!68 update version to 4.13

From: @yunjia_w Reviewed-by: @houmingyong, @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2023-02-08 09:27:08 +00:00 · 2023-02-08 09:27:08 +00:00 · f592896f18
commit f592896f18
parent dac9dc298e ebbcf53efe
34 changed files with 797 additions and 2742 deletions
--- a/Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
+++ b/Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
@ -1,112 +0,0 @@
 From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <serge@hallyn.com>
 Date: Fri, 23 Jul 2021 17:51:13 -0500
 Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
 There's a better way to do this, and I hope to clean that up,
 but this fixes out of tree builds for me right now.
 Closes #386
 Signed-off-by: Serge Hallyn <serge@hallyn.com>
 ---
 lib/Makefile.am      | 2 ++
 libmisc/Makefile.am  | 2 +-
 libsubid/Makefile.am | 4 ++--
 src/Makefile.am      | 6 ++++++
 4 files changed, 11 insertions(+), 3 deletions(-)
 diff --git a/lib/Makefile.am b/lib/Makefile.am
 index ecf3ee2..5ac2e11 100644
 --- a/lib/Makefile.am
 +++ b/lib/Makefile.am
@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
 libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
 endif
 +libshadow_la_CPPFLAGS += -I$(top_srcdir)
 +
 libshadow_la_SOURCES = \
 	commonio.c \
 	commonio.h \
 diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
 index 9766a7e..9f237e0 100644
 --- a/libmisc/Makefile.am
 +++ b/libmisc/Makefile.am
@@ -1,7 +1,7 @@
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 -AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
 +AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
 noinst_LTLIBRARIES = libmisc.la
 diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
 index 8305156..99308c1 100644
 --- a/libsubid/Makefile.am
 +++ b/libsubid/Makefile.am
@@ -20,8 +20,8 @@ MISCLIBS = \
 	$(LIBPAM)
 libsubid_la_LIBADD = \
 -	$(top_srcdir)/lib/libshadow.la \
 -	$(top_srcdir)/libmisc/libmisc.la \
 +	$(top_builddir)/lib/libshadow.la \
 +	$(top_builddir)/libmisc/libmisc.la \
 	$(MISCLIBS) -ldl
 AM_CPPFLAGS = \
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 3502701..7c1a349 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
@@ -10,6 +10,7 @@ sgidperms = 2755
 AM_CPPFLAGS = \
 	-I${top_srcdir}/lib \
 	-I$(top_srcdir)/libmisc \
 +	-I$(top_srcdir) \
 	-DLOCALEDIR=\"$(datadir)/locale\"
 # XXX why are login and su in /bin anyway (other than for
@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \
 list_subid_ranges_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
 +	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 get_subid_owners_LDADD = \
@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
 get_subid_owners_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
 +	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 new_subid_range_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
 +	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 new_subid_range_LDADD = \
@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
 free_subid_range_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
 +	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 free_subid_range_LDADD = \
@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
 check_subid_range_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 +	-I$(top_srcdir) \
 	-I$(top_srcdir)/libmisc
 check_subid_range_LDADD = \
 -- 
 1.8.3.1
--- a/Fixes-the-linking-issues-when-libsubid-is-static-and.patch
+++ b/Fixes-the-linking-issues-when-libsubid-is-static-and.patch
@ -1,28 +0,0 @@
 From fc832e4648d6e80e95aaa762a158453ee43fe1cb Mon Sep 17 00:00:00 2001
 From: "(GalaxyMaster)" <galaxy4public@users.noreply.github.com>
 Date: Wed, 27 Oct 2021 20:14:42 +1100
 Subject: [PATCH] Fixes the linking issues when libsubid is static and linked
 to binaries that also define the Prog and shadow_logfd variables.
 ---
 libsubid/api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/libsubid/api.c b/libsubid/api.c
 index a7b904d..a51b4e0 100644
 --- a/libsubid/api.c
 +++ b/libsubid/api.c
@@ -39,8 +39,8 @@
 #include "idmapping.h"
 #include "subid.h"
 -const char *Prog = "(libsubid)";
 -FILE *shadow_logfd;
 +static const char *Prog = "(libsubid)";
 +static FILE *shadow_logfd;
 bool libsubid_init(const char *progname, FILE * logfd)
 {
 -- 
 1.8.3.1
--- a/Makefile-include-libeconf-dependency-in-new-idmap.patch
+++ b/Makefile-include-libeconf-dependency-in-new-idmap.patch
@ -1,32 +0,0 @@
 From c6847011e8b656adacd9a0d2a78418cad0de34cb Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Mon, 2 Aug 2021 15:54:20 +0200
 Subject: [PATCH] Makefile: include libeconf dependency in new*idmap
 new*idmap has a dependency with libeconf since commit
 c464ec55709dc931ba2f24073b8b1a86d5209ab0. I'm just adding it to the
 Makefile to be able to compile in distributions that include libeconf.
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 src/Makefile.am | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 7c1a349..6cc873b 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
 endif
 chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
 -newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
 -newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
 +newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 +newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
 chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
 chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
 -- 
 1.8.3.1
--- a/Respect-enable-static-no-in-libsubid.patch
+++ b/Respect-enable-static-no-in-libsubid.patch
@ -1,45 +0,0 @@
 From fa986b1d73605ecca54a4f19249227aeab827bf6 Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <shallyn@cisco.com>
 Date: Sun, 25 Jul 2021 17:18:02 +0000
 Subject: [PATCH] Respect --enable-static=no in libsubid
 libsubid's Makefile.am was always setting enable-shared in its LDFLAGS.
 Do that only if not building static.
 Closes #387
 Signed-off-by: Serge Hallyn <shallyn@cisco.com>
 ---
 configure.ac         | 2 ++
 libsubid/Makefile.am | 2 ++
 2 files changed, 4 insertions(+)
 diff --git a/configure.ac b/configure.ac
 index 0f237cc..994836b 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
 fi
 +AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
 +
 AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
 if test "$with_bcrypt" = "yes"; then
 	AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
 diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
 index 99308c1..8bba02a 100644
 --- a/libsubid/Makefile.am
 +++ b/libsubid/Makefile.am
@@ -1,6 +1,8 @@
 lib_LTLIBRARIES = libsubid.la
 +if ENABLE_SHARED
 libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
 	-shared -version-info @LIBSUBID_ABI_MAJOR@
 +endif
 libsubid_la_SOURCES = api.c
 pkginclude_HEADERS = subid.h
 -- 
 1.8.3.1
--- a/Revert-useradd.c-fix-memleaks-of-grp.patch
+++ b/Revert-useradd.c-fix-memleaks-of-grp.patch
@ -1,30 +0,0 @@
 From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <serge@hallyn.com>
 Date: Sat, 14 Aug 2021 19:37:24 -0500
 Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
 In some cases, the value which was being freed is not actually
 safe to free.
 Closes #394
 This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
 ---
 src/useradd.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/useradd.c b/src/useradd.c
 index f90127c..0d3f390 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
@@ -413,7 +413,6 @@ static void get_defaults (void)
 			} else {
 				def_group = grp->gr_gid;
 				def_gname = xstrdup (grp->gr_name);
 -				gr_free(grp);
 			}
 		}
 -- 
 1.8.3.1
--- a/backport-Add-header-guards.patch
+++ b/backport-Add-header-guards.patch
@ -1,48 +0,0 @@
 From 0c7ded471fdd2a130edfb265279663c68cfd2a3c Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Tue, 10 May 2022 15:26:15 +0200
 Subject: [PATCH] Add header guards
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reference: https://github.com/shadow-maint/shadow/commit/0c7ded471fdd2a130edfb265279663c68cfd2a3c
 Conflict: shadowlog_internal.h is not currently available, and run_part.h is adapted
 ---
 lib/pwauth.h             | 5 +++++
 lib/run_part.h           | 5 +++++
 2 files changed, 10 insertions(+)
 diff --git a/lib/pwauth.h b/lib/pwauth.h
 index fb205b71..b610025d 100644
 --- a/lib/pwauth.h
 +++ b/lib/pwauth.h
@@ -34,6 +34,9 @@
  *	$Id$
  */
 +#ifndef _PWAUTH_H
 +#define _PWAUTH_H
 +
 #ifndef USE_PAM
 int pw_auth (const char *cipher,
              const char *user,
@@ -64,3 +67,5 @@ int pw_auth (const char *cipher,
 #define	PW_RLOGIN	202
 #define	PW_FTP		203
 #define	PW_REXEC	204
 +
 +#endif /* _PWAUTH_H */
 diff --git a/lib/run_part.h b/lib/run_part.h
 index 0b68dbfc..6422134c 100644
 --- a/lib/run_part.h
 +++ b/lib/run_part.h
@@ -1,2 +1,7 @@
 +#ifndef _RUN_PART_H
 +#define _RUN_PART_H
 +
 int run_part (char *script_path, char *name, char *action);
 int run_parts (char *directory, char *name, char *action);
 +
 +#endif /* _RUN_PART_H */
 -- 
 2.23.0
--- a/backport-Change-to-strncat.patch
+++ b/backport-Change-to-strncat.patch
@ -1,29 +0,0 @@
 From 9560152f1bdae02b072b54ea65d1e686ebd46e5f Mon Sep 17 00:00:00 2001
 From: Steve Grubb <sgrubb@redhat.com>
 Date: Fri, 18 Mar 2022 15:35:02 -0400
 Subject: [PATCH] Change to strncat
 ut_line is declared as a nonstring in bits/utmp.h. It might not be NUL
 terminated. Limit how much it copies to the size of the array.
