add some backport to optimize some functions

Signed-off-by: yunjia_w <yunjia.wang@huawei.com>

backport-Add-header-guards.patch

@@ -0,0 +1,48 @@
+From 0c7ded471fdd2a130edfb265279663c68cfd2a3c Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 10 May 2022 15:26:15 +0200
+Subject: [PATCH] Add header guards
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+
+Reference: https://github.com/shadow-maint/shadow/commit/0c7ded471fdd2a130edfb265279663c68cfd2a3c
+Conflict: shadowlog_internal.h is not currently available, and run_part.h is adapted
+---
+ lib/pwauth.h             | 5 +++++
+ lib/run_part.h           | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/lib/pwauth.h b/lib/pwauth.h
+index fb205b71..b610025d 100644
+--- a/lib/pwauth.h
++++ b/lib/pwauth.h
+@@ -34,6 +34,9 @@
+  *	$Id$
+  */
+ 
++#ifndef _PWAUTH_H
++#define _PWAUTH_H
++
+ #ifndef USE_PAM
+ int pw_auth (const char *cipher,
+              const char *user,
+@@ -64,3 +67,5 @@ int pw_auth (const char *cipher,
+ #define	PW_RLOGIN	202
+ #define	PW_FTP		203
+ #define	PW_REXEC	204
++
++#endif /* _PWAUTH_H */
+diff --git a/lib/run_part.h b/lib/run_part.h
+index 0b68dbfc..6422134c 100644
+--- a/lib/run_part.h
++++ b/lib/run_part.h
+@@ -1,2 +1,7 @@
++#ifndef _RUN_PART_H
++#define _RUN_PART_H
++
+ int run_part (char *script_path, char *name, char *action);
+ int run_parts (char *directory, char *name, char *action);
++
++#endif /* _RUN_PART_H */
+-- 
+2.23.0

backport-Change-to-strncat.patch

@@ -0,0 +1,29 @@
+From 9560152f1bdae02b072b54ea65d1e686ebd46e5f Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Fri, 18 Mar 2022 15:35:02 -0400
+Subject: [PATCH] Change to strncat
+ 
+ut_line is declared as a nonstring in bits/utmp.h. It might not be NUL
+terminated. Limit how much it copies to the size of the array.
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/4f393a5f9fd9168c91225ae1b39843fc90372c74
+Conflict: NA
+---
+ src/logoutd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/logoutd.c b/src/logoutd.c
+index 780c29f..06c12c6 100644
+--- a/src/logoutd.c
++++ b/src/logoutd.c
+@@ -250,7 +250,7 @@ int main (int argc, char **argv)
+ 				tty_name[0] = '\0';
+ 			}
+ 
+-			strcat (tty_name, ut->ut_line);
++			strncat (tty_name, ut->ut_line, UT_LINESIZE);
+ #ifndef O_NOCTTY
+ #define O_NOCTTY 0
+ #endif
+-- 
+2.33.0

backport-Do-not-return-garbage-in-run_parts.patch

@@ -0,0 +1,31 @@
+From b2bc1f692736debf3ba94872db73435d114d19ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 3 Jan 2022 13:12:31 +0100
+Subject: [PATCH] Do not return garbage in run_parts
+ 
+If scandir(3) returns 0, the uninitialized value of execute_result will
+be returned.
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/b2bc1f692736debf3ba94872db73435d114d19ec
+Conflict: NA
+ 
+---
+ lib/run_part.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/lib/run_part.c b/lib/run_part.c
+index 884bbefa..1e4f154b 100644
+--- a/lib/run_part.c
++++ b/lib/run_part.c
+@@ -48,7 +48,7 @@ int run_parts (const char *directory, const char *name, const char *action)
+ 	int execute_result;
+ 
+ 	scanlist = scandir (directory, &namelist, 0, alphasort);
+-	if (scanlist<0) {
++	if (scanlist<=0) {
+ 		return (0);
+ 	}
+ 
+-- 
+2.27.0
+ 

