cb85d43b1
Author: Michael Weiser  gmx  de>
AuthorDate: Tue Dec 17 19:02:40 2019 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Sun Jan 19 01:00:17 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a

sys-apps/shadow: Revbump to fix up PAM configuration

shadow includes a number of administrative account management binaries
like useradd, chage and chpasswd, traditionally only useable by root.
In shadow they can be compiled with PAM support and installed setuid.
PAM configuration can then be used to delegate account management to
users other than root.

The previous config contained the pam_rootok module to provide default
behaviour of allowing account management when called as root. But it
also contained pam_permit which would allow everyone else to also do
account management without any authentication.

To close this loophole we remove pam_permit from the config. Also,
chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant
for scripting. They only contain PAM support if configure flag
--enable-account-tools-setuid is in effect and are then installed setuid
root. They should use the same restrictive PAM configuration as their
siblings.  But with setuid user management tools and PAM support within
them disabled by commit f569e607 we can stop installing the
configuration files as well.

chfn and chsh are intended to be called by the user as self-service
tools. For this reason they're always installed setuid root and contain
PAM support. They should be allowed to work but maybe not without some
prior authentication to avoid attacks such as someone finding an
unlocked session and using chfn to redirect phone calls intended for the
user to himself. The existing passwd config seems perfect for that and
is aptly named in that both tools change user information normally
stored in /etc/passwd.

groupmems is another user self-service tool. It allows the user to add
people to their user-private group, allowing them trusted access to
normally private files. It is not installed setuid like chfn and chsh
but always contains PAM support. Upstream installs a locked down PAM
config by default.

Since default shell profiles on Gentoo do not change umask to 0002 when
a private user group is in use, impact will only be to allow read access
to those additional users by default.

Since the idea of adding more users to the user *private* group is
questionable, go with upstream's default of locking the PAM config down
so that an admin not only needs to make the binary suid but also adjust
the PAM config, in the process hopefully considering what they're doing.

Bug: https://bugs.gentoo.org/702252
Closes: https://github.com/gentoo/gentoo/pull/14032
Reviewed-by: Mikle Kolyada  gentoo.org>
Signed-off-by: Lars Wendler  gentoo.org>

 sys-apps/shadow/files/pam.d-include/shadow-r1 |   7 +
 sys-apps/shadow/shadow-4.8-r3.ebuild  | 233 ++
 2 files changed, 240 insertions(+)

diff --git a/sys-apps/shadow/files/pam.d-include/shadow-r1 
b/sys-apps/shadow/files/pam.d-include/shadow-r1
new file mode 100644
index 000..e42e8493ffe
--- /dev/null
+++ b/sys-apps/shadow/files/pam.d-include/shadow-r1
@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth   sufficient  pam_rootok.so
+
+accountinclude system-auth
+
+password   requiredpam_permit.so
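Review bot: The `auth` stack in the new `shadow-r1` holds only `auth sufficient pam_rootok.so`, so rejecting non-root callers rests on how PAM resolves a stack in which no module returns a verdict, not on an explicit rule. As far as I know Linux-PAM fails such a stack, but a second line `auth required pam_deny.so` would make the root-only intent visible in the file and independent of that fall-through behaviour. The commit message says pam_permit is removed, yet `pam_permit.so` is still present on the `password` line; if that is deliberate, a comment such as `# pam_permit is kept for the password stack only; auth is root-only via pam_rootok` would stop a later reader from "finishing" the cleanup or re-adding it to `auth`.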

diff --git a/sys-apps/shadow/shadow-4.8-r3.ebuild 
b/sys-apps/shadow/shadow-4.8-r3.ebuild
new file mode 100644
index 000..ce51a62e4d9
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.8-r3.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools libtool pam
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="https://github.com/shadow-maint/shadow;
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz;
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sh ~sparc ~x86"
+IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr"
+# Taken from the man/Makefile.am file.
+LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
+
+DEPEND="
+   acl? ( sys-apps/acl:0= )
+   audit? ( >=sys-process/audit-2.6:0= )
+   cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
+   nls? ( virtual/libintl )
+   pam? ( sys-libs/pam:0= )
+   skey? ( sys-auth/skey:0= )
+   selinux? (
+   >=sys-libs/libselinux-1.28:0=
+   sys-libs/libsemanage:0=
+   )
+   su? ( !sys-apps/util-linux[su] )
+   xattr? ( sys-apps/attr:0= )
+"
+BDEPEND="
+   app-arch/xz-utils
+   sys-devel/gettext
+"
+RDEPEND="
+   ${DEPEND}
+   pam? ( >=sys-auth/pambase-20150213 )
+"
+
+PATCHES=(
+   "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
+   

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2019-12-01 Thread Patrick McLean
commit: e3c042d5752bdab78fbf5caa05307a100483026d
Author: Patrick McLean  gentoo  org>
AuthorDate: Sun Dec  1 21:49:42 2019 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Sun Dec  1 21:49:42 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3c042d5

sys-apps/shadow-4.8-r1: Revbump, install in /usr as well as /

Package-Manager: Portage-2.3.80, Repoman-2.3.19
Signed-off-by: Patrick McLean  gentoo.org>

 sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch   | 15 +++
 .../shadow/{shadow-4.8.ebuild => shadow-4.8-r1.ebuild}| 13 ++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch 
b/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
new file mode 100644
index 000..08382fcb950
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
@@ -0,0 +1,15 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 97839741..ff153d92 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -2,8 +2,8 @@
+ EXTRA_DIST = \
+   .indent.pro
+ 
+-ubindir = ${bindir}
+-usbindir = ${sbindir}
++ubindir = ${prefix}/bin
++usbindir = ${prefix}/sbin
+ suidperms = 4755
+ sgidperms = 2755
+ 
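Review bot: The new `shadow-4.8-revert-bin-merge.patch` starts directly at `diff --git` with no header, so nothing in the file says which upstream change it reverts, why Gentoo needs `ubindir`/`usbindir` under `${prefix}`, or when the patch can be dropped. Since it decides where the binaries installed with `suidperms = 4755` end up, I would add a short header above the diff giving a one-line description, the bug or upstream commit reference, and the upstream status. The hunk shows only the top of `src/Makefile.am`, so I have not checked how `ubindir` is consumed further down.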

diff --git a/sys-apps/shadow/shadow-4.8.ebuild 
b/sys-apps/shadow/shadow-4.8-r1.ebuild
similarity index 93%
rename from sys-apps/shadow/shadow-4.8.ebuild
rename to sys-apps/shadow/shadow-4.8-r1.ebuild
index 11bb45bfd04..615a53c7676 100644
--- a/sys-apps/shadow/shadow-4.8.ebuild
+++ b/sys-apps/shadow/shadow-4.8-r1.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=7
 
-inherit libtool pam
+inherit autotools libtool pam
 
 DESCRIPTION="Utilities to deal with user accounts"
 HOMEPAGE="https://github.com/shadow-maint/shadow;
@@ -41,12 +41,13 @@ RDEPEND="
 
 PATCHES=(
"${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
+   "${FILESDIR}/shadow-4.8-revert-bin-merge.patch"
 )
 
 src_prepare() {
default
-   #eautoreconf
-   elibtoolize
+   eautoreconf
+   #elibtoolize
 }
 
 src_configure() {
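Review bot: In `src_prepare` the new side swaps which line is commented out and leaves `#elibtoolize` behind as dead code, with no hint why `eautoreconf` is now required. I would delete the commented-out call and record the reason instead, e.g. `# shadow-4.8-revert-bin-merge.patch touches src/Makefile.am` directly above `eautoreconf`. If, as I believe, `eautoreconf` already runs elibtoolize itself, `libtool` on the `inherit autotools libtool pam` line in the first hunk may no longer be needed; please confirm before dropping it.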
@@ -119,6 +120,12 @@ src_install() {
doins "${FILESDIR}"/default/useradd
 
if use split-usr ; then
+   # move passwd to / to help recover broke systems #64441
+   # We cannot simply remove this or else net-misc/scponly
+   # and other tools will break because of hardcoded passwd
+   # location
+   dodir /bin
+   mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
dosym ../../bin/passwd /usr/bin/passwd
fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2019-11-19 Thread Lars Wendler
commit: 30c4a8ad9c4fc913b0fc0b2530d9d03ded040852
Author: Lars Wendler  gentoo  org>
AuthorDate: Tue Nov 19 10:36:19 2019 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Tue Nov 19 10:37:04 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30c4a8ad

sys-apps/shadow: Introduced "su" USE flag

Moved passwd from /usr/bin to /bin (again) as it breaks at least
one package that has passwd path hardcoded (net-misc/scponly)

Thanks-to: fling  member.fsf.org>
Bug: https://bugs.gentoo.org/699930
Package-Manager: Portage-2.3.79, Repoman-2.3.18
Signed-off-by: Lars Wendler  gentoo.org>

 sys-apps/shadow/files/shadow-4.7-optional_su.patch | 130 
 sys-apps/shadow/metadata.xml   |   3 +
 sys-apps/shadow/shadow-4.7-r2.ebuild   | 234 +
 3 files changed, 367 insertions(+)

diff --git a/sys-apps/shadow/files/shadow-4.7-optional_su.patch 
b/sys-apps/shadow/files/shadow-4.7-optional_su.patch
new file mode 100644
index 000..47284646077
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.7-optional_su.patch
@@ -0,0 +1,130 @@
+From ddb0553b2e559fd431fe8b460c37cb7fef8c06ee Mon Sep 17 00:00:00 2001
+From: Lars Wendler 
+Date: Tue, 19 Nov 2019 10:57:06 +0100
+Subject: [PATCH] build: Make build/installation of su and its support files
+ optional
+
+Enabled by default
+This is necessary because coreutils and util-linux can also provide su
+
+Signed-off-by: Lars Wendler 
+---
+ configure.ac  |  7 +++
+ etc/pam.d/Makefile.am |  7 +--
+ man/Makefile.am   |  5 -
+ src/Makefile.am   | 10 --
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 67625564..5629df98 100644
+--- a/configure.ac
 b/configure.ac
+@@ -286,6 +286,9 @@ AC_ARG_WITH(sssd,
+ AC_ARG_WITH(group-name-max-length,
+   [AC_HELP_STRING([--with-group-name-max-length], [set max group name 
length @<:@default=16@:>@])],
+   [with_group_name_max_length=$withval], [with_group_name_max_length=yes])
++AC_ARG_WITH(su,
++  [AC_HELP_STRING([--with-su], [build and install su program and man page 
@<:@default=yes@:>@])],
++  [with_su=$withval], [with_su=yes])
+ 
+ if test "$with_group_name_max_length" = "no" ; then
+   with_group_name_max_length=0
+@@ -313,6 +316,9 @@ if test "$with_sssd" = "yes"; then
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
+ fi
+ 
++AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])])
++AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
++
+ dnl Check for some functions in libc first, only if not found check for
+ dnl other libraries.  This should prevent linking libnsl if not really
+ dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
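Review bot: The added `AS_IF` line in `configure.ac` has unbalanced m4 quoting: the second argument opens without `[` but the line ends in `])])`, leaving one stray `]`. m4 will most likely pass it through into the generated `configure`, where it lands inside the `if` body as a bogus command. The two added tests also disagree in form (`"$with_su" != "no"` here, `"x$with_su" != "xno"` on the `AM_CONDITIONAL` line). I would write `AS_IF([test "x$with_su" != "xno"], [AC_DEFINE(WITH_SU, 1, [Build with su])])`. The same patch text appears as removed lines in the later cleanup commit on this page; that copy is history only.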
+@@ -719,4 +725,5 @@ echo " nscd support:   $with_nscd"
+ echo "sssd support:   $with_sssd"
+ echo "subordinate IDs support:$enable_subids"
+ echo "use file caps:  $with_fcaps"
++echo "install su: $with_su"
+ echo
+diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am
+index d967eb95..38ff26ae 100644
+--- a/etc/pam.d/Makefile.am
 b/etc/pam.d/Makefile.am
+@@ -6,8 +6,7 @@ pamd_files = \
+   chsh \
+   groupmems \
+   login \
+-  passwd \
+-  su
++  passwd
+ 
+ pamd_acct_tools_files = \
+   chage \
+@@ -29,4 +28,8 @@ pamd_DATA += $(pamd_acct_tools_files)
+ endif
+ endif
+ 
++if WITH_SU
++pamd_files += su
++endif
++
+ EXTRA_DIST = $(pamd_files) $(pamd_acct_tools_files)
+diff --git a/man/Makefile.am b/man/Makefile.am
+index 3f040e05..8b64feba 100644
+--- a/man/Makefile.am
 b/man/Makefile.am
+@@ -41,7 +41,6 @@ man_MANS = \
+   man1/sg.1 \
+   man3/shadow.3 \
+   man5/shadow.5 \
+-  man1/su.1 \
+   man5/suauth.5 \
+   man8/useradd.8 \
+   man8/userdel.8 \
+@@ -54,6 +53,10 @@ man_nopam = \
+   man5/login.access.5 \
+   man5/porttime.5
+ 
++if WITH_SU
++man_MANS += man1/su.1
++endif
++
+ if !USE_PAM
+ man_MANS += $(man_nopam)
+ endif
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 34690ced..06ee9545 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -23,12 +23,15 @@ AM_CPPFLAGS = \
+ # and installation would be much simpler (just two directories,
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+ 
+-bin_PROGRAMS   = groups login su
++bin_PROGRAMS   = groups login
+ sbin_PROGRAMS  = nologin
+ ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+ endif
++if WITH_SU
++bin_PROGRAMS  += su
++endif
+ usbin_PROGRAMS = \
+   chgpasswd \
+   chpasswd \
+@@ -52,8 +55,11 @@ usbin_PROGRAMS = \
+ # id and groups are from gnu, sulogin from sysvinit
+ noinst_PROGRAMS = id sulogin
+ 
+-suidbins   = su
++suidbins   =
+ suidubins  = chage chfn chsh 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/

2018-05-24 Thread Aaron Bauman
commit: 95aadd20d54fedc76c9d3ae02e1e23ec85838aeb
Author: Michael Mair-Keimberger  gmail  com>
AuthorDate: Thu May 24 17:31:22 2018 +
Commit: Aaron Bauman  gentoo  org>
CommitDate: Thu May 24 20:34:32 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95aadd20

sys-apps/shadow: remove unused patch

 .../shadow/files/shadow-4.5-CVE-2018-7169.patch| 180 -
 1 file changed, 180 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch 
b/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch
deleted file mode 100644
index 30ad9e61406..000
--- a/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai 
-Date: Thu, 15 Feb 2018 23:49:40 +1100
-Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
-
-This is necessary to match the kernel-side policy of "self-mapping in a
-user namespace is fine, but you cannot drop groups" -- a policy that was
-created in order to stop user namespaces from allowing trivial privilege
-escalation by dropping supplementary groups that were "blacklisted" from
-certain paths.
-
-This is the simplest fix for the underlying issue, and effectively makes
-it so that unless a user has a valid mapping set in /etc/subgid (which
-only administrators can modify) -- and they are currently trying to use
-that mapping -- then /proc/$pid/setgroups will be set to deny. This
-workaround is only partial, because ideally it should be possible to set
-an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
-administrators to further restrict newgidmap(1).
-
-We also don't write anything in the "allow" case because "allow" is the
-default, and users may have already written "deny" even if they
-technically are allowed to use setgroups. And we don't write anything if
-the setgroups policy is already "deny".
-
-Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
-Fixes: CVE-2018-7169
-Reported-by: Craig Furman 
-Signed-off-by: Aleksa Sarai 

- src/newgidmap.c | 89 +++--
- 1 file changed, 80 insertions(+), 9 deletions(-)
-
-diff --git a/src/newgidmap.c b/src/newgidmap.c
-index b1e33513..59a2e75c 100644
 a/src/newgidmap.c
-+++ b/src/newgidmap.c
-@@ -46,32 +46,37 @@
-  */
- const char *Prog;
- 
--static bool verify_range(struct passwd *pw, struct map_range *range)
-+
-+static bool verify_range(struct passwd *pw, struct map_range *range, bool 
*allow_setgroups)
- {
-   /* An empty range is invalid */
-   if (range->count == 0)
-   return false;
- 
--  /* Test /etc/subgid */
--  if (have_sub_gids(pw->pw_name, range->lower, range->count))
-+  /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
-+  if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
-+  *allow_setgroups = true;
-   return true;
-+  }
- 
--  /* Allow a process to map its own gid */
--  if ((range->count == 1) && (pw->pw_gid == range->lower))
-+  /* Allow a process to map its own gid. */
-+  if ((range->count == 1) && (pw->pw_gid == range->lower)) {
-+  /* noop -- if setgroups is enabled already we won't disable it. 
*/
-   return true;
-+  }
- 
-   return false;
- }
- 
- static void verify_ranges(struct passwd *pw, int ranges,
--  struct map_range *mappings)
-+  struct map_range *mappings, bool *allow_setgroups)
- {
-   struct map_range *mapping;
-   int idx;
- 
-   mapping = mappings;
-   for (idx = 0; idx < ranges; idx++, mapping++) {
--  if (!verify_range(pw, mapping)) {
-+  if (!verify_range(pw, mapping, allow_setgroups)) {
-   fprintf(stderr, _( "%s: gid range [%lu-%lu) -> 
[%lu-%lu) not allowed\n"),
-   Prog,
-   mapping->upper,
-@@ -89,6 +94,70 @@ static void usage(void)
-   exit(EXIT_FAILURE);
- }
- 
-+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
-+{
-+  int setgroups_fd;
-+  char *policy, policy_buffer[4096];
-+
-+  /*
-+   * Default is "deny", and any "allow" will out-rank a "deny". We don't
-+   * forcefully write an "allow" here because the process we are writing
-+   * mappings for may have already set themselves to "deny" (and "allow"
-+   * is the default anyway). So allow_setgroups == true is a noop.
-+   */
-+  policy = "deny\n";
-+  if (allow_setgroups)
-+  return;
-+
-+  setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
-+  if (setgroups_fd < 0) {
-+  /*
-+   * If it's an ENOENT then we are on too old a kernel for the 
setgroups
-+   * code to exist. Emit a 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/

2018-04-12 Thread Lars Wendler
commit: 067ef63075c8f2348bd6c2c9d213093f7b4e892f
Author: Michael Mair-Keimberger  gmail  com>
AuthorDate: Thu Apr 12 13:25:40 2018 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Thu Apr 12 13:50:34 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=067ef630

sys-apps/shadow: remove unused patches

Closes: https://github.com/gentoo/gentoo/pull/7956

 .../shadow/files/shadow-4.4-CVE-2017-2616.patch| 62 --
 .../shadow/files/shadow-4.4-load_defaults.patch| 37 -
 sys-apps/shadow/files/shadow-4.4-prototypes.patch  | 42 ---
 sys-apps/shadow/files/shadow-4.4-su-snprintf.patch | 29 --
 4 files changed, 170 deletions(-)

diff --git a/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch 
b/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch
deleted file mode 100644
index b788ec35342..000
--- a/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann 
-Date: Thu, 23 Feb 2017 09:47:29 -0600
-Subject: [PATCH] su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.

- src/su.c | 19 +--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/src/su.c b/src/su.c
-index f20d230..d86aa86 100644
 a/src/su.c
-+++ b/src/su.c
-@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
-   /* wake child when resumed */
-   kill (pid, SIGCONT);
-   stop = false;
-+  } else {
-+  pid_child = 0;
-   }
-   } while (!stop);
-   }
- 
--  if (0 != caught) {
-+  if (0 != caught && 0 != pid_child) {
-   (void) fputs ("\n", stderr);
-   (void) fputs (_("Session terminated, terminating shell..."),
- stderr);
-@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
-   snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child 
to terminate.\n"));
- 
-   (void) signal (SIGALRM, kill_child);
-+  (void) signal (SIGCHLD, catch_signals);
-   (void) alarm (2);
- 
--  (void) wait ();
-+  sigemptyset ();
-+  if ((sigaddset (, SIGALRM) != 0)
-+  || (sigprocmask (SIG_BLOCK, , NULL) != 0)) {
-+  fprintf (stderr, _("%s: signal masking malfunction\n"), 
Prog);
-+  kill_child (0);
-+  } else {
-+  while (0 == waitpid (pid_child, , WNOHANG)) {
-+  sigsuspend ();
-+  }
-+  pid_child = 0;
-+  (void) sigprocmask (SIG_UNBLOCK, , NULL);
-+  }
-+
-   (void) fputs (_(" ...terminated.\n"), stderr);
-   }
- 

diff --git a/sys-apps/shadow/files/shadow-4.4-load_defaults.patch 
b/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
deleted file mode 100644
index 4c0b84f6803..000
--- a/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 507f96cdeb54079fb636c7ce21e371f7a16a520e Mon Sep 17 00:00:00 2001
-From: Tomas Mraz 
-Date: Thu, 25 Aug 2016 11:20:34 +0200
-Subject: [PATCH] Fix regression in useradd not loading defaults properly.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The get_defaults() has to be called before processing the flags.
-
-Signed-off-by: Tomáš Mráz 

- src/useradd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index fefa234..6c43e7e 100644
 a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2027,6 +2027,8 @@ int main (int argc, char **argv)
-   is_shadow_grp = sgr_file_present ();
- #endif
- 
-+  get_defaults ();
-+
-   process_flags (argc, argv);
- 
- #ifdef ENABLE_SUBIDS
-@@ -2036,8 +2038,6 @@ int main (int argc, char **argv)
-   (!user_id || (user_id <= uid_max && user_id >= uid_min));
- #endif/* ENABLE_SUBIDS */
- 
--  get_defaults ();
--
- #ifdef 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2018-02-17 Thread Lars Wendler
commit: 78e50f251c0ad49437a4146dc2bdd1552a88fe04
Author: Michael Vetter  iodoru  org>
AuthorDate: Fri Feb 16 11:22:10 2018 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Sat Feb 17 12:50:11 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78e50f25

sys-apps/shadow: Fix CVE-2018-7169

Fix CVE-2018-7169 by applying upstream patch:
https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0

Bug: https://bugs.gentoo.org/647790

Package-Manager: Portage-2.3.19, Repoman-2.3.6
Closes: https://github.com/gentoo/gentoo/pull/7203

 .../shadow/files/shadow-4.5-CVE-2018-7169.patch| 180 ++
 sys-apps/shadow/shadow-4.5-r1.ebuild   | 210 +
 2 files changed, 390 insertions(+)

diff --git a/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch 
b/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch
new file mode 100644
index 000..30ad9e61406
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch
@@ -0,0 +1,180 @@
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai 
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman 
+Signed-off-by: Aleksa Sarai 
+---
+ src/newgidmap.c | 89 +++--
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
 b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool 
*allow_setgroups)
+ {
+   /* An empty range is invalid */
+   if (range->count == 0)
+   return false;
+ 
+-  /* Test /etc/subgid */
+-  if (have_sub_gids(pw->pw_name, range->lower, range->count))
++  /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++  if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++  *allow_setgroups = true;
+   return true;
++  }
+ 
+-  /* Allow a process to map its own gid */
+-  if ((range->count == 1) && (pw->pw_gid == range->lower))
++  /* Allow a process to map its own gid. */
++  if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++  /* noop -- if setgroups is enabled already we won't disable it. 
*/
+   return true;
++  }
+ 
+   return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-  struct map_range *mappings)
++  struct map_range *mappings, bool *allow_setgroups)
+ {
+   struct map_range *mapping;
+   int idx;
+ 
+   mapping = mappings;
+   for (idx = 0; idx < ranges; idx++, mapping++) {
+-  if (!verify_range(pw, mapping)) {
++  if (!verify_range(pw, mapping, allow_setgroups)) {
+   fprintf(stderr, _( "%s: gid range [%lu-%lu) -> 
[%lu-%lu) not allowed\n"),
+   Prog,
+   mapping->upper,
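Review bot: `verify_range()` only ever raises `*allow_setgroups` to true and never writes false, so the deny decision is correct only if the caller initialises the flag to false before `verify_ranges()` runs, and nothing in this hunk states that contract. Because the flag later decides whether `/proc/$pid/setgroups` is set to deny, I would document it above the function, e.g. `/* *allow_setgroups is only ever set to true here (range backed by /etc/subgid); the caller must start it at false. */`. The same pointer is passed for every element in the `verify_ranges()` loop, so a single subgid-backed range leaves setgroups allowed for the whole set of mappings; if that is the intended policy, say so in the same comment. The caller and the body of `write_setgroups()` lie outside this hunk.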
+@@ -89,6 +94,70 @@ static void usage(void)
+   exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++  int setgroups_fd;
++  char *policy, policy_buffer[4096];
++
++  /*
++   * Default is "deny", and any "allow" will out-rank a "deny". We don't
++   * forcefully write an "allow" here because the process we are writing
++   * mappings for may have already set themselves to "deny" (and "allow"
++   * is the default anyway). So allow_setgroups == true is a noop.
++   */
++  

[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/

2017-02-04 Thread David Seifert
commit: 70c8dfb8b08966fa158f5eb94e14eba120cb5ad1
Author: Michael Mair-Keimberger (asterix)  gmail 
 com>
AuthorDate: Fri Feb  3 15:16:47 2017 +
Commit: David Seifert  gentoo  org>
CommitDate: Sat Feb  4 21:20:08 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70c8dfb8

sys-apps/shadow: remove unused files

Closes: https://github.com/gentoo/gentoo/pull/3791

 sys-apps/shadow/files/login_defs_pam.sed | 24 -
 sys-apps/shadow/files/securetty  | 36 
 2 files changed, 60 deletions(-)

diff --git a/sys-apps/shadow/files/login_defs_pam.sed 
b/sys-apps/shadow/files/login_defs_pam.sed
deleted file mode 100644
index ba308ba..
--- a/sys-apps/shadow/files/login_defs_pam.sed
+++ /dev/null
@@ -1,24 +0,0 @@
-/^FAILLOG_ENAB/b comment
-/^LASTLOG_ENAB/b comment
-/^MAIL_CHECK_ENAB/b comment
-/^OBSCURE_CHECKS_ENAB/b comment
-/^PORTTIME_CHECKS_ENAB/b comment
-/^QUOTAS_ENAB/b comment
-/^MOTD_FILE/b comment
-/^FTMP_FILE/b comment
-/^NOLOGINS_FILE/b comment
-/^ENV_HZ/b comment
-/^PASS_MIN_LEN/b comment
-/^SU_WHEEL_ONLY/b comment
-/^CRACKLIB_DICTPATH/b comment
-/^PASS_CHANGE_TRIES/b comment
-/^PASS_ALWAYS_WARN/b comment
-/^CHFN_AUTH/b comment
-/^ENVIRON_FILE/b comment
-
-b exit
-
-: comment
-  s:^:#:
-
-: exit

diff --git a/sys-apps/shadow/files/securetty b/sys-apps/shadow/files/securetty
deleted file mode 100644
index 55ce54d..
--- a/sys-apps/shadow/files/securetty
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/securetty: list of terminals on which root is allowed to login.
-# See securetty(5) and login(1).
-console
-
-vc/0
-vc/1
-vc/2
-vc/3
-vc/4
-vc/5
-vc/6
-vc/7
-vc/8
-vc/9
-vc/10
-vc/11
-vc/12
-tty0
-tty1
-tty2
-tty3
-tty4
-tty5
-tty6
-tty7
-tty8
-tty9
-tty10
-tty11
-tty12
-
-tts/0
-ttyS0
-ttyS1
-ttyS2
-ttyS3



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2016-12-06 Thread Lars Wendler
commit: 6d77df88eaeaf655fe420153b0a77d931bdefa31
Author: Lars Wendler  gentoo  org>
AuthorDate: Tue Dec  6 10:35:00 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Tue Dec  6 10:35:00 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d77df88

sys-apps/shadow: Fixed loading of defaults (bug #601802).

Package-Manager: portage-2.3.3

 .../shadow/files/shadow-4.4-load_defaults.patch| 37 ++
 .../{shadow-4.4.ebuild => shadow-4.4-r1.ebuild}|  2 ++
 2 files changed, 39 insertions(+)

diff --git a/sys-apps/shadow/files/shadow-4.4-load_defaults.patch 
b/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
new file mode 100644
index ..4c0b84f
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
@@ -0,0 +1,37 @@
+From 507f96cdeb54079fb636c7ce21e371f7a16a520e Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Thu, 25 Aug 2016 11:20:34 +0200
+Subject: [PATCH] Fix regression in useradd not loading defaults properly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The get_defaults() has to be called before processing the flags.
+
+Signed-off-by: Tomáš Mráz 
+---
+ src/useradd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index fefa234..6c43e7e 100644
+--- a/src/useradd.c
 b/src/useradd.c
+@@ -2027,6 +2027,8 @@ int main (int argc, char **argv)
+   is_shadow_grp = sgr_file_present ();
+ #endif
+ 
++  get_defaults ();
++
+   process_flags (argc, argv);
+ 
+ #ifdef ENABLE_SUBIDS
+@@ -2036,8 +2038,6 @@ int main (int argc, char **argv)
+   (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif/* ENABLE_SUBIDS */
+ 
+-  get_defaults ();
+-
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+   {
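Review bot: The ordering requirement this patch restores is not recorded at the call site in `src/useradd.c`, so a later reshuffle of `main()` could reintroduce the same regression. The added `get_defaults ();` line deserves a comment such as `/* must run before process_flags(): the flags are applied on top of the defaults loaded here */`. That wording is inferred from the patch description ("has to be called before processing the flags"); the bodies of `get_defaults()` and `process_flags()` are not in the hunk, so the exact dependency should be confirmed against them. `main()` starts and ends outside the hunk.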

diff --git a/sys-apps/shadow/shadow-4.4.ebuild 
b/sys-apps/shadow/shadow-4.4-r1.ebuild
similarity index 99%
rename from sys-apps/shadow/shadow-4.4.ebuild
rename to sys-apps/shadow/shadow-4.4-r1.ebuild
index 900c60b..4c302d8 100644
--- a/sys-apps/shadow/shadow-4.4.ebuild
+++ b/sys-apps/shadow/shadow-4.4-r1.ebuild
@@ -1,5 +1,6 @@
 # Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
+# $Id$
 
 EAPI="5"
 
@@ -38,6 +39,7 @@ PATCHES=(
"${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch
"${FILESDIR}"/${P}-su-snprintf.patch
"${FILESDIR}"/${P}-prototypes.patch
+   "${FILESDIR}"/${P}-load_defaults.patch
 )
 
 src_prepare() {



[gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/, sys-apps/shadow/

2016-12-05 Thread Mike Frysinger
commit: 46e0b1d2b5a8babfa822438be2bc77daafc22057
Author: Mike Frysinger  gentoo  org>
AuthorDate: Mon Dec  5 22:18:52 2016 +
Commit: Mike Frysinger  gentoo  org>
CommitDate: Mon Dec  5 22:20:19 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e0b1d2

sys-apps/shadow: version bump to 4.4 #580432

 sys-apps/shadow/Manifest   |   1 +
 sys-apps/shadow/files/shadow-4.4-prototypes.patch  |  42 
 sys-apps/shadow/files/shadow-4.4-su-snprintf.patch |  29 +++
 sys-apps/shadow/shadow-4.4.ebuild  | 213 +
 4 files changed, 285 insertions(+)

diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 79bdd08..81eedeb 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1,2 +1,3 @@
 DIST shadow-4.1.5.1.tar.bz2 2193325 SHA256 
aa32333748d68b58ed3a83625f0165e0f6b9dc4639e6377c9300c6bf4fe978fb SHA512 
c3bc605de1ca5b774b80d0d92cef5d4c0d5b4a206acadcf5a819f195453093bfe7990d7e32b98799180847ae4fadecfc7876c8ee7297f343acce2230d805d02c
 WHIRLPOOL 
08751597b5b57057f0a3141be97204df49fada25adf0a9f43106a4099ce1b06fec6e90592e43ff1d789bf0a7e16a40b45f29830879ea5c71e9f5a1a81e7a7357
 DIST shadow-4.2.1.tar.xz 1594536 SHA256 
3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 SHA512 
7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0
 WHIRLPOOL 
032857f5fae8486cc3dd11303bfa7da55019000ce8ad7bac2f398f9f9764c8659e20a1547d05c5e4f366db749a52afb3083017faf14f6a72ee48345dcd1f86aa
+DIST shadow-4.4.tar.gz 3706812 SHA256 
2398fe436e548786c17ec387b4c41f5339f72ec9ee2f3f7a6e0cc2cb240bb482 SHA512 
c1e0f65a4fbd0f9d8de38e488b4a374cac5c476180e233269fc666988d9201c0dcc694605c5e54d54f81039c2e30c95b14c12f10adef749a45cc31f0b4b5d5a6
 WHIRLPOOL 
a22fc0f90ec0623cbbcef253378a16ad605cf71345074880e3fd12fb5914058d3e721f378730c9684497cc597595b7defc7e710206268ae320a090c8c35fd41e

diff --git a/sys-apps/shadow/files/shadow-4.4-prototypes.patch 
b/sys-apps/shadow/files/shadow-4.4-prototypes.patch
new file mode 100644
index ..5209a29
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-prototypes.patch
@@ -0,0 +1,42 @@
+https://github.com/shadow-maint/shadow/pull/53
+
+From 32c0b283ef5d68b63e4ec05fb22ed0db938fea67 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger 
+Date: Mon, 5 Dec 2016 17:15:29 -0500
+Subject: [PATCH] include getdef.h for getdef_bool prototype
+
+Otherwise we get build warnings like:
+sgroupio.c:255:6: warning: implicit declaration of function 'getdef_bool' 
[-Wimplicit-function-declaration]
+shadowio.c:131:6: warning: implicit declaration of function 'getdef_bool' 
[-Wimplicit-function-declaration]
+---
+ lib/sgroupio.c | 1 +
+ lib/shadowio.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/lib/sgroupio.c b/lib/sgroupio.c
+index f2685779a12b..5423626a01da 100644
+--- a/lib/sgroupio.c
 b/lib/sgroupio.c
+@@ -40,6 +40,7 @@
+ #include "prototypes.h"
+ #include "defines.h"
+ #include "commonio.h"
++#include "getdef.h"
+ #include "sgroupio.h"
+ 
+ /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent)
+diff --git a/lib/shadowio.c b/lib/shadowio.c
+index 6e44ab24d69c..5fa3d312bbf9 100644
+--- a/lib/shadowio.c
 b/lib/shadowio.c
+@@ -40,6 +40,7 @@
+ #include 
+ #include 
+ #include "commonio.h"
++#include "getdef.h"
+ #include "shadowio.h"
+ #ifdef WITH_TCB
+ #include 
+-- 
+2.11.0.rc2
+

diff --git a/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch 
b/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch
new file mode 100644
index ..45667c8
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch
@@ -0,0 +1,29 @@
+fix from upstream
+
+From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Sun, 18 Sep 2016 21:31:18 -0500
+Subject: [PATCH] su.c: fix missing length argument to snprintf
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 0c50a9456afd..93ffd2fbe2b4 100644
+--- a/src/su.c
 b/src/su.c
+@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
+ stderr);
+   (void) kill (-pid_child, caught);
+ 
+-  snprintf (kill_msg, _(" ...killed.\n"));
+-  snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
++  snprintf (kill_msg, 256, _(" ...killed.\n"));
++  snprintf (wait_msg, 256, _(" ...waiting for child to 
terminate.\n"));
+ 
+   (void) signal (SIGALRM, kill_child);
+   (void) alarm (2);
+-- 
+2.11.0.rc2
+
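Review bot: The two added `snprintf` calls in `prepare_pam_close_session` still pass the translated string as the format argument and bound the write with a literal `256` rather than the destination's own size. A catalog entry containing a `%` conversion would then be read as a format directive with no matching argument, and the literal goes stale silently if the buffers are ever resized. Assuming `kill_msg` and `wait_msg` are arrays (their declarations are outside the hunk), `snprintf (kill_msg, sizeof kill_msg, "%s", _(" ...killed.\n"));` and the same form for `wait_msg` avoid both problems. The function body starts and ends outside the hunk.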

diff --git a/sys-apps/shadow/shadow-4.4.ebuild 
b/sys-apps/shadow/shadow-4.4.ebuild
new file mode 100644
index ..900c60b
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.4.ebuild
@@ -0,0 +1,213 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public