 Reference: https://github.com/shadow-maint/shadow/commit/4f393a5f9fd9168c91225ae1b39843fc90372c74
 Conflict: NA
 ---
 src/logoutd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/logoutd.c b/src/logoutd.c
 index 780c29f..06c12c6 100644
 --- a/src/logoutd.c
 +++ b/src/logoutd.c
@@ -250,7 +250,7 @@ int main (int argc, char **argv)
 				tty_name[0] = '\0';
 			}
 -			strcat (tty_name, ut->ut_line);
 +			strncat (tty_name, ut->ut_line, UT_LINESIZE);
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
 -- 
 2.33.0
--- a/backport-Do-not-return-garbage-in-run_parts.patch
+++ b/backport-Do-not-return-garbage-in-run_parts.patch
@ -1,31 +0,0 @@
 From b2bc1f692736debf3ba94872db73435d114d19ec Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
 Date: Mon, 3 Jan 2022 13:12:31 +0100
 Subject: [PATCH] Do not return garbage in run_parts
 If scandir(3) returns 0, the uninitialized value of execute_result will
 be returned.
 Reference: https://github.com/shadow-maint/shadow/commit/b2bc1f692736debf3ba94872db73435d114d19ec
 Conflict: NA
 ---
 lib/run_part.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/run_part.c b/lib/run_part.c
 index 884bbefa..1e4f154b 100644
 --- a/lib/run_part.c
 +++ b/lib/run_part.c
@@ -48,7 +48,7 @@ int run_parts (const char *directory, const char *name, const char *action)
 	int execute_result;
 	scanlist = scandir (directory, &namelist, 0, alphasort);
 -	if (scanlist<0) {
 +	if (scanlist<=0) {
 		return (0);
 	}
 -- 
 2.27.0
--- a/backport-Handle-ERANGE-error-correctly.patch
+++ b/backport-Handle-ERANGE-error-correctly.patch
@ -1,38 +0,0 @@
 From e9bf727253e13968c4c61d71f4725e668cd49881 Mon Sep 17 00:00:00 2001
 From: Niko <2089413+NikoDelarich@users.noreply.github.com>
 Date: Tue, 1 Mar 2022 14:43:07 +0100
 Subject: [PATCH] Handle ERANGE error correctly
 The reentrant functions getgrgid_r, getgrnam_r, getpwnam_r, etc. all return an error code instead of setting errno. Adapt the error check accordingly.
 Reference: https://github.com/shadow-maint/shadow/commit/e9bf727253e13968c4c61d71f4725e668cd49881
 Conflict: NA
 ---
 libmisc/xgetXXbyYY.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/libmisc/xgetXXbyYY.c b/libmisc/xgetXXbyYY.c
 index db010224..6a3f9693 100644
 --- a/libmisc/xgetXXbyYY.c
 +++ b/libmisc/xgetXXbyYY.c
@@ -66,7 +66,6 @@
 			         "x" STRINGIZE(FUNCTION_NAME));
 			exit (13);
 		}
 -		errno = 0;
 		status = REENTRANT_NAME(ARG_NAME, result, buffer,
 		                        length, &resbuf);
 		if ((0 == status) && (resbuf == result)) {
@@ -78,7 +77,7 @@
 			return ret_result;
 		}
 -		if (ERANGE != errno) {
 +		if (ERANGE != status) {
 			free (buffer);
 			free (result);
 			return NULL;
 -- 
 2.27.0
--- a/backport-Initialize-local-variables.patch
+++ b/backport-Initialize-local-variables.patch
@ -1,89 +0,0 @@
 From 3b89b71680b2eb46135439e0a7760dbe040628e5 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Mon, 16 May 2022 17:24:58 +0200
 Subject: [PATCH] Initialize local variables
 CWE-457 by CodeQL.
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reference: https://github.com/shadow-maint/shadow/commit/3b89b71680b2eb46135439e0a7760dbe040628e5
 Conflict: The number of lines is inconsistent and there is a little difference in adaptation
 ---
 lib/run_part.c |  2 +-
 src/faillog.c  |  4 ++--
 src/lastlog.c  | 21 ++++++++++-----------
 3 files changed, 13 insertions(+), 14 deletions(-)
 diff --git a/lib/run_part.c b/lib/run_part.c
 index 1e4f154b..bce11d37 100644
 --- a/lib/run_part.c
 +++ b/lib/run_part.c
@@ -43,7 +43,7 @@ int run_parts (char *directory, char *name, char *action)
 	struct dirent **namelist;
 	int scanlist;
 	int n;
 -	int execute_result;
 +	int execute_result = 0;
 	scanlist = scandir (directory, &namelist, 0, alphasort);
 	if (scanlist<=0) {
 diff --git a/src/faillog.c b/src/faillog.c
 index d33fe9b6..0f94836f 100644
 --- a/src/faillog.c
 +++ b/src/faillog.c
@@ -565,9 +565,9 @@ static void set_locktime (long locktime)
 int main (int argc, char **argv)
 {
 -	long fail_locktime;
 +	long fail_locktime = 0;
 	short fail_max = 0; // initialize to silence compiler warning
 -	long days;
 +	long days = 0;
 	/*
 	 * Get the program name. The program name is used as a prefix to
 diff --git a/src/lastlog.c b/src/lastlog.c
 index 3c0fc9c6..0d4b5fd2 100644
 --- a/src/lastlog.c
 +++ b/src/lastlog.c
@@ -114,7 +114,16 @@ static void print_one (/*@null@*/const struct passwd *pw)
 #endif
 #ifdef HAVE_LL_HOST
 -	int maxIPv6Addrlen;
 +	/*
 +	 * ll_host is in minimized form, thus the maximum IPv6 address possible is
 +	 * 8*4+7 = 39 characters.
 +	 * RFC 4291 2.5.6 states that for LL-addresses fe80+only the interface ID is set,
 +	 * thus having a maximum size of 25+1+IFNAMSIZ.
 +	 * POSIX says IFNAMSIZ should be 16 characters long including the null byte, thus
 +	 * 25+1+IFNAMSIZ >= 42 > 39
 +	 */
 +	/* Link-Local address + % + Interfacename */
 +	const int maxIPv6Addrlen = 25+1+IFNAMSIZ;
 #endif
 	if (NULL == pw) {
@@ -158,16 +167,6 @@ static void print_one (/*@null@*/const struct passwd *pw)
 	/* Print the header only once */
 	if (!once) {
 #ifdef HAVE_LL_HOST
 -		/*
 -		 * ll_host is in minimized form, thus the maximum IPv6 address possible is
 -		 * 8*4+7 = 39 characters.
 -		 * RFC 4291 2.5.6 states that for LL-addresses fe80+only the interface ID is set,
 -		 * thus having a maximum size of 25+1+IFNAMSIZ.
 -		 * POSIX says IFNAMSIZ should be 16 characters long including the null byte, thus
 -		 * 25+1+IFNAMSIZ >= 42 > 39
 -		 */
 -		/* Link-Local address + % + Interfacename */
 -		maxIPv6Addrlen = 25+1+IFNAMSIZ;
 		printf (_("Username         Port     From%*sLatest\n"), maxIPv6Addrlen-3, " ");
 #else
 		puts (_("Username                Port     Latest"));
 -- 
 2.27.0
--- a/backport-Remove-commented-out-code-and-FIXMEs.patch
+++ b/backport-Remove-commented-out-code-and-FIXMEs.patch
@ -1,79 +0,0 @@
 From 0b51cde162322ad1c6d162be0bc1b97065ff25c8 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Tue, 10 May 2022 15:01:21 +0200
 Subject: [PATCH] Remove commented out code and FIXMEs
 In order to remove some of the FIXMEs it was necessary to change the
 code and call getulong() instead of getlong().