backport-Handle-ERANGE-error-correctly.patch

@@ -0,0 +1,38 @@
+From e9bf727253e13968c4c61d71f4725e668cd49881 Mon Sep 17 00:00:00 2001
+From: Niko <2089413+NikoDelarich@users.noreply.github.com>
+Date: Tue, 1 Mar 2022 14:43:07 +0100
+Subject: [PATCH] Handle ERANGE error correctly
+ 
+The reentrant functions getgrgid_r, getgrnam_r, getpwnam_r, etc. all return an error code instead of setting errno. Adapt the error check accordingly.
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/e9bf727253e13968c4c61d71f4725e668cd49881
+Conflict: NA
+ 
+---
+ libmisc/xgetXXbyYY.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+ 
+diff --git a/libmisc/xgetXXbyYY.c b/libmisc/xgetXXbyYY.c
+index db010224..6a3f9693 100644
+--- a/libmisc/xgetXXbyYY.c
++++ b/libmisc/xgetXXbyYY.c
+@@ -66,7 +66,6 @@
+ 			         "x" STRINGIZE(FUNCTION_NAME));
+ 			exit (13);
+ 		}
+-		errno = 0;
+ 		status = REENTRANT_NAME(ARG_NAME, result, buffer,
+ 		                        length, &resbuf);
+ 		if ((0 == status) && (resbuf == result)) {
+@@ -78,7 +77,7 @@
+ 			return ret_result;
+ 		}
+ 
+-		if (ERANGE != errno) {
++		if (ERANGE != status) {
+ 			free (buffer);
+ 			free (result);
+ 			return NULL;
+-- 
+2.27.0
+ 

backport-Initialize-local-variables.patch

@@ -0,0 +1,89 @@
+From 3b89b71680b2eb46135439e0a7760dbe040628e5 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 16 May 2022 17:24:58 +0200
+Subject: [PATCH] Initialize local variables
+ 
+CWE-457 by CodeQL.
+ 
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/3b89b71680b2eb46135439e0a7760dbe040628e5
+Conflict: The number of lines is inconsistent and there is a little difference in adaptation
+ 
+---
+ lib/run_part.c |  2 +-
+ src/faillog.c  |  4 ++--
+ src/lastlog.c  | 21 ++++++++++-----------
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+ 
+diff --git a/lib/run_part.c b/lib/run_part.c
+index 1e4f154b..bce11d37 100644
+--- a/lib/run_part.c
++++ b/lib/run_part.c
+@@ -43,7 +43,7 @@ int run_parts (char *directory, char *name, char *action)
+ 	struct dirent **namelist;
+ 	int scanlist;
+ 	int n;
+-	int execute_result;
++	int execute_result = 0;
+ 
+ 	scanlist = scandir (directory, &namelist, 0, alphasort);
+ 	if (scanlist<=0) {
+diff --git a/src/faillog.c b/src/faillog.c
+index d33fe9b6..0f94836f 100644
+--- a/src/faillog.c
++++ b/src/faillog.c
+@@ -565,9 +565,9 @@ static void set_locktime (long locktime)
+ 
+ int main (int argc, char **argv)
+ {
+-	long fail_locktime;
++	long fail_locktime = 0;
+ 	short fail_max = 0; // initialize to silence compiler warning
+-	long days;
++	long days = 0;
+ 
+ 	/*
+ 	 * Get the program name. The program name is used as a prefix to
+diff --git a/src/lastlog.c b/src/lastlog.c
+index 3c0fc9c6..0d4b5fd2 100644
+--- a/src/lastlog.c
++++ b/src/lastlog.c
+@@ -114,7 +114,16 @@ static void print_one (/*@null@*/const struct passwd *pw)
+ #endif
+ 
+ #ifdef HAVE_LL_HOST
+-	int maxIPv6Addrlen;
++	/*
++	 * ll_host is in minimized form, thus the maximum IPv6 address possible is
++	 * 8*4+7 = 39 characters.
++	 * RFC 4291 2.5.6 states that for LL-addresses fe80+only the interface ID is set,
++	 * thus having a maximum size of 25+1+IFNAMSIZ.
++	 * POSIX says IFNAMSIZ should be 16 characters long including the null byte, thus
++	 * 25+1+IFNAMSIZ >= 42 > 39
++	 */
++	/* Link-Local address + % + Interfacename */
++	const int maxIPv6Addrlen = 25+1+IFNAMSIZ;
+ #endif
+ 
+ 	if (NULL == pw) {
+@@ -158,16 +167,6 @@ static void print_one (/*@null@*/const struct passwd *pw)
+ 	/* Print the header only once */
+ 	if (!once) {
+ #ifdef HAVE_LL_HOST
+-		/*
+-		 * ll_host is in minimized form, thus the maximum IPv6 address possible is
+-		 * 8*4+7 = 39 characters.
+-		 * RFC 4291 2.5.6 states that for LL-addresses fe80+only the interface ID is set,
+-		 * thus having a maximum size of 25+1+IFNAMSIZ.
+-		 * POSIX says IFNAMSIZ should be 16 characters long including the null byte, thus
+-		 * 25+1+IFNAMSIZ >= 42 > 39
+-		 */
+-		/* Link-Local address + % + Interfacename */
+-		maxIPv6Addrlen = 25+1+IFNAMSIZ;
+ 		printf (_("Username         Port     From%*sLatest\n"), maxIPv6Addrlen-3, " ");
+ #else
+ 		puts (_("Username                Port     Latest"));
+-- 
+2.27.0
+ 

