new file mode 100644

@@ -0,0 +1,135 @@

+--- a/src/newgidmap.c	2018-07-31 05:56:46.642785135 +0530

+@@ -46,32 +46,36 @@

+  */

+ const char *Prog;

+ 

+-static bool verify_range(struct passwd *pw, struct map_range *range)

++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)

+ {

+ 	/* An empty range is invalid */

+ 	if (range->count == 0)

+ 		return false;

+ 

+-	/* Test /etc/subgid */

+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))

++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */

++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {

++		*allow_setgroups = true;

+ 		return true;

++	}

+ 

+ 	/* Allow a process to map it's own gid */

+-	if ((range->count == 1) && (pw->pw_gid == range->lower))

++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {

++		/* noop -- if setgroups is enabled already we won't disable it. */

+ 		return true;

++	}

+ 

+ 	return false;

+ }

+ 

+ static void verify_ranges(struct passwd *pw, int ranges,

+-	struct map_range *mappings)

++	struct map_range *mappings, bool *allow_setgroups)

+ {

+ 	struct map_range *mapping;

+ 	int idx;

+ 

+ 	mapping = mappings;

+ 	for (idx = 0; idx < ranges; idx++, mapping++) {

+-		if (!verify_range(pw, mapping)) {

++		if (!verify_range(pw, mapping, allow_setgroups)) {

+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),

+ 				Prog,

+ 				mapping->upper,

+@@ -83,6 +87,70 @@ static void verify_ranges(struct passwd

+ 	}

+ }

+ 

++void write_setgroups(int proc_dir_fd, bool allow_setgroups)

++{

++	int setgroups_fd;

++	char *policy, policy_buffer[4096];

++

++	/*

++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't

++	 * forcefully write an "allow" here because the process we are writing

++	 * mappings for may have already set themselves to "deny" (and "allow"

++	 * is the default anyway). So allow_setgroups == true is a noop.

++	 */

++	policy = "deny\n";

++	if (allow_setgroups)

++		return;

++

++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);

++	if (setgroups_fd < 0) {

++		/*

++		 * If it's an ENOENT then we are on too old a kernel for the setgroups

++		 * code to exist. Emit a warning and bail on this.

++		 */

++		if (ENOENT == errno) {

++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);

++			goto out;

++		}

++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),

++			Prog,

++			strerror(errno));

++		exit(EXIT_FAILURE);

++	}

++

++	/*

++	 * Check whether the policy is already what we want. /proc/self/setgroups

++	 * is write-once, so attempting to write after it's already written to will

++	 * fail.

++	 */

++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {

++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),

++			Prog,

++			strerror(errno));

++		exit(EXIT_FAILURE);

++	}

++	if (!strncmp(policy_buffer, policy, strlen(policy)))

++		goto out;

++

++	/* Write the policy. */

++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {

++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),

++			Prog,

++			strerror(errno));

++		exit(EXIT_FAILURE);

++	}

++	if (dprintf(setgroups_fd, "%s", policy) < 0) {

++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),

++			Prog,

++			policy,

++			strerror(errno));

++		exit(EXIT_FAILURE);

++	}

++

++out:

++	close(setgroups_fd);

++}

++

+ static void usage(void)

+ {

+ 	fprintf(stderr, _("usage: %s <pid> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog);

+@@ -103,6 +171,7 @@ int main(int argc, char **argv)

+ 	struct stat st;

+ 	struct passwd *pw;

+ 	int written;

++	bool allow_setgroups = false;

+ 

+ 	Prog = Basename (argv[0]);

+ 

+@@ -174,8 +243,9 @@ int main(int argc, char **argv)

+ 	if (!mappings)

+ 		usage();

+ 

+-	verify_ranges(pw, ranges, mappings);

++	verify_ranges(pw, ranges, mappings, &allow_setgroups);

+ 

++	write_setgroups(proc_dir_fd, allow_setgroups);

+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");

+ 	sub_gid_close();

+ 

@@ -1,7 +1,7 @@

 Summary:        Programs for handling passwords in a secure way

 Name:           shadow

 Version:        4.2.1

-Release:        15%{?dist}

+Release:        16%{?dist}

 URL:            http://pkg-shadow.alioth.debian.org/

 License:        BSD

 Group:          Applications/System

@@ -23,6 +23,7 @@ Source11:       system-session

 Patch0:         chkname-allowcase.patch

 Patch1:         shadow-4.2.1-CVE-2016-6252-fix.patch

 Patch2:         shadow-4.2.1-CVE-2017-12424.patch

+Patch3:         shadow-4.2.1-CVE-2018-7169.patch

 BuildRequires:  cracklib

 BuildRequires:  cracklib-devel

 Requires:       cracklib

@@ -53,6 +54,7 @@ These are the additional language files of shadow.

 %patch0 -p1

 %patch1 -p1

 %patch2 -p1

+%patch3 -p1

 sed -i 's/groups$(EXEEXT) //' src/Makefile.in

 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;

 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \

@@ -169,6 +171,8 @@ make %{?_smp_mflags} check

 %defattr(-,root,root)

 %changelog

+*   Mon Jul 30 2018 Tapas Kundu <tkundu@vmware.com> 4.2.1-16

+-   Added fix for CVE-2018-7169

 *   Fri Apr 20 2018 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-15

 -   Move pam.d config file to here for better tracking.

 -   Add pam_loginuid module as optional in a session.