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reference: https://github.com/shadow-maint/shadow/commit/0b51cde162322ad1c6d162be0bc1b97065ff25c8
 Conflict: NA
 ---
 lib/getdef.c    | 1 -
 lib/sgetspent.c | 3 +--
 lib/shadow.c    | 3 +--
 libmisc/salt.c  | 3 ++-
 4 files changed, 4 insertions(+), 6 deletions(-)
 diff --git a/lib/getdef.c b/lib/getdef.c
 index fbaea2e1..2e6022fa 100644
 --- a/lib/getdef.c
 +++ b/lib/getdef.c
@@ -345,7 +345,6 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
 	}
 	if (getulong (d->value, &val) == 0) {
 -		/* FIXME: we should have a getulong */
 		fprintf (shadow_logfd,
 		         _("configuration error - cannot parse %s value: '%s'"),
 		         item, d->value);
 diff --git a/lib/sgetspent.c b/lib/sgetspent.c
 index a35b6759..cbadb7e6 100644
 --- a/lib/sgetspent.c
 +++ b/lib/sgetspent.c
@@ -171,8 +171,7 @@ struct spwd *sgetspent (const char *string)
 	if (fields[8][0] == '\0') {
 		spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
 -	} else if (getlong (fields[8], &spwd.sp_flag) == 0) {
 -		/* FIXME: add a getulong function */
 +	} else if (getulong (fields[8], &spwd.sp_flag) == 0) {
 		return 0;
 	}
 diff --git a/lib/shadow.c b/lib/shadow.c
 index 9e86b908..b628b657 100644
 --- a/lib/shadow.c
 +++ b/lib/shadow.c
@@ -305,8 +305,7 @@ static struct spwd *my_sgetspent (const char *string)
 	if (fields[8][0] == '\0') {
 		spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
 	} else {
 -		if (getlong (fields[8], &spwd.sp_flag) == 0) {
 -			/* FIXME: add a getulong function */
 +		if (getulong (fields[8], &spwd.sp_flag) == 0) {
 #ifdef	USE_NIS
 			if (nis_used) {
 				spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
 diff --git a/libmisc/salt.c b/libmisc/salt.c
 index ebf162fc..450293d7 100644
 --- a/libmisc/salt.c
 +++ b/libmisc/salt.c
@@ -341,9 +341,10 @@ static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *
 	/*
 	 * Use 19 as an upper bound for now,
 	 * because musl doesn't allow rounds >= 20.
 +	 * If musl ever supports > 20 rounds,
 +	 * rounds should be set to B_ROUNDS_MAX.
 	 */
 	if (rounds > 19) {
 -		/* rounds = B_ROUNDS_MAX; */
 		rounds = 19;
 	}
 #endif /* USE_XCRYPT_GENSALT */
 -- 
 2.27.0
--- a/backport-Remove-redeclared-variable.patch
+++ b/backport-Remove-redeclared-variable.patch
@ -1,31 +0,0 @@
 From 23baa40d9d96743dd3377de0de8e422b7ec3ed94 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Tue, 10 May 2022 13:23:07 +0200
 Subject: [PATCH] Remove redeclared variable
 No need to redeclare a variable with the same name and type. Just keep
 the one with the biggest scope.
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reference: https://github.com/shadow-maint/shadow/commit/23baa40d9d96743dd3377de0de8e422b7ec3ed94
 Conflict: NA
 ---
 src/vipw.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/vipw.c b/src/vipw.c
 index 8c97f4bc..488a97d9 100644
 --- a/src/vipw.c
 +++ b/src/vipw.c
@@ -293,7 +293,6 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void))
 		/* use the system() call to invoke the editor so that it accepts
 		   command line args in the EDITOR and VISUAL environment vars */
 		char *buf;
 -		int status;
 		/* Wait for parent to make us the foreground pgrp. */
 		if (orig_pgrp != -1) {
 -- 
 2.27.0
--- a/backport-chpasswd-add-get_salt-for-generating-salt-value.patch
+++ b/backport-chpasswd-add-get_salt-for-generating-salt-value.patch
@ -1,117 +0,0 @@
 From 6d1b10b9e516bd88fa34392395b0a7c6e6f54fd7 Mon Sep 17 00:00:00 2001
 From: juyin <zhuyan34@huawei.com>
 Date: Thu, 31 Mar 2022 16:45:19 +0800
 Subject: [PATCH] chpasswd: add get_salt for generating salt value
 The function that generates the salt value is extracted separately, and it is more convenient to modify it later.
 Reference: https://github.com/shadow-maint/shadow/commit/a026154c6fca7c7e5d6d0723e0cc29d6cd9fa00a
 Conflict: The EulerOS supports SM3. As a result, the patch is different.
 ---
 src/chpasswd.c | 73 +++++++++++++++++++++++++++-----------------------
 1 file changed, 39 insertions(+), 34 deletions(-)
 diff --git a/src/chpasswd.c b/src/chpasswd.c
 index 5dfb995..708f973 100644
 --- a/src/chpasswd.c
 +++ b/src/chpasswd.c
@@ -430,12 +430,54 @@ static void close_files (void)
 	pw_locked = false;
 }
 +static const char *get_salt(void)
 +{
 +	if (   !eflg
 +		&& (   (NULL == crypt_method)
 +			|| (0 != strcmp (crypt_method, "NONE")))) {
 +		void *arg = NULL;
 +
 +		if (md5flg) {
 +			crypt_method = "MD5";
 +		}
 +#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
 +		if (sflg) {
 +#if defined(USE_SHA_CRYPT)
 +			if (   (0 == strcmp (crypt_method, "SHA256"))
 +				|| (0 == strcmp (crypt_method, "SHA512"))) {
 +				arg = &sha_rounds;
 +			}
 +#endif				/* USE_SHA_CRYPT */
 +#if defined(USE_BCRYPT)
 +			if (0 == strcmp (crypt_method, "BCRYPT")) {
 +				arg = &bcrypt_rounds;
 +			}
 +#endif				/* USE_BCRYPT */
 +#if defined(USE_YESCRYPT)
 +			if (0 == strcmp (crypt_method, "YESCRYPT")) {
 +				arg = &yescrypt_cost;
 +			}
 +#endif				/* USE_YESCRYPT */
 +#if defined(USE_SM3_CRYPT)
 +			if (0 == strcmp (crypt_method, "SM3")) {
 +				arg = &sm3_rounds;
 +			}
 +#endif				/* USE_SM3_CRYPT */
 +		}
 +#endif
 +		return crypt_make_salt (crypt_method, arg);
 +	}
 +
 +	return NULL;
 +}
 +
 int main (int argc, char **argv)
 {
 	char buf[BUFSIZ];
 	char *name;
 	char *newpwd;
 	char *cp;
 +	const char *salt;
 #ifdef USE_PAM
 	bool use_pam = true;
@@ -545,40 +587,8 @@ int main (int argc, char **argv)
 		const struct passwd *pw;
 		struct passwd newpw;
 -		if (   !eflg
 -		    && (   (NULL == crypt_method)
 -		        || (0 != strcmp (crypt_method, "NONE")))) {
 -			void *arg = NULL;
 -			const char *salt;
 -			if (md5flg) {
 -				crypt_method = "MD5";
 -			}
 -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
 -			if (sflg) {
 -#if defined(USE_SHA_CRYPT)
 -				if (   (0 == strcmp (crypt_method, "SHA256"))
 -					|| (0 == strcmp (crypt_method, "SHA512"))) {
 -					arg = &sha_rounds;
 -				}
 -#endif				/* USE_SHA_CRYPT */
 -#if defined(USE_BCRYPT)
 -				if (0 == strcmp (crypt_method, "BCRYPT")) {
 -					arg = &bcrypt_rounds;
 -				}
 -#endif				/* USE_BCRYPT */
 -#if defined(USE_YESCRYPT)
 -				if (0 == strcmp (crypt_method, "YESCRYPT")) {
 -					arg = &yescrypt_cost;
 -				}
 -#endif				/* USE_YESCRYPT */
 -#if defined(USE_SM3_CRYPT)
 -				if (0 == strcmp (crypt_method, "SM3")) {
 -					arg = &sm3_rounds;
 -				}
 -#endif				/* USE_SM3_CRYPT */
 -			}
 -#endif
 -			salt = crypt_make_salt (crypt_method, arg);
 +		salt = get_salt();
 +		if (salt) {
 			cp = pw_encrypt (newpwd, salt);
 			if (NULL == cp) {
 				fprintf (stderr,
 -- 
 2.33.0
--- a/backport-chpasswd-fix-function-problem-with-R-parameter.patch
+++ b/backport-chpasswd-fix-function-problem-with-R-parameter.patch
@ -1,48 +0,0 @@
 From 3732cf72d6f05fcd9d9f301eac84c1a61443e379 Mon Sep 17 00:00:00 2001
 From: juyin <zhuyan34@huawei.com>
 Date: Thu, 31 Mar 2022 16:48:52 +0800
 Subject: [PATCH] chpasswd: fix function problem with -R parameter
 Generating salt value depends on /dev/urandom. But after the
 function process_root_flag changed the root directory, It does
 not exist.
 So, generate salt value before changeing the directory.
