!172 [openEuler-20.03-LTS-SP4] Backport patches from upstream

From: @yixiangzhike 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-CVE-2013-4235.patch

@@ -0,0 +1,34 @@
+From b4472167c2f5057d56686d3349a9b55fc508efe6 Mon Sep 17 00:00:00 2001
+From: ed neville <ed@s5h.net>
+Date: Fri, 31 Dec 2021 22:40:13 +0000
+Subject: [PATCH] Adding nofollow to opens
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/b4472167c2f5057d56686d3349a9b55fc508efe6
+
+---
+ libmisc/copydir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmisc/copydir.c b/libmisc/copydir.c
+index f2130bcac..a296d925d 100644
+--- a/libmisc/copydir.c
++++ b/libmisc/copydir.c
+@@ -741,7 +741,7 @@ static int copy_file (const char *src, const char *dst,
+ 	char buf[1024];
+ 	ssize_t cnt;
+ 
+-	ifd = open (src, O_RDONLY);
++	ifd = open (src, O_RDONLY|O_NOFOLLOW);
+ 	if (ifd < 0) {
+ 		return -1;
+ 	}
+@@ -751,7 +751,7 @@ static int copy_file (const char *src, const char *dst,
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+-	ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC, statp->st_mode & 07777);
++	ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777);
+ 	if (   (ofd < 0)
+ 	    || (fchown_if_needed (ofd, statp,
+ 	                          old_uid, new_uid, old_gid, new_gid) != 0)

backport-Read-whole-line-in-yes_or_no.patch

@@ -0,0 +1,67 @@
+From 0c83b981053b65c9bab4f1c2e60d004e920f8faf Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Fri, 27 Jan 2023 11:53:57 +0000
+Subject: [PATCH] Read whole line in yes_or_no
+
+Do not stop after 79 characters. Read the complete line to avoid
+arbitrary limitations.
+
+Proof of Concept:
+
+```
+cat > passwd-poc << EOF
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+EOF
+python -c "print(80*'y')" | pwck passwd-poc
+```
+
+Two lines should still be within the file because we agreed only once
+to remove a duplicated line.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Serge Hallyn <serge@hallyn.com>
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/0c83b981053b65c9bab4f1c2e60d004e920f8faf
+---
+ libmisc/yesno.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libmisc/yesno.c b/libmisc/yesno.c
+index 1a1a3714..d8847e40 100644
+--- a/libmisc/yesno.c
++++ b/libmisc/yesno.c
+@@ -28,7 +28,8 @@
+  */
+ bool yes_or_no (bool read_only)
+ {
+-	char buf[80];
++	int c;
++	bool result;
+ 
+ 	/*
+ 	 * In read-only mode all questions are answered "no".
+@@ -46,11 +47,13 @@ bool yes_or_no (bool read_only)
+ 	/*
+ 	 * Get a line and see what the first character is.
+ 	 */
++	c = fgetc(stdin);
+ 	/* TODO: use gettext */
+-	if (fgets (buf, (int) sizeof buf, stdin) == buf) {
+-		return buf[0] == 'y' || buf[0] == 'Y';
+-	}
++	result = (c == 'y' || c == 'Y');
++
++	while (c != '\n' && c != EOF)
++		c = fgetc(stdin);
+ 
+-	return false;
++	return result;
+ }
+ 
+-- 
+2.27.0
+

