1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch b/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch
new file mode 100644
index 0000000000..7cd45afebb
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch
@@ -0,0 +1,63 @@
+This patch is from Slackware, I tried to find the actual
+author to add that attribution.  The comment below is the
+best summary, I will not repeat it here.
+Upstream-Status: Backport from slackware
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+Index: shadow-4.1.4.3/lib/encrypt.c
+===================================================================
+--- shadow-4.1.4.3.orig/lib/encrypt.c
+++ shadow-4.1.4.3/lib/encrypt.c
+@@ -45,15 +45,40 @@ char *pw_encrypt (const char *clear, con
+        static char cipher[128];
+        char *cp;
+ 
+-       cp = crypt (clear, salt);
+-       if (!cp) {
+-               /*
+-                * Single Unix Spec: crypt() may return a null pointer,
+-                * and set errno to indicate an error.  The caller doesn't
+-                * expect us to return NULL, so...
+-                */
+-               perror ("crypt");
+-               exit (EXIT_FAILURE);
+       cp = crypt (clear, salt);
+       if (!cp) {
+               /*
+                * In glibc-2.17 and newer, crypt() will return NULL if
+                * it was called using an invalid salt format.  Previous
+                * versions of glibc would go ahead and compute a DES hash
+                * using the invalid salt.  The salt value in this case was
+                * always '!'.  We might arrive at this place if either the
+                * user does not exist, or if the hash in /etc/shadow doesn't
+                * have the proper magic for one of the supported hash
+                * formats (for example, if the account was locked using
+                * "passwd -l".  To handle this situation, we will recompute
+                * the hash using a hardcoded salt as was previously done
+                * by glibc.  The hash returned by the old glibc function
+                * always began with "!!", which would ensure that it could
+                * never match an otherwise valid hash in /etc/shadow that
+                * was disabled with a "!" at the beginning (since the second
+                * character would never be "!" as well), so we will also
+                * prepend the resulting hash with "!!".  Finally, in case
+                * crypt() failed for some other reason we will check to see
+                * if we still get NULL from crypt even with the valid salt
+                * and will fail if that's the case.
+                */
+
+               /* Recalculate hash using a hardcoded, valid SHA512 salt: */
+               cp = crypt (clear, "$6$8IIcy/1EPOk/");
+
+               if (!cp) {
+                       perror ("crypt");
+                       exit (EXIT_FAILURE);
+               } else {
+                       sprintf (cipher, "!!%s", cp);
+                       return cipher;
+               }
+        }
+ 
+        /* The GNU crypt does not return NULL if the algorithm is not

diff --git a/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch b/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch new file mode 100644 index 0000000000..7cd45afebb --- /dev/null +++ b/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch
@@ -0,0 +1,63 @@
	1
	2	This patch is from Slackware, I tried to find the actual
	3	author to add that attribution. The comment below is the
	4	best summary, I will not repeat it here.
	5
	6	Upstream-Status: Backport from slackware
	7
	8	Signed-off-by: Saul Wold <sgw@linux.intel.com>
	9
	10	Index: shadow-4.1.4.3/lib/encrypt.c
	11	===================================================================
	12	--- shadow-4.1.4.3.orig/lib/encrypt.c
	13	+++ shadow-4.1.4.3/lib/encrypt.c
	14	@@ -45,15 +45,40 @@ char pw_encrypt (const char clear, con
	15	static char cipher[128];
	16	char *cp;
	17
	18	- cp = crypt (clear, salt);
	19	- if (!cp) {
	20	- /*
	21	- * Single Unix Spec: crypt() may return a null pointer,
	22	- * and set errno to indicate an error. The caller doesn't
	23	- * expect us to return NULL, so...
	24	- */
	25	- perror ("crypt");
	26	- exit (EXIT_FAILURE);
	27	+ cp = crypt (clear, salt);
	28	+ if (!cp) {
	29	+ /*
	30	+ * In glibc-2.17 and newer, crypt() will return NULL if
	31	+ * it was called using an invalid salt format. Previous
	32	+ * versions of glibc would go ahead and compute a DES hash
	33	+ * using the invalid salt. The salt value in this case was
	34	+ * always '!'. We might arrive at this place if either the
	35	+ * user does not exist, or if the hash in /etc/shadow doesn't
	36	+ * have the proper magic for one of the supported hash
	37	+ * formats (for example, if the account was locked using
	38	+ * "passwd -l". To handle this situation, we will recompute
	39	+ * the hash using a hardcoded salt as was previously done
	40	+ * by glibc. The hash returned by the old glibc function
	41	+ * always began with "!!", which would ensure that it could
	42	+ * never match an otherwise valid hash in /etc/shadow that
	43	+ * was disabled with a "!" at the beginning (since the second
	44	+ * character would never be "!" as well), so we will also
	45	+ * prepend the resulting hash with "!!". Finally, in case
	46	+ * crypt() failed for some other reason we will check to see
	47	+ * if we still get NULL from crypt even with the valid salt
	48	+ * and will fail if that's the case.
	49	+ */
	50	+
	51	+ /* Recalculate hash using a hardcoded, valid SHA512 salt: */
	52	+ cp = crypt (clear, "$6$8IIcy/1EPOk/");
	53	+
	54	+ if (!cp) {
	55	+ perror ("crypt");
	56	+ exit (EXIT_FAILURE);
	57	+ } else {
	58	+ sprintf (cipher, "!!%s", cp);
	59	+ return cipher;
	60	+ }
	61	}
	62
	63	/* The GNU crypt does not return NULL if the algorithm is not