 Fixes: #514
 Reference: https://github.com/shadow-maint/shadow/commit/3732cf72d6f05fcd9d9f301eac84c1a61443e379
 Conflict: NA
 ---
 src/chpasswd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/chpasswd.c b/src/chpasswd.c
 index 94e923ab..d0da14c6 100644
 --- a/src/chpasswd.c
 +++ b/src/chpasswd.c
@@ -451,10 +451,11 @@ int main (int argc, char **argv)
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);
 -	process_root_flag ("-R", argc, argv);
 -
 	process_flags (argc, argv);
 +	salt = get_salt();
 +	process_root_flag ("-R", argc, argv);
 +
 #ifdef USE_PAM
 	if (md5flg || eflg || cflg) {
 		use_pam = false;
@@ -545,7 +546,6 @@ int main (int argc, char **argv)
 		const struct passwd *pw;
 		struct passwd newpw;
 -		salt = get_salt();
 		if (salt) {
 			cp = pw_encrypt (newpwd, salt);
 			if (NULL == cp) {
 -- 
 2.23.0
--- a/backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
+++ b/backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
@ -1,33 +0,0 @@
 From a43d0b95c44b2c36025452b772b9d4b251281e3e Mon Sep 17 00:00:00 2001
 From: juyin <zhuyan34@huawei.com>
 Date: Wed, 30 Mar 2022 19:21:32 +0800
 Subject: [PATCH] libmisc: add check fopen return value in read_random_bytes()
 Returns null when fopen fails. Then, using fread with a null pointer will cause a segfault.
 Signed-off-by: Yan Zhu <zhuyan34@huawei.com>
 Reference: https://github.com/shadow-maint/shadow/commit/a43d0b95c44b2c36025452b772b9d4b251281e3e
 Conflict: NA
 ---
 libmisc/salt.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/libmisc/salt.c b/libmisc/salt.c
 index f8ac5669..ebf162fc 100644
 --- a/libmisc/salt.c
 +++ b/libmisc/salt.c
@@ -175,6 +175,9 @@ static long read_random_bytes (void)
 #else
 	FILE *f = fopen ("/dev/urandom", "r");
 +	if (NULL == f) {
 +		goto fail;
 +	}
 	if (fread (&randval, sizeof (randval), 1, f) != 1) {
 		fclose(f);
 -- 
 2.27.0
--- a/backport-passwd-erase-password-copy-on-all-error-branches.patch
+++ b/backport-passwd-erase-password-copy-on-all-error-branches.patch
@ -1,35 +0,0 @@
 From 58b6e97a9eef866e9e479fb781aaaf59fb11ef36 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
 Date: Mon, 25 Apr 2022 12:17:40 +0200
 Subject: [PATCH] passwd: erase password copy on all error branches
 Reference: https://github.com/shadow-maint/shadow/commit/58b6e97a9eef866e9e479fb781aaaf59fb11ef36
 Conflict: NA
 ---
 src/passwd.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/passwd.c b/src/passwd.c
 index 80531ec6..8c6f81a9 100644
 --- a/src/passwd.c
 +++ b/src/passwd.c
@@ -289,6 +289,7 @@ static int new_password (const struct passwd *pw)
 		cp = getpass (_("New password: "));
 		if (NULL == cp) {
 			memzero (orig, sizeof orig);
 +			memzero (pass, sizeof pass);
 			return -1;
 		}
 		if (warned && (strcmp (pass, cp) != 0)) {
@@ -316,6 +317,7 @@ static int new_password (const struct passwd *pw)
 		cp = getpass (_("Re-enter new password: "));
 		if (NULL == cp) {
 			memzero (orig, sizeof orig);
 +			memzero (pass, sizeof pass);
 			return -1;
 		}
 		if (strcmp (cp, pass) != 0) {
 -- 
 2.27.0
--- a/backport-useradd-modify-check-ID-range-for-system-users.patch
+++ b/backport-useradd-modify-check-ID-range-for-system-users.patch
@ -1,42 +0,0 @@
 From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Tue, 4 Jan 2022 13:06:00 +0100
 Subject: [PATCH] useradd: modify check ID range for system users
 useradd warns that a system user ID less than SYS_UID_MIN is outside the
 expected range, even though that ID has been specifically selected with
 the "-u" option.
 In my opinion all the user ID's below SYS_UID_MAX are for the system,
 thus I change the condition to take that into account.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Conflict: context adaptation
 ---
 src/useradd.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 diff --git a/src/useradd.c b/src/useradd.c
 index 34376fa..4c71c38 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
 	uid_t uid_min ;
 	uid_t uid_max ;
 	if(rflg){
 -		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
 -		if(uid_min <= uid_max){
 -			if(user_id < uid_min || user_id >uid_max)
 -				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
 +		if (user_id > uid_max) {
 +			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
 		}
 	}else{
 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
 -- 
 1.8.3.1
--- a/groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
+++ b/groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
@ -1,32 +0,0 @@
 From a757b458ffb4fb9a40bcbb4f7869449431c67f83 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= <frigo@amadeus.com>
 Date: Mon, 1 Nov 2021 13:54:25 +0100
 Subject: [PATCH] groupdel: fix SIGSEGV when passwd does not exist
 When using groupdel with a prefix, groupdel will attempt to read a
 passwd file to look for any user in the group. When the file does not
 exist it cores with segmentation fault.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1986111
 Conflict: context adaptation
 ---
 libmisc/prefix_flag.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
 index cca553a..b6628ac 100644
 --- a/libmisc/prefix_flag.c
 +++ b/libmisc/prefix_flag.c
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
 	if(!passwd_db_file) {
 		return getpwent();
 	}
 +	if (!fp_pwent) {
 +		return NULL;
 +	}
 	return fgetpwent(fp_pwent);
 }
 extern void prefix_endpwent()
 -- 
 1.8.3.1
--- a/libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+++ b/libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
@ -1,60 +0,0 @@
 From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
 From: Mike Gilbert <floppym@gentoo.org>
 Date: Sat, 14 Aug 2021 13:24:34 -0400
 Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
 If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
 use SHA_ROUNDS_DEFAULT.
 Previously, the code fell through, calling shadow_random(-1, -1). This
 ultimately set rounds = (unsigned long) -1, which ends up being a very
 large number! This then got capped to SHA_ROUNDS_MAX later in the
 function.
 The new behavior matches BCRYPT_get_salt_rounds().
 Bug: https://bugs.gentoo.org/808195
 Fixes: https://github.com/shadow-maint/shadow/issues/393
 ---
 libmisc/salt.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
 diff --git a/libmisc/salt.c b/libmisc/salt.c
 index 91d528f..30eefb9 100644
 --- a/libmisc/salt.c
 +++ b/libmisc/salt.c
@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
 			rounds = SHA_ROUNDS_DEFAULT;
 		}
 +		else {
 +			if (-1 == min_rounds) {
 +				min_rounds = max_rounds;
 +			}
 -		if (-1 == min_rounds) {
 -			min_rounds = max_rounds;
 -		}
 +			if (-1 == max_rounds) {
 +				max_rounds = min_rounds;
 +			}
 -		if (-1 == max_rounds) {
 -			max_rounds = min_rounds;
 -		}
 +			if (min_rounds > max_rounds) {
 +				max_rounds = min_rounds;
 +			}
 -		if (min_rounds > max_rounds) {
 -			max_rounds = min_rounds;
 +			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 		}
 -
 -		rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 	} else if (0 == *prefered_rounds) {
 		rounds = SHA_ROUNDS_DEFAULT;
 	} else {
 -- 
 1.8.3.1
--- a/libsubid-link-to-PAM-libraries.patch
+++ b/libsubid-link-to-PAM-libraries.patch
@ -1,28 +0,0 @@
 From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001
 From: Xi Ruoyao <xry111@mengyan1223.wang>
 Date: Fri, 23 Jul 2021 14:38:08 +0800
 Subject: [PATCH] libsubid: link to PAM libraries
 libsubid.so links to libmisc.a, which contains several routines referring to
 PAM functions.
 ---
 libsubid/Makefile.am | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
 index 189165b..8305156 100644
 --- a/libsubid/Makefile.am
 +++ b/libsubid/Makefile.am
@@ -16,7 +16,8 @@ MISCLIBS = \
 	$(LIBCRYPT) \
 	$(LIBACL) \
 	$(LIBATTR) \
 -	$(LIBTCB)
 +	$(LIBTCB) \
 +	$(LIBPAM)
 libsubid_la_LIBADD = \
 	$(top_srcdir)/lib/libshadow.la \
 -- 
 1.8.3.1
--- a/newgrp-fix-segmentation-fault.patch
+++ b/newgrp-fix-segmentation-fault.patch
@ -1,35 +0,0 @@
 From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Wed, 10 Nov 2021 12:02:04 +0100
 Subject: [PATCH] newgrp: fix segmentation fault
 Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
 that is immediately freed.