backport-Remove-commented-out-code-and-FIXMEs.patch

@@ -0,0 +1,79 @@
+From 0b51cde162322ad1c6d162be0bc1b97065ff25c8 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 10 May 2022 15:01:21 +0200
+Subject: [PATCH] Remove commented out code and FIXMEs
+ 
+In order to remove some of the FIXMEs it was necessary to change the
+code and call getulong() instead of getlong().
+ 
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/0b51cde162322ad1c6d162be0bc1b97065ff25c8
+Conflict: NA
+ 
+---
+ lib/getdef.c    | 1 -
+ lib/sgetspent.c | 3 +--
+ lib/shadow.c    | 3 +--
+ libmisc/salt.c  | 3 ++-
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+ 
+diff --git a/lib/getdef.c b/lib/getdef.c
+index fbaea2e1..2e6022fa 100644
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -345,7 +345,6 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
+ 	}
+ 
+ 	if (getulong (d->value, &val) == 0) {
+-		/* FIXME: we should have a getulong */
+ 		fprintf (shadow_logfd,
+ 		         _("configuration error - cannot parse %s value: '%s'"),
+ 		         item, d->value);
+diff --git a/lib/sgetspent.c b/lib/sgetspent.c
+index a35b6759..cbadb7e6 100644
+--- a/lib/sgetspent.c
++++ b/lib/sgetspent.c
+@@ -171,8 +171,7 @@ struct spwd *sgetspent (const char *string)
+ 
+ 	if (fields[8][0] == '\0') {
+ 		spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
+-	} else if (getlong (fields[8], &spwd.sp_flag) == 0) {
+-		/* FIXME: add a getulong function */
++	} else if (getulong (fields[8], &spwd.sp_flag) == 0) {
+ 		return 0;
+ 	}
+ 
+diff --git a/lib/shadow.c b/lib/shadow.c
+index 9e86b908..b628b657 100644
+--- a/lib/shadow.c
++++ b/lib/shadow.c
+@@ -305,8 +305,7 @@ static struct spwd *my_sgetspent (const char *string)
+ 	if (fields[8][0] == '\0') {
+ 		spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
+ 	} else {
+-		if (getlong (fields[8], &spwd.sp_flag) == 0) {
+-			/* FIXME: add a getulong function */
++		if (getulong (fields[8], &spwd.sp_flag) == 0) {
+ #ifdef	USE_NIS
+ 			if (nis_used) {
+ 				spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index ebf162fc..450293d7 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -341,9 +341,10 @@ static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *
+ 	/*
+ 	 * Use 19 as an upper bound for now,
+ 	 * because musl doesn't allow rounds >= 20.
++	 * If musl ever supports > 20 rounds,
++	 * rounds should be set to B_ROUNDS_MAX.
+ 	 */
+ 	if (rounds > 19) {
+-		/* rounds = B_ROUNDS_MAX; */
+ 		rounds = 19;
+ 	}
+ #endif /* USE_XCRYPT_GENSALT */
+-- 
+2.27.0
+ 

backport-Remove-redeclared-variable.patch

@@ -0,0 +1,31 @@
+From 23baa40d9d96743dd3377de0de8e422b7ec3ed94 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 10 May 2022 13:23:07 +0200
+Subject: [PATCH] Remove redeclared variable
+ 
+No need to redeclare a variable with the same name and type. Just keep
+the one with the biggest scope.
+ 
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/23baa40d9d96743dd3377de0de8e422b7ec3ed94
+Conflict: NA
+ 
+---
+ src/vipw.c | 1 -
+ 1 file changed, 1 deletion(-)
+ 
+diff --git a/src/vipw.c b/src/vipw.c
+index 8c97f4bc..488a97d9 100644
+--- a/src/vipw.c
++++ b/src/vipw.c
+@@ -293,7 +293,6 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void))
+ 		/* use the system() call to invoke the editor so that it accepts
+ 		   command line args in the EDITOR and VISUAL environment vars */
+ 		char *buf;
+-		int status;
+ 
+ 		/* Wait for parent to make us the foreground pgrp. */
+ 		if (orig_pgrp != -1) {
+-- 
+2.27.0