backport-commonio-free-removed-database-entries.patch

@@ -0,0 +1,39 @@
+From a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 1 Apr 2023 13:36:51 +0200
+Subject: [PATCH] commonio: free removed database entries
+
+Free the actual struct of the removed entry.
+
+Example userdel report:
+
+    Direct leak of 40 byte(s) in 1 object(s) allocated from:
+        #0 0x55b230efe857 in reallocarray (./src/userdel+0xda857)
+        #1 0x55b230f6041f in mallocarray ./lib/./alloc.h:97:9
+        #2 0x55b230f6041f in commonio_open ./lib/commonio.c:563:7
+        #3 0x55b230f39098 in open_files ./src/userdel.c:555:6
+        #4 0x55b230f39098 in main ./src/userdel.c:1189:2
+        #5 0x7f9b48c64189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332
+---
+ lib/commonio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 40e62298..a0449c83 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -1060,6 +1060,8 @@ int commonio_remove (struct commonio_db *db, const char *name)
+ 		db->ops->free (p->eptr);
+ 	}
+ 
++	free(p);
++
+ 	return 1;
+ }
+ 
+-- 
+2.27.0
+

backport-gpasswd-1-Fix-password-leak.patch

@@ -0,0 +1,142 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 609fe0a4..3b76ff8e 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr)
+		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
+-- 
+2.27.0
+

backport-lib-encrypt.c-Do-not-exit-in-error-case.patch

@@ -0,0 +1,38 @@
+From 6cbce81df97a16363c46cbd1e8202c3b4f0a2205 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 19 Jan 2025 21:23:54 +0100
+Subject: [PATCH] lib/encrypt.c: Do not exit in error case
+
+If crypt fails, pw_encrypt calls exit. This has the consequence that the
+plaintext password is not cleared.
+
+A valid password can fail if the underlying library does not support it.
+One such example is SHA512, for which the password must not be longer
+than 256 characters on musl. A password longer than this with glibc
+works, so it is actually possible that a user, running passwd, tries to
+enter the old password but the musl-based passwd binary simply exits.
+Let passwd clear the password before exiting.
+
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ lib/encrypt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/encrypt.c b/lib/encrypt.c
+index c84a2552..9c1cb406 100644
+--- a/lib/encrypt.c
++++ b/lib/encrypt.c
+@@ -65,7 +65,8 @@
+ 		(void) fprintf (stderr,
+ 		                _("crypt method not supported by libcrypt? (%s)\n"),
+ 		                method);
+-		exit (EXIT_FAILURE);
++		errno = EINVAL;
++		return NULL;
+ 	}
+ 
+ 	if (strlen (cp) != 13) {
+-- 
+2.33.0
+

backport-semanage-disconnect-to-free-libsemanage-internals.patch

@@ -0,0 +1,76 @@
+From 7078ed1e0b8a197aa9e5103986bce927abef87a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 1 Apr 2023 14:11:06 +0200
+Subject: [PATCH] semanage: disconnect to free libsemanage internals
+
+Destroying the handle does not actually disconnect, see [1].
+Also free the key on user removal.
+
+[1]: https://github.com/SELinuxProject/selinux/blob/e9072e7d45f4559887d11b518099135cbe564163/libsemanage/src/direct_api.c#L330
+
+Example adduser leak:
+
+    Direct leak of 1008 byte(s) in 14 object(s) allocated from:
+        #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+        #1 0x7fb5cfffad09 in dbase_file_init src/database_file.c:170:45
+
+    Direct leak of 392 byte(s) in 7 object(s) allocated from:
+        #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+        #1 0x7fb5cfffc929 in dbase_policydb_init src/database_policydb.c:187:27
+
+    Direct leak of 144 byte(s) in 2 object(s) allocated from:
+        #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+        #1 0x7fb5cfffb519 in dbase_join_init src/database_join.c:249:28
+
+    [...]
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/7078ed1e0b8a197aa9e5103986bce927abef87a4
+---
+ lib/semanage.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 5d336b08..d412186c 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -97,6 +97,8 @@ static semanage_handle_t *semanage_init (void)
+ 	return handle;
+ 
+ fail:
++	if (handle)
++		semanage_disconnect (handle);
+ 	semanage_handle_destroy (handle);
+ 	return NULL;
+ }
+@@ -156,7 +158,7 @@ done:
+ 
+ 
+ static int semanage_user_add (semanage_handle_t *handle,
+-                             semanage_seuser_key_t *key,
++                             const semanage_seuser_key_t *key,
+                              const char *login_name,
+                              const char *seuser_name)
+ {
+@@ -279,6 +281,8 @@ int set_seuser (const char *login_name, const char *seuser_name)
+ 
+ done:
+ 	semanage_seuser_key_free (key);
++	if (handle)
++		semanage_disconnect (handle);
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+ }
+@@ -353,6 +357,9 @@ int del_seuser (const char *login_name)
+ 	matchpathcon_fini();
+
+ done:
++	semanage_seuser_key_free (key);
++	if (handle)
++		semanage_disconnect (handle);
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+ }
+-- 
+2.27.0
+