 The error was committed in
 https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 src/newgrp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/newgrp.c b/src/newgrp.c
 index 730f47e..566f1c8 100644
 --- a/src/newgrp.c
 +++ b/src/newgrp.c
@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
 	spwd = xgetspnam (pwd->pw_name);
 	if (NULL != spwd) {
 		pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
 +		spw_free (spwd);
 	}
 -	spw_free (spwd);
 	if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
 		needspasswd = true;
 -- 
 1.8.3.1
--- a/pwck-fix-segfault-when-calling-fprintf.patch
+++ b/pwck-fix-segfault-when-calling-fprintf.patch
@ -1,30 +0,0 @@
 From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Mon, 15 Nov 2021 12:40:15 +0100
 Subject: [PATCH] pwck: fix segfault when calling fprintf()
 As shadow_logfd variable is not set at the beginning of the program if
 something fails and fprintf() is called a segmentation fault happens.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 src/pwck.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/pwck.c b/src/pwck.c
 index 4248944..4ce86af 100644
 --- a/src/pwck.c
 +++ b/src/pwck.c
@@ -857,6 +857,7 @@ int main (int argc, char **argv)
 	 * Get my name so that I can use it to report errors.
 	 */
 	Prog = Basename (argv[0]);
 +	shadow_logfd = stderr;
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 -- 
 1.8.3.1
--- a/semanage-close-the-selabel-handle.patch
+++ b/semanage-close-the-selabel-handle.patch
@ -1,61 +0,0 @@
 From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Fri, 8 Oct 2021 13:13:13 +0200
 Subject: [PATCH] semanage: close the selabel handle
 Close the selabel handle to update the file_context. This means that the
 file_context will be remmaped and used by selabel_lookup() to return
 the appropriate context to label the home folder.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 lib/prototypes.h | 1 +
 lib/selinux.c    | 5 +++++
 lib/semanage.c   | 1 +
 3 files changed, 7 insertions(+)
 diff --git a/lib/prototypes.h b/lib/prototypes.h
 index 1d1586d..b697e0e 100644
 --- a/lib/prototypes.h
 +++ b/lib/prototypes.h
@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 /* selinux.c */
 #ifdef WITH_SELINUX
 extern int set_selinux_file_context (const char *dst_name, mode_t mode);
 +extern void reset_selinux_handle (void);
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif
 diff --git a/lib/selinux.c b/lib/selinux.c
 index c83545f..b075d4c 100644
 --- a/lib/selinux.c
 +++ b/lib/selinux.c
@@ -50,6 +50,11 @@ static void cleanup(void)
 	}
 }
 +void reset_selinux_handle (void)
 +{
 +    cleanup();
 +}
 +
 /*
  * set_selinux_file_context - Set the security context before any file or
  *                            directory creation.
 diff --git a/lib/semanage.c b/lib/semanage.c
 index 0d30456..a5bf921 100644
 --- a/lib/semanage.c
 +++ b/lib/semanage.c
@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 	}
 	ret = 0;
 +	reset_selinux_handle();
 done:
 	semanage_seuser_key_free (key);
 -- 
 1.8.3.1
--- a/shadow-4.13.tar.xz
+++ b/shadow-4.13.tar.xz
--- a/shadow-4.8-goodname.patch
+++ b/shadow-4.8-goodname.patch
@ -1,100 +0,0 @@
 diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
 --- shadow-4.8/libmisc/chkname.c.goodname	2020-01-13 09:44:41.968507996 +0100
 +++ shadow-4.8/libmisc/chkname.c	2020-01-13 09:46:27.863727732 +0100
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
 	}
 	/*
 -	 * User/group names must match [a-z_][a-z0-9_-]*[$]
 -	 */
 +         * User/group names must match gnu e-regex:
 +         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
 +         *
 +         * as a non-POSIX, extension, allow "$" as the last char for
 +         * sake of Samba 3.x "add machine script"
 +         *
 +         * Also do not allow fully numeric names or just "." or "..".
 +         */
 +	int numeric;
 -	if (('\0' == *name) ||
 -	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
 +	if ('\0' == *name ||
 +	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
 +			      '\0' == name[1])) ||
 +	    !((*name >= 'a' && *name <= 'z') ||
 +	      (*name >= 'A' && *name <= 'Z') ||
 +	      (*name >= '0' && *name <= '9') ||
 +	      *name == '_' ||
 +	      *name == '.')) {
 		return false;
 	}
 +	numeric = isdigit(*name);
 +
 	while ('\0' != *++name) {
 -		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
 -		      ( ('0' <= *name) && ('9' >= *name) ) ||
 -		      ('_' == *name) ||
 -		      ('-' == *name) ||
 -		      ( ('$' == *name) && ('\0' == *(name + 1)) )
 +		if (!((*name >= 'a' && *name <= 'z') ||
 +		      (*name >= 'A' && *name <= 'Z') ||
 +		      (*name >= '0' && *name <= '9') ||
 +		      *name == '_' ||
 +		      *name == '.' ||
 +		      *name == '-' ||
 +		      (*name == '$' && name[1] == '\0')
 		     )) {
 			return false;
 		}
 +		numeric &= isdigit(*name);
 	}
 -	return true;
 +	return !numeric;
 }
 bool is_valid_user_name (const char *name)
 diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
 --- shadow-4.8/man/groupadd.8.xml.goodname	2019-07-23 17:26:08.000000000 +0200
 +++ shadow-4.8/man/groupadd.8.xml	2020-01-13 09:44:41.968507996 +0100
@@ -273,10 +273,12 @@
    <refsect1 id='caveats'>
      <title>CAVEATS</title>
      <para>
 -       Groupnames must start with a lower case letter or an underscore,
 -       followed by lower case letters, digits, underscores, or dashes.
 -       They can end with a dollar sign.
 -       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
 +       Groupnames may contain only lower and upper case letters, digits,
 +       underscores, or dashes. They can end with a dollar sign.
 +
 +       Dashes are not allowed at the beginning of the groupname.
 +       Fully numeric groupnames and groupnames . or .. are
 +       also disallowed.
      </para>
      <para>
        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
 diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
 --- shadow-4.8/man/useradd.8.xml.goodname	2019-10-05 03:23:58.000000000 +0200
 +++ shadow-4.8/man/useradd.8.xml	2020-01-13 09:44:41.968507996 +0100
@@ -661,10 +661,14 @@
     </para>
     <para>
 -      Usernames must start with a lower case letter or an underscore,
 -      followed by lower case letters, digits, underscores, or dashes.
 -      They can end with a dollar sign.
 -      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
 +      Usernames may contain only lower and upper case letters, digits,
 +      underscores, or dashes. They can end with a dollar sign.
 +
 +      Dashes are not allowed at the beginning of the username.
 +      Fully numeric usernames and usernames . or .. are
 +      also disallowed. It is not recommended to use usernames beginning
 +      with . character as their home directories will be hidden in
 +      the <command>ls</command> output.
     </para>
     <para>
       Usernames may only be up to 32 characters long.
--- a/shadow-4.8-long-entry.patch
+++ b/shadow-4.8-long-entry.patch
@ -1,86 +0,0 @@
 diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
 --- shadow-4.8/lib/defines.h.long-entry	2020-01-13 10:29:45.288957339 +0100
 +++ shadow-4.8/lib/defines.h	2020-01-13 10:30:47.482902954 +0100
@@ -388,6 +388,9 @@ extern char *strerror ();
 # endif
 #endif
 +/* Maximum length of passwd entry */
 +#define PASSWD_ENTRY_MAX_LENGTH 32768
 +
 #ifdef HAVE_SECURE_GETENV
 #  define shadow_getenv(name) secure_getenv(name)
 # else
 diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
 --- shadow-4.8/lib/pwio.c.long-entry	2019-07-23 17:26:08.000000000 +0200
 +++ shadow-4.8/lib/pwio.c	2020-01-13 10:29:45.288957339 +0100
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
 	    || (pw->pw_gid == (gid_t)-1)
 	    || (valid_field (pw->pw_gecos, ":\n") == -1)
 	    || (valid_field (pw->pw_dir, ":\n") == -1)
 -	    || (valid_field (pw->pw_shell, ":\n") == -1)) {
 +	    || (valid_field (pw->pw_shell, ":\n") == -1)
 +	    || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
 +	        strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
 +	        strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}
 diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
 --- shadow-4.8/lib/sgetpwent.c.long-entry	2019-10-05 03:23:58.000000000 +0200
 +++ shadow-4.8/lib/sgetpwent.c	2020-01-13 10:29:45.288957339 +0100
@@ -57,7 +57,7 @@
 struct passwd *sgetpwent (const char *buf)
 {
 	static struct passwd pwent;
 -	static char pwdbuf[1024];
 +	static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
 	register int i;
 	register char *cp;
 	char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
 	 * the password structure remain valid.
