[Pkg-shadow-devel] Bug#1123372: bookworm-pu: package shadow/4.13+dfsg1-1+deb12u2

Chris Hofstädtler zeha at debian.org
Tue Dec 16 19:52:18 GMT 2025


Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: shadow at packages.debian.org
Control: affects -1 + src:shadow
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
shadow upstream received a (renewed) bug report that groupmod -U ... 
can segfault. Upstream asked that we backport the fix for this.

[ Impact ]
groupmod -U continues to segfault.

[ Tests ]
I've manually tested the fix.

[ Risks ]
The upstream fix landed a long time ago, and the diff is quite 
readable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Includes upstream patch. No other changes.

[ Other info ]
Nothing I'm aware of.

-------------- next part --------------
diff -Nru shadow-4.13+dfsg1/debian/changelog shadow-4.13+dfsg1/debian/changelog
--- shadow-4.13+dfsg1/debian/changelog	2025-04-07 12:38:46.000000000 +0200
+++ shadow-4.13+dfsg1/debian/changelog	2025-12-14 15:00:01.000000000 +0100
@@ -1,3 +1,9 @@
+shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
+
+  * Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
+
+ -- Chris Hofstaedtler <zeha at debian.org>  Sun, 14 Dec 2025 15:00:01 +0100
+
 shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
 
   [ Balint Reczey ]
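Review bot: The new changelog entry describes the crash as groupmod -U "", but the upstream commit message carried in this debdiff reproduces it with a non-empty list (groupmod -U u1,u2 g1, and the same with -n g2) and attributes it to a double free whenever -U is used without -a. Suggest rewording the entry along the lines of "fix double free in groupmod -U without -a" and naming upstream commit 10429edc1467, so the stable changelog reflects the full scope of the fix.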
diff -Nru shadow-4.13+dfsg1/debian/patches/series shadow-4.13+dfsg1/debian/patches/series
--- shadow-4.13+dfsg1/debian/patches/series	2025-04-07 12:38:46.000000000 +0200
+++ shadow-4.13+dfsg1/debian/patches/series	2025-12-14 14:59:23.000000000 +0100
@@ -1,3 +1,6 @@
+# Debian #1122913
+upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
+
 # CVE-2023-4641
 0001-gpasswd-1-Fix-password-leak.patch
 
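Review bot: The new entry is inserted at the top of debian/patches/series, ahead of the existing CVE-2023-4641 patch, so it is applied first rather than on top of what deb12u1 already ships. Appending it after the existing entries would keep the apply order in line with the upload history and avoid shifting context for any later patch that touches src/groupmod.c. The comment and the file name carry only a bug number and a commit hash; a short description such as "groupmod -U double free" in the comment would make the series readable without opening the patch.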
diff -Nru shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
--- shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch	1970-01-01 01:00:00.000000000 +0100
+++ shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch	2025-12-14 15:00:01.000000000 +0100
@@ -0,0 +1,54 @@
+From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
+From: lixinyun <li.xinyun at h3c.com>
+Date: Wed, 29 May 2024 06:53:02 +0800
+Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
+ free
+
+Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
+Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
+
+[root at localhost src]# ./useradd u1
+[root at localhost src]# ./useradd u2
+[root at localhost src]# ./useradd u3
+[root at localhost src]# ./groupadd -U u1,u2,u3 g1
+[root at localhost src]# ./groupmod -n g2 -U u1,u2 g1
+Segmentation fault
+
+This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
+
+[root at localhost src]# ./useradd u1
+[root at localhost src]# ./useradd u2
+[root at localhost src]# ./useradd u3
+[root at localhost src]# ./groupadd -U u1,u2,u3 g1
+[root at localhost src]# ./groupmod -U u1,u2 g1
+Segmentation fault
+
+The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
+
+So the first free is unnecessary, maybe we can drop it.
+
+Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
+Closes: <https://github.com/shadow-maint/shadow/issues/1013>
+Link: <https://github.com/shadow-maint/shadow/pull/1007>
+Link: <https://github.com/shadow-maint/shadow/pull/271>
+Link: <https://github.com/shadow-maint/shadow/issues/265>
+Cc: "Serge E. Hallyn" <serge at hallyn.com>
+Reviewed-by: Alejandro Colomar <alx at kernel.org>
+Signed-off-by: lixinyun <li.xinyun at h3c.com>
+---
+ src/groupmod.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git i/src/groupmod.c w/src/groupmod.c
+index 006eca1c..7eae4c6f 100644
+--- i/src/groupmod.c
++++ w/src/groupmod.c
+@@ -244,8 +244,6 @@ static void grp_update (void)
+ 
+ 		if (!aflg) {
+ 			// requested to replace the existing groups
+-			if (NULL != grp.gr_mem[0])
+-				gr_free_members(&grp);
+ 			grp.gr_mem = (char **)xmalloc(sizeof(char *));
+ 			grp.gr_mem[0] = (char *)0;
+ 		} else {
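Review bot: In the !aflg branch of grp_update(), the lines left after the removed call still overwrite grp.gr_mem with a fresh xmalloc() while the old array stays reachable only through ogrp, and nothing in the code says who owns it. Since the commit message explains that gr_update() or gr_remove() later frees (*ogrp).gr_mem, a one-line comment at this spot stating that the old member list belongs to ogrp and must not be freed here would help keep the double free from being reintroduced. The patch file itself also does not reference the Debian bug; DEP-3 fields (Origin: for the upstream commit, Bug-Debian: for #1122913) in its header would make it self-describing.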