backport-src-gpasswd-Clear-password-in-more-cases.patch

@@ -0,0 +1,35 @@
+From 6b4bbbeecd676c9423f82658bb3a8f6990218e8d Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 19 Jan 2025 21:27:50 +0100
+Subject: [PATCH] src/gpasswd: Clear password in more cases
+
+If encryption of password fails, clear the memory before exiting.
+
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/gpasswd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 560b0ea7..e9e111a9 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -864,13 +864,13 @@ static void change_passwd (struct group *gr)
+ 
+ 	salt = crypt_make_salt (NULL, NULL);
+ 	cp = pw_encrypt (pass, salt);
++	memzero (pass, sizeof pass);
+ 	if (NULL == cp) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to crypt password with salt '%s': %s\n"),
+ 		         Prog, salt, strerror (errno));
+ 		exit (1);
+ 	}
+-	memzero (pass, sizeof pass);
+ #ifdef SHADOWGRP
+ 	if (is_shadowgrp) {
+ 		gr->gr_passwd = SHADOW_PASSWD_STRING;
+-- 
+2.33.0
+

backport-src-passwd-add-overflow-check.patch

@@ -0,0 +1,32 @@
+From 2d188a9987789f019dae2d46c50578a474ab2bdd Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 20 Dec 2023 20:48:54 +0100
+Subject: [PATCH] src/passwd.c: Add overflow check
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Link: <https://github.com/shadow-maint/shadow/pull/876>
+Co-developed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+
+Reference: https://github.com/shadow-maint/shadow/commit/2d188a9987789f019dae2d46c50578a474ab2bdd
+Conflict: NA
+---
+ src/passwd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/passwd.c b/src/passwd.c
+index a24e62dfd..f494a9257 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -387,8 +387,9 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ 		long now, ok;
+ 		now = time(NULL) / DAY;
+ 		ok = sp->sp_lstchg;
+-		if (sp->sp_min > 0) {
+-			ok += sp->sp_min;
++		if (   (sp->sp_min > 0)
++		    && __builtin_add_overflow(ok, sp->sp_min, &ok)) {
++			ok = LONG_MAX;
+ 		}
+ 
+ 		if (now < ok) {

backport-src-passwd.c-Switch-to-day-precision.patch

@@ -0,0 +1,61 @@
+From 3b5ba41d3e9dfc3bf058f0f31529c08201265241 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 14 Dec 2023 11:54:00 +0100
+Subject: [PATCH] src/passwd.c: Switch to day precision
+
+The size of time_t varies across systems, but since data type long is
+more than enough to calculate with days (precision of shadow file),
+use it instead.
+
+Just in case a shadow file contains huge values, check for a possible
+signed integer overflow.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Link: <https://github.com/shadow-maint/shadow/pull/876>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+
+Reference: https://github.com/shadow-maint/shadow/commit/3b5ba41d3e9dfc3bf058f0f31529c08201265241
+Conflict: src/chpasswd.c
+---
+ src/passwd.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/passwd.c b/src/passwd.c
+index 336bbc9..d79767a 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -390,7 +390,6 @@ static int new_password (const struct passwd *pw)
+  */
+ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ {
+-	time_t now;
+ 	int exp_status;
+ 
+ 	exp_status = isexpired (pw, sp);
+@@ -410,8 +409,6 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ 		return;
+ 	}
+ 
+-	(void) time (&now);
+-
+ 	/*
+ 	 * Expired accounts cannot be changed ever. Passwords which are
+ 	 * locked may not be changed. Passwords where min > max may not be
+@@ -434,10 +431,11 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ 	 * Passwords may only be changed after sp_min time is up.
+ 	 */
+ 	if (sp->sp_lstchg > 0) {
+-		time_t ok;
+-		ok = (time_t) sp->sp_lstchg * SCALE;
++		long now, ok;
++		now = time(NULL) / DAY;
++		ok = sp->sp_lstchg;
+ 		if (sp->sp_min > 0) {
+-			ok += (time_t) sp->sp_min * SCALE;
++			ok += sp->sp_min;
+ 		}
+ 
+ 		if (now < ok) {
+-- 
+2.33.0
+