 	 */
 -	if (strlen (buf) >= sizeof pwdbuf)
 +	if (strlen (buf) >= sizeof pwdbuf) {
 +		fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
 		return 0;	/* fail if too long */
 +	}
 	strcpy (pwdbuf, buf);
 	/*
 diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
 --- shadow-4.8/lib/sgetspent.c.long-entry	2019-07-23 17:26:08.000000000 +0200
 +++ shadow-4.8/lib/sgetspent.c	2020-01-13 10:29:45.289957322 +0100
@@ -48,7 +48,7 @@
  */
 struct spwd *sgetspent (const char *string)
 {
 -	static char spwbuf[1024];
 +	static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
 	static struct spwd spwd;
 	char *fields[FIELDS];
 	char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
 	 */
 	if (strlen (string) >= sizeof spwbuf) {
 +		fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
 		return 0;	/* fail if too long */
 	}
 	strcpy (spwbuf, string);
 diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
 --- shadow-4.8/lib/shadowio.c.long-entry	2019-07-23 17:26:08.000000000 +0200
 +++ shadow-4.8/lib/shadowio.c	2020-01-13 10:29:45.289957322 +0100
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
 	if (   (NULL == sp)
 	    || (valid_field (sp->sp_namp, ":\n") == -1)
 -	    || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
 +	    || (valid_field (sp->sp_pwdp, ":\n") == -1)
 +	    || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
 +	        1000 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}
--- a/shadow-4.9-null-tm.patch
+++ b/shadow-4.9-null-tm.patch
@ -1,70 +0,0 @@
 Index: shadow-4.5/src/chage.c
 ===================================================================
 --- shadow-4.5.orig/src/chage.c
 +++ shadow-4.5/src/chage.c
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
 	struct tm *tp;
 	tp = gmtime (&date);
 +	if (tp == NULL) {
 +		(void) snprintf (buf, maxsize, "(unknown)");
 +		return;
 +	}
 #ifdef HAVE_STRFTIME
 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
 #else
 Index: shadow-4.5/src/lastlog.c
 ===================================================================
 --- shadow-4.5.orig/src/lastlog.c
 +++ shadow-4.5/src/lastlog.c
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
 	ll_time = ll.ll_time;
 	tm = localtime (&ll_time);
 +	if (tm == NULL) {
 +		cp = "(unknown)";
 +	} else {
 #ifdef HAVE_STRFTIME
 -	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
 -	cp = ptime;
 +		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
 +		cp = ptime;
 #else
 -	cp = asctime (tm);
 -	cp[24] = '\0';
 +		cp = asctime (tm);
 +		cp[24] = '\0';
 #endif
 +	}
 	if (ll.ll_time == (time_t) 0) {
 		cp = _("**Never logged in**\0");
 Index: shadow-4.5/src/passwd.c
 ===================================================================
 --- shadow-4.5.orig/src/passwd.c
 +++ shadow-4.5/src/passwd.c
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
 	struct tm *tm;
 	tm = gmtime (&t);
 +	if (tm == NULL) {
 +		return "(unknown)";
 +	}
 #ifdef HAVE_STRFTIME
 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
 #else				/* !HAVE_STRFTIME */
 Index: shadow-4.5/src/usermod.c
 ===================================================================
 --- shadow-4.5.orig/src/usermod.c
 +++ shadow-4.5/src/usermod.c
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
 	} else {
 		time_t t = (time_t) date;
 		tp = gmtime (&t);
 +		if (tp == NULL) {
 +			strncpy (buf, "unknown", maxsize);
 +			return;
 +		}
 #ifdef HAVE_STRFTIME
 		strftime (buf, maxsize, "%Y-%m-%d", tp);
 #else
--- a/shadow-4.9.tar.xz
+++ b/shadow-4.9.tar.xz
--- a/shadow-add-sm3-crypt-support.patch
+++ b/shadow-add-sm3-crypt-support.patch
@ -11,26 +11,26 @@ Subject: [PATCH] shadow add sm3 crypt support
 libmisc/obscure.c |   3 ++
 libmisc/salt.c    | 106 +++++++++++++++++++++++++++++++++++++++++++---
 src/chgpasswd.c   |  48 +++++++++++++++------
- src/chpasswd.c    |  44 +++++++++++++------
+ src/chpasswd.c    |  46 ++++++++++++++------
- src/newusers.c    |  59 +++++++++++++++++++-------
+ src/newusers.c    |  61 +++++++++++++++++++-------
 src/passwd.c      |   7 ++-
- 10 files changed, 252 insertions(+), 48 deletions(-)
+ 10 files changed, 254 insertions(+), 50 deletions(-)
 diff --git a/configure.ac b/configure.ac
-index 994836b..40348c0 100644
+index 924254a..dde1de8 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -288,6 +288,9 @@ AC_ARG_WITH(libcrack,
+@@ -274,6 +274,9 @@ AC_ARG_WITH(libcrack,
 AC_ARG_WITH(sha-crypt,
- 	[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
+ 	[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
 	[with_sha_crypt=$withval], [with_sha_crypt=yes])
 +AC_ARG_WITH(sm3-crypt,
 +	[AC_HELP_STRING([--with-sm3-crypt], [allow the SM3 password encryption algorithms @<:@default=yes@:>@])],
 +	[with_sm3_crypt=$withval], [with_sm3_crypt=yes])
 AC_ARG_WITH(bcrypt,
- 	[AC_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
+ 	[AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
 	[with_bcrypt=$withval], [with_bcrypt=no])
-@@ -321,6 +324,11 @@ if test "$with_sha_crypt" = "yes"; then
+@@ -307,6 +310,11 @@ if test "$with_sha_crypt" = "yes"; then
 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
 fi
@ -39,10 +39,10 @@ index 994836b..40348c0 100644
 +	AC_DEFINE(USE_SM3_CRYPT, 1, [Define to allow the SM3 password encryption algorithms])
 +fi
 +
 AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
 AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
-@@ -766,6 +774,7 @@ echo "	tcb support (incomplete):	$with_tcb"
+ if test "$with_bcrypt" = "yes"; then
 	AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
@@ -752,6 +760,7 @@ echo "	tcb support (incomplete):	$with_tcb"
 echo "	shadow group support:		$enable_shadowgrp"
 echo "	S/Key support:			$with_skey"
 echo "	SHA passwords encryption:	$with_sha_crypt"
@ -51,7 +51,7 @@ index 994836b..40348c0 100644
 echo "	yescrypt passwords encryption:	$with_yescrypt"
 echo "	nscd support:			$with_nscd"
 diff --git a/etc/login.defs b/etc/login.defs
-index 94a2b1b..6db08e1 100644
+index 114dbcd..fd310b7 100644
 --- a/etc/login.defs
 +++ b/etc/login.defs
@@ -353,6 +353,23 @@ CHFN_RESTRICT		rwh
@ -79,10 +79,10 @@ index 94a2b1b..6db08e1 100644
 # Only works if ENCRYPT_METHOD is set to BCRYPT.
 #
 diff --git a/lib/encrypt.c b/lib/encrypt.c
-index 66c52f2..7fae31d 100644
+index c84a255..11b301b 100644
 --- a/lib/encrypt.c
 +++ b/lib/encrypt.c
-@@ -74,6 +74,9 @@
+@@ -52,6 +52,9 @@
 			case '6':
 				method = "SHA512";
 				break;
@ -93,10 +93,10 @@ index 66c52f2..7fae31d 100644
 				method = "YESCRYPT";
 				break;
 diff --git a/lib/getdef.c b/lib/getdef.c
-index 80eb18c..00459ff 100644
+index dcd1fe7..9a8089a 100644
 --- a/lib/getdef.c
 +++ b/lib/getdef.c
-@@ -124,6 +124,10 @@ static struct itemdef def_table[] = {
+@@ -102,6 +102,10 @@ static struct itemdef def_table[] = {
 	{"SHA_CRYPT_MAX_ROUNDS", NULL},
 	{"SHA_CRYPT_MIN_ROUNDS", NULL},
 #endif
@ -108,10 +108,10 @@ index 80eb18c..00459ff 100644
 	{"BCRYPT_MAX_ROUNDS", NULL},
 	{"BCRYPT_MIN_ROUNDS", NULL},
 diff --git a/libmisc/obscure.c b/libmisc/obscure.c
-index dc69f76..3907294 100644
+index 3daaa95..644259d 100644
 --- a/libmisc/obscure.c
 +++ b/libmisc/obscure.c
-@@ -269,6 +269,9 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
+@@ -246,6 +246,9 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
 		    || (strcmp (result, "SHA256") == 0)
 		    || (strcmp (result, "SHA512") == 0)
 #endif
@ -122,10 +122,10 @@ index dc69f76..3907294 100644
 		    || (strcmp (result, "BCRYPT") == 0)
 #endif
 diff --git a/libmisc/salt.c b/libmisc/salt.c
-index 30eefb9..b108a23 100644
+index e5f633a..df4b328 100644
 --- a/libmisc/salt.c
 +++ b/libmisc/salt.c
-@@ -55,6 +55,17 @@
+@@ -63,6 +63,17 @@
 #define SHA_ROUNDS_MAX 999999999
 #endif
@ -143,7 +143,7 @@ index 30eefb9..b108a23 100644
 #ifdef USE_YESCRYPT
 /*
  * Default number of base64 characters used for the salt.
