Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1123372,
regarding bookworm-pu: package shadow/4.13+dfsg1-1+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:shadow
User: [email protected]
Usertags: pu
[ Reason ]
shadow upstream received a (renewed) bug report that groupmod -U ...
can segfault. Upstream asked that we backport the fix for this.
[ Impact ]
groupmod -U continues to segfault.
[ Tests ]
I've manually tested the fix.
[ Risks ]
The upstream fix landed a long time ago, and the diff is quite
readable.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Includes upstream patch. No other changes.
[ Other info ]
Nothing I'm aware of.
diff -Nru shadow-4.13+dfsg1/debian/changelog shadow-4.13+dfsg1/debian/changelog
--- shadow-4.13+dfsg1/debian/changelog 2025-04-07 12:38:46.000000000 +0200
+++ shadow-4.13+dfsg1/debian/changelog 2025-12-14 15:00:01.000000000 +0100
@@ -1,3 +1,9 @@
+shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
+
+ * Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
+
+ -- Chris Hofstaedtler <[email protected]> Sun, 14 Dec 2025 15:00:01 +0100
+
shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
[ Balint Reczey ]
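Review bot: the added 1:4.13+dfsg1-1+deb12u2 entry describes the trigger as `groupmod -U ""`, while the upstream patch shipped later in this debdiff reproduces the crash with `groupmod -U u1,u2 g1` and attributes it to any -U call without -a. Suggest wording the entry around the double free in grp_update() and naming upstream commit 10429edc1467, so the changelog matches the patch it documents.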
diff -Nru shadow-4.13+dfsg1/debian/patches/series
shadow-4.13+dfsg1/debian/patches/series
--- shadow-4.13+dfsg1/debian/patches/series 2025-04-07 12:38:46.000000000
+0200
+++ shadow-4.13+dfsg1/debian/patches/series 2025-12-14 14:59:23.000000000
+0100
@@ -1,3 +1,6 @@
+# Debian #1122913
+upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
+
# CVE-2023-4641
0001-gpasswd-1-Fix-password-leak.patch
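Review bot: the new entry is inserted at the top of debian/patches/series, ahead of the CVE-2023-4641 patch, so it is applied before every patch already in the stack. Appending it at the end would leave the released patch order untouched and avoid offset or fuzz changes should any later patch touch src/groupmod.c. The filename is also a bare commit hash; the `# Debian #1122913` comment helps, but a descriptive name would be easier to audit.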
diff -Nru
shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
---
shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
1970-01-01 01:00:00.000000000 +0100
+++
shadow-4.13+dfsg1/debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
2025-12-14 15:00:01.000000000 +0100
@@ -0,0 +1,54 @@
+From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
+From: lixinyun <[email protected]>
+Date: Wed, 29 May 2024 06:53:02 +0800
+Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
+ free
+
+Groupmod -U may cause crashes because of double free. If without -a, the first
free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update
without -n or gr_remove with -n.
+Considering the minimal impact of modifications on existing code, delete
gr_free_members(&grp) to avoid double free.Although this may seem reckless, the
second free in two different positions will definitely be triggered, and the
following two test cases can be used to illustrate the situation :
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
+Segmentation fault
+
+This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment
statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)),
which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -U u1,u2 g1
+Segmentation fault
+
+The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in
if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to
free (*ogrp).gr_mem again.
+
+So the first free is unnecessary, maybe we can drop it.
+
+Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
+Closes: <https://github.com/shadow-maint/shadow/issues/1013>
+Link: <https://github.com/shadow-maint/shadow/pull/1007>
+Link: <https://github.com/shadow-maint/shadow/pull/271>
+Link: <https://github.com/shadow-maint/shadow/issues/265>
+Cc: "Serge E. Hallyn" <[email protected]>
+Reviewed-by: Alejandro Colomar <[email protected]>
+Signed-off-by: lixinyun <[email protected]>
+---
+ src/groupmod.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git i/src/groupmod.c w/src/groupmod.c
+index 006eca1c..7eae4c6f 100644
+--- i/src/groupmod.c
++++ w/src/groupmod.c
+@@ -244,8 +244,6 @@ static void grp_update (void)
+
+ if (!aflg) {
+ // requested to replace the existing groups
+- if (NULL != grp.gr_mem[0])
+- gr_free_members(&grp);
+ grp.gr_mem = (char **)xmalloc(sizeof(char *));
+ grp.gr_mem[0] = (char *)0;
+ } else {
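Review bot: in the `!aflg` branch of grp_update(), grp.gr_mem is now overwritten by the fresh xmalloc with nothing in the code saying who frees the previous array. Per the commit message, grp is a struct copy of *ogrp (`grp = *ogrp`) and the old member array is released later through gr_update or gr_remove; a one-line comment stating that ownership at this spot would keep a later reader from treating it as a leak and reintroducing the free. The two reproducers in the commit message would also serve as regression tests, since the request lists only manual testing.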
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.
--- End Message ---