backport-src-useradd.c-get_groups-Fix-memory-leak.patch

@@ -0,0 +1,32 @@
+From feead2f639506d49cef9dde385eb56cd3413ecf0 Mon Sep 17 00:00:00 2001
+From: sgakerru <sulmpx60@yandex.ru>
+Date: Sat, 19 Oct 2024 13:26:44 +0400
+Subject: [PATCH] src/useradd.c: get_groups(): Fix memory leak
+
+---
+ src/useradd.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 64e7a412..bd3b0624 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -760,6 +760,15 @@ static int get_groups (char *list)
+ 	int errors = 0;
+ 	int ngroups = 0;
+ 
++	/*
++	 * Free previous group list before creating a new one.
++	 */
++	int i = 0;
++	while (NULL != user_groups[i]) {
++		free(user_groups[i]);
++		user_groups[i++] = NULL;
++	}
++
+ 	if ('\0' == *list) {
+ 		return 0;
+ 	}
+-- 
+2.33.0
+

shadow.spec

@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.8.1
-Release: 6
+Release: 11
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -26,6 +26,16 @@ Patch9:  shadow-add-sm3-crypt-support.patch
 Patch10: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
 Patch11: backport-Added-control-character-check.patch 
 Patch12: backport-Overhaul-valid_field.patch
+Patch13: backport-Read-whole-line-in-yes_or_no.patch
+Patch14: backport-commonio-free-removed-database-entries.patch
+Patch15: backport-semanage-disconnect-to-free-libsemanage-internals.patch
+Patch16: backport-gpasswd-1-Fix-password-leak.patch
+Patch17: backport-CVE-2013-4235.patch
+Patch18: backport-src-passwd.c-Switch-to-day-precision.patch
+Patch19: backport-src-passwd-add-overflow-check.patch
+Patch20: backport-src-useradd.c-get_groups-Fix-memory-leak.patch
+Patch21: backport-src-gpasswd-Clear-password-in-more-cases.patch
+Patch22: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel gdb
@@ -172,8 +182,23 @@ done
 %{_mandir}/*/*
 
 %changelog
+* Tue Mar 11 2025 yixiangzhike <yixiangzhike007@163.com> - 2:4.8.1-11
+- backport patches from upstream
+
+* Sun Feb 18 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2:4.8.1-10
+- backport some patches
+
+* Sat Nov 18 2023 wangqingsan <wangqingsan@huawei.com> - 2:4.8.1-9
+- fix CVE-2013-4235
+
+* Wed Sep 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.8.1-8
+- fix CVE-2023-4641
+
+* Mon Jun 19 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.8.1-7
+- backport some patches
+
 * Thu Apr 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.8.1-6
-- fix CVE-2023-29383 
+- fix CVE-2023-29383
 
 * Fri Jan 28 2022 panxiaohe<panxh.life@foxmail.com> - 2:4.8.1-5
 - groupdel: fix SIGSEGV when passwd does not exist