-@@ -87,13 +98,17 @@ static long read_random_bytes (void);
+@@ -95,13 +106,17 @@ static long read_random_bytes (void);
 #if !USE_XCRYPT_GENSALT
 static /*@observer@*/const char *gensalt (size_t salt_size);
 #endif /* !USE_XCRYPT_GENSALT */
@ -153,7 +153,7 @@ index 30eefb9..b108a23 100644
 -#endif /* USE_SHA_CRYPT || USE_BCRYPT */
 +#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/
 #ifdef USE_SHA_CRYPT
- static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds);
+ static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds);
 static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds);
 #endif /* USE_SHA_CRYPT */
 +#ifdef USE_SM3_CRYPT
@ -161,9 +161,9 @@ index 30eefb9..b108a23 100644
 +static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds);
 +#endif
 #ifdef USE_BCRYPT
- static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds);
+ static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds);
 static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds);
-@@ -186,7 +201,7 @@ end:
+@@ -195,7 +210,7 @@ end:
 	return randval;
 }
@ -172,7 +172,7 @@ index 30eefb9..b108a23 100644
 /*
  * Return a random number between min and max (both included).
  *
-@@ -208,7 +223,7 @@ static long shadow_random (long min, long max)
+@@ -217,7 +232,7 @@ static long shadow_random (long min, long max)
 	}
 	return ret;
 }
@ -181,7 +181,7 @@ index 30eefb9..b108a23 100644
 #ifdef USE_SHA_CRYPT
 /* Return the the rounds number for the SHA crypt methods. */
-@@ -284,6 +299,80 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round
+@@ -293,6 +308,80 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round
 }
 #endif /* USE_SHA_CRYPT */
@ -261,8 +261,8 @@ index 30eefb9..b108a23 100644
 +
 #ifdef USE_BCRYPT
 /* Return the the rounds number for the BCRYPT method. */
- static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds)
+ static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds)
-@@ -453,7 +542,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+@@ -463,7 +552,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
  * which can both be set inside the login.defs file.
  *
  * If meth is specified, an additional parameter can be provided.
@ -271,7 +271,7 @@ index 30eefb9..b108a23 100644
  *    (if not NULL).
  *  * For the YESCRYPT method, this specifies the cost factor (if not NULL).
  */
-@@ -505,6 +594,13 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+@@ -515,6 +604,13 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
 		rounds = SHA_get_salt_rounds ((int *) arg);
 		SHA_salt_rounds_to_buf (result, rounds);
 #endif /* USE_SHA_CRYPT */
@ -283,14 +283,14 @@ index 30eefb9..b108a23 100644
 +		SM3_salt_rounds_to_buf (result, rounds);
 +#endif /* USE_SM3_CRYPT */
 	} else if (0 != strcmp (method, "DES")) {
- 		fprintf (shadow_logfd,
+ 		fprintf (log_get_logfd(),
 			 _("Invalid ENCRYPT_METHOD value: '%s'.\n"
 diff --git a/src/chgpasswd.c b/src/chgpasswd.c
-index 56f3e88..f019d99 100644
+index d17acb6..9b00520 100644
 --- a/src/chgpasswd.c
 +++ b/src/chgpasswd.c
-@@ -62,15 +62,18 @@ const char *Prog;
+@@ -39,15 +39,18 @@
- FILE *shadow_logfd = NULL;
+ const char *Prog;
 static bool eflg   = false;
 static bool md5flg = false;
 -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
@ -310,17 +310,17 @@ index 56f3e88..f019d99 100644
 #ifdef USE_BCRYPT
 static long bcrypt_rounds = 13;
 #endif
-@@ -141,6 +144,9 @@ static /*@noreturn@*/void usage (int status)
+@@ -119,6 +122,9 @@ static /*@noreturn@*/void usage (int status)
 #endif
 #if defined(USE_YESCRYPT)
 	                " YESCRYPT"
-+#endif
+ #endif
 +#if defined(USE_SM3_CRYPT)
 +	                " SM3"
- #endif
+ #endif
 	               );
 	(void) fputs (_("  -e, --encrypted               supplied passwords are encrypted\n"), usageout);
-@@ -149,11 +155,11 @@ static /*@noreturn@*/void usage (int status)
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
@@ -126,11 +132,11 @@ static /*@noreturn@*/void usage (int status)
 	                "                                the MD5 algorithm\n"),
 	              usageout);
 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
@ -335,7 +335,7 @@ index 56f3e88..f019d99 100644
 	(void) fputs ("\n", usageout);
 	exit (status);
-@@ -167,22 +173,22 @@ static /*@noreturn@*/void usage (int status)
+@@ -144,22 +150,22 @@ static /*@noreturn@*/void usage (int status)
 static void process_flags (int argc, char **argv)
 {
 	int c;
@ -363,7 +363,7 @@ index 56f3e88..f019d99 100644
 	                         "c:ehmR:s:",
 #else
 	                         "c:ehmR:",
-@@ -203,7 +209,7 @@ static void process_flags (int argc, char **argv)
+@@ -180,7 +186,7 @@ static void process_flags (int argc, char **argv)
 			break;
 		case 'R': /* no-op, handled in process_root_flag () */
 			break;
@ -372,7 +372,7 @@ index 56f3e88..f019d99 100644
 		case 's':
 			sflg = true;
                         bad_s = 0;
-@@ -225,6 +231,12 @@ static void process_flags (int argc, char **argv)
+@@ -202,6 +208,12 @@ static void process_flags (int argc, char **argv)
                             bad_s = 1;
                         }
 #endif				/* USE_YESCRYPT */
@ -385,7 +385,7 @@ index 56f3e88..f019d99 100644
                         if (bad_s != 0) {
 				fprintf (stderr,
 				         _("%s: invalid numeric argument '%s'\n"),
-@@ -232,7 +244,7 @@ static void process_flags (int argc, char **argv)
+@@ -209,7 +221,7 @@ static void process_flags (int argc, char **argv)
 				usage (E_USAGE);
 			}
 			break;
@ -394,7 +394,7 @@ index 56f3e88..f019d99 100644
 		default:
 			usage (E_USAGE);
-@@ -251,7 +263,7 @@ static void process_flags (int argc, char **argv)
+@@ -228,7 +240,7 @@ static void process_flags (int argc, char **argv)
  */
 static void check_flags (void)
 {
@ -403,7 +403,7 @@ index 56f3e88..f019d99 100644
 	if (sflg && !cflg) {
 		fprintf (stderr,
 		         _("%s: %s flag is only allowed with the %s flag\n"),
-@@ -282,6 +294,9 @@ static void check_flags (void)
+@@ -259,6 +271,9 @@ static void check_flags (void)
 #ifdef USE_YESCRYPT
 		    && (0 != strcmp (crypt_method, "YESCRYPT"))
 #endif				/* USE_YESCRYPT */
@ -413,7 +413,7 @@ index 56f3e88..f019d99 100644
 		    ) {
 			fprintf (stderr,
 			         _("%s: unsupported crypt method: %s\n"),
-@@ -505,7 +520,7 @@ int main (int argc, char **argv)
+@@ -483,7 +498,7 @@ int main (int argc, char **argv)
 			if (md5flg) {
 				crypt_method = "MD5";
 			}
@ -422,7 +422,7 @@ index 56f3e88..f019d99 100644
 			if (sflg) {
 #if defined(USE_SHA_CRYPT)
 				if (   (0 == strcmp (crypt_method, "SHA256"))
-@@ -523,6 +538,11 @@ int main (int argc, char **argv)
+@@ -501,6 +516,11 @@ int main (int argc, char **argv)
 					arg = &yescrypt_cost;
 				}
 #endif				/* USE_YESCRYPT */
@ -435,11 +435,11 @@ index 56f3e88..f019d99 100644
 #endif
 			salt = crypt_make_salt (crypt_method, arg);
 diff --git a/src/chpasswd.c b/src/chpasswd.c
-index 8a01227..5dfb995 100644
+index 48d5178..9003c18 100644
 --- a/src/chpasswd.c
 +++ b/src/chpasswd.c
-@@ -59,7 +59,7 @@ const char *Prog;
+@@ -38,7 +38,7 @@
- FILE *shadow_logfd = NULL;
+ const char *Prog;
 static bool eflg   = false;
 static bool md5flg = false;
 -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
@ -447,7 +447,7 @@ index 8a01227..5dfb995 100644
 static bool sflg   = false;
 #endif
-@@ -68,6 +68,9 @@ static /*@null@*//*@observer@*/const char *crypt_method = NULL;
+@@ -47,6 +47,9 @@ static /*@null@*//*@observer@*/const char *crypt_method = NULL;
 #ifdef USE_SHA_CRYPT
 static long sha_rounds = 5000;
 #endif
@ -457,7 +457,7 @@ index 8a01227..5dfb995 100644
 #ifdef USE_BCRYPT
 static long bcrypt_rounds = 13;
 #endif