backport-libmisc-add-check-fopen-return-value-in-read_random_.patch

@@ -0,0 +1,33 @@
+From a43d0b95c44b2c36025452b772b9d4b251281e3e Mon Sep 17 00:00:00 2001
+From: juyin <zhuyan34@huawei.com>
+Date: Wed, 30 Mar 2022 19:21:32 +0800
+Subject: [PATCH] libmisc: add check fopen return value in read_random_bytes()
+ 
+Returns null when fopen fails. Then, using fread with a null pointer will cause a segfault.
+ 
+Signed-off-by: Yan Zhu <zhuyan34@huawei.com>
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/a43d0b95c44b2c36025452b772b9d4b251281e3e
+Conflict: NA
+ 
+---
+ libmisc/salt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+ 
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index f8ac5669..ebf162fc 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -175,6 +175,9 @@ static long read_random_bytes (void)
+ 
+ #else
+ 	FILE *f = fopen ("/dev/urandom", "r");
++	if (NULL == f) {
++		goto fail;
++	}
+ 
+ 	if (fread (&randval, sizeof (randval), 1, f) != 1) {
+ 		fclose(f);
+-- 
+2.27.0
+ 

backport-passwd-erase-password-copy-on-all-error-branches.patch

@@ -0,0 +1,35 @@
+From 58b6e97a9eef866e9e479fb781aaaf59fb11ef36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 25 Apr 2022 12:17:40 +0200
+Subject: [PATCH] passwd: erase password copy on all error branches
+ 
+Reference: https://github.com/shadow-maint/shadow/commit/58b6e97a9eef866e9e479fb781aaaf59fb11ef36
+Conflict: NA
+ 
+---
+ src/passwd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+ 
+diff --git a/src/passwd.c b/src/passwd.c
+index 80531ec6..8c6f81a9 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -289,6 +289,7 @@ static int new_password (const struct passwd *pw)
+ 		cp = getpass (_("New password: "));
+ 		if (NULL == cp) {
+ 			memzero (orig, sizeof orig);
++			memzero (pass, sizeof pass);
+ 			return -1;
+ 		}
+ 		if (warned && (strcmp (pass, cp) != 0)) {
+@@ -316,6 +317,7 @@ static int new_password (const struct passwd *pw)
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
+ 			memzero (orig, sizeof orig);
++			memzero (pass, sizeof pass);
+ 			return -1;
+ 		}
+ 		if (strcmp (cp, pass) != 0) {
+-- 
+2.27.0
+ 

shadow.spec

@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.9
-Release: 5
+Release: 6
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -37,6 +37,15 @@ Patch17: newgrp-fix-segmentation-fault.patch
 Patch18: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
 Patch19: backport-useradd-modify-check-ID-range-for-system-users.patch
 Patch20: shadow-add-sm3-crypt-support.patch
+Patch21: backport-Add-header-guards.patch
+Patch22: backport-Change-to-strncat.patch
+Patch23: backport-Do-not-return-garbage-in-run_parts.patch
+Patch24: backport-Handle-ERANGE-error-correctly.patch
+Patch25: backport-Initialize-local-variables.patch
+Patch26: backport-Remove-commented-out-code-and-FIXMEs.patch
+Patch27: backport-Remove-redeclared-variable.patch
+Patch28: backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
+Patch29: backport-passwd-erase-password-copy-on-all-error-branches.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -203,6 +212,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_mandir}/*/*
 
 %changelog
+* Mon Oct 31 2022  yunjia_w<yunjia.wang@huawei.com> - 2:4.9-6
+- add some backport to optimize some functions
+
 * Sat Mar 26 2022 fushanqing <fushanqing@kylinos.cn> - 2:4.9-5
 - remove patch 'shadow-4.1.5.1-var-lock.patch' and 'shadow-utils-fix-lock-file-residue.patch'