-@@ -134,6 +137,9 @@ static /*@noreturn@*/void usage (int status)
+@@ -113,6 +116,9 @@ static /*@noreturn@*/void usage (int status)
 #endif
 #if defined(USE_YESCRYPT)
 	                " YESCRYPT"
@ -467,7 +467,7 @@ index 8a01227..5dfb995 100644
 #endif
 	               );
 	(void) fputs (_("  -e, --encrypted               supplied passwords are encrypted\n"), usageout);
-@@ -142,11 +148,11 @@ static /*@noreturn@*/void usage (int status)
+@@ -121,11 +127,11 @@ static /*@noreturn@*/void usage (int status)
 	                "                                the MD5 algorithm\n"),
 	              usageout);
 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
@ -482,7 +482,7 @@ index 8a01227..5dfb995 100644
 	(void) fputs ("\n", usageout);
 	exit (status);
-@@ -160,23 +166,23 @@ static /*@noreturn@*/void usage (int status)
+@@ -139,23 +145,23 @@ static /*@noreturn@*/void usage (int status)
 static void process_flags (int argc, char **argv)
 {
 	int c;
@ -511,7 +511,7 @@ index 8a01227..5dfb995 100644
 	                         "c:ehmR:s:",
 #else
 	                         "c:ehmR:",
-@@ -197,7 +203,7 @@ static void process_flags (int argc, char **argv)
+@@ -176,7 +182,7 @@ static void process_flags (int argc, char **argv)
 			break;
 		case 'R': /* no-op, handled in process_root_flag () */
 			break;
@ -520,20 +520,21 @@ index 8a01227..5dfb995 100644
 		case 's':
 			sflg = true;
                         bad_s = 0;
-@@ -219,6 +225,12 @@ static void process_flags (int argc, char **argv)
+@@ -198,14 +204,20 @@ static void process_flags (int argc, char **argv)
                             bad_s = 1;
                         }
 #endif				/* USE_YESCRYPT */
 -                        if (bad_s != 0) {
 +#if defined(USE_SM3_CRYPT)
 +                        if ((   (0 == strcmp (crypt_method, "SM3"))
 +			       && (0 == getlong(optarg, &sm3_rounds)))) {
 +                            bad_s = 1;
 +                        }
 +#endif				/* USE_SM3_CRYPT */
-                         if (bad_s != 0) {
+			if (bad_s != 0) {
 				fprintf (stderr,
 				         _("%s: invalid numeric argument '%s'\n"),
-@@ -226,7 +238,7 @@ static void process_flags (int argc, char **argv)
+ 				         Prog, optarg);
 				usage (E_USAGE);
 			}
 			break;
@ -542,7 +543,7 @@ index 8a01227..5dfb995 100644
 		default:
 			usage (E_USAGE);
-@@ -245,7 +257,7 @@ static void process_flags (int argc, char **argv)
+@@ -224,7 +236,7 @@ static void process_flags (int argc, char **argv)
  */
 static void check_flags (void)
 {
@ -551,17 +552,17 @@ index 8a01227..5dfb995 100644
 	if (sflg && !cflg) {
 		fprintf (stderr,
 		         _("%s: %s flag is only allowed with the %s flag\n"),
-@@ -270,6 +282,9 @@ static void check_flags (void)
+@@ -249,6 +261,9 @@ static void check_flags (void)
- 		    && (0 != strcmp (crypt_method, "SHA256"))
+ 		    &&(!IS_CRYPT_METHOD("SHA256"))
- 		    && (0 != strcmp (crypt_method, "SHA512"))
+ 		    &&(!IS_CRYPT_METHOD("SHA512"))
 #endif				/* USE_SHA_CRYPT */
 +#ifdef USE_SM3_CRYPT
 +		    && (0 != strcmp (crypt_method, "SM3"))
 +#endif				/* USE_SM3_CRYPT */
 #ifdef USE_BCRYPT
- 		    && (0 != strcmp (crypt_method, "BCRYPT"))
+ 		    &&(!IS_CRYPT_METHOD("BCRYPT"))
 #endif				/* USE_BCRYPT */
-@@ -556,6 +571,11 @@ int main (int argc, char **argv)
+@@ -422,6 +437,11 @@ static const char *get_salt(void)
 			arg = &yescrypt_cost;
 		}
 #endif				/* USE_YESCRYPT */
@ -572,12 +573,12 @@ index 8a01227..5dfb995 100644
 +#endif				/* USE_SM3_CRYPT */
 	}
 #endif
- 			salt = crypt_make_salt (crypt_method, arg);
+ 	return crypt_make_salt (crypt_method, arg);
 diff --git a/src/newusers.c b/src/newusers.c
-index 16bf722..dd101fb 100644
+index deeb361..149670e 100644
 --- a/src/newusers.c
 +++ b/src/newusers.c
-@@ -81,12 +81,15 @@ static bool rflg = false;	/* create a system account */
+@@ -58,12 +58,15 @@ static bool rflg = false;	/* create a system account */
 #ifndef USE_PAM
 static /*@null@*//*@observer@*/char *crypt_method = NULL;
 #define cflg (NULL != crypt_method)
@ -594,7 +595,7 @@ index 16bf722..dd101fb 100644
 #ifdef USE_BCRYPT
 static long bcrypt_rounds = 13;
 #endif				/* USE_BCRYPT */
-@@ -152,6 +155,9 @@ static void usage (int status)
+@@ -129,6 +132,9 @@ static void usage (int status)
 #endif
 #if defined(USE_YESCRYPT)
 	                " YESCRYPT"
@ -604,7 +605,7 @@ index 16bf722..dd101fb 100644
 #endif
 	               );
 #endif				/* !USE_PAM */
-@@ -159,11 +165,11 @@ static void usage (int status)
+@@ -136,11 +142,11 @@ static void usage (int status)
 	(void) fputs (_("  -r, --system                  create system accounts\n"), usageout);
 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
 #ifndef USE_PAM
@ -619,7 +620,7 @@ index 16bf722..dd101fb 100644
 #endif				/* !USE_PAM */
 	(void) fputs ("\n", usageout);
-@@ -460,6 +466,13 @@ static int update_passwd (struct passwd *pwd, const char *password)
+@@ -436,6 +442,13 @@ static int update_passwd (struct passwd *pwd, const char *password)
 			}
 		}
 #endif				/* USE_YESCRYPT */
@ -633,7 +634,7 @@ index 16bf722..dd101fb 100644
 	}
 	if ((NULL != crypt_method) && (0 == strcmp(crypt_method, "NONE"))) {
-@@ -514,6 +527,13 @@ static int add_passwd (struct passwd *pwd, const char *password)
+@@ -492,6 +505,13 @@ static int add_passwd (struct passwd *pwd, const char *password)
 			}
 		}
 #endif				/* USE_PAM */
@ -647,19 +648,19 @@ index 16bf722..dd101fb 100644
 	}
 	/*
-@@ -630,9 +650,9 @@ static int add_passwd (struct passwd *pwd, const char *password)
+@@ -609,9 +629,9 @@ static void process_flags (int argc, char **argv)
 static void process_flags (int argc, char **argv)
 {
 	int c;
 #ifndef USE_PAM
 -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
 +#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
         int bad_s;
 -#endif				/* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
 +#endif				/* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
 #endif 				/* !USE_PAM */
 	static struct option long_options[] = {
- 		{"badnames",     no_argument,       NULL, 'b'},
+ 		{"badname",      no_argument,       NULL, 'b'},
- #ifndef USE_PAM
+@@ -622,20 +642,20 @@ static void process_flags (int argc, char **argv)
@@ -642,20 +662,20 @@ static void process_flags (int argc, char **argv)
 		{"system",       no_argument,       NULL, 'r'},
 		{"root",         required_argument, NULL, 'R'},
 #ifndef USE_PAM
@ -685,7 +686,7 @@ index 16bf722..dd101fb 100644
 #else				/* USE_PAM */
 	                         "bhr",
 #endif
-@@ -678,7 +698,7 @@ static void process_flags (int argc, char **argv)
+@@ -658,7 +678,7 @@ static void process_flags (int argc, char **argv)
 		case 'R': /* no-op, handled in process_root_flag () */
 			break;
 #ifndef USE_PAM
@ -694,20 +695,21 @@ index 16bf722..dd101fb 100644
 		case 's':
 			sflg = true;
                         bad_s = 0;
-@@ -700,6 +720,12 @@ static void process_flags (int argc, char **argv)
+@@ -680,14 +700,20 @@ static void process_flags (int argc, char **argv)
                             bad_s = 1;
                         }
 #endif				/* USE_YESCRYPT */
 -                        if (bad_s != 0) {
 +#if defined(USE_SM3_CRYPT)
 +                        if ((   (0 == strcmp (crypt_method, "SM3"))
 +			       && (0 == getlong(optarg, &sm3_rounds)))) {
 +                            bad_s = 1;
 +                        }
 +#endif				/* USE_SM3_CRYPT */
-                         if (bad_s != 0) {
+			if (bad_s != 0) {
 				fprintf (stderr,
 				         _("%s: invalid numeric argument '%s'\n"),
-@@ -707,7 +733,7 @@ static void process_flags (int argc, char **argv)
+ 				         Prog, optarg);
 				usage (EXIT_FAILURE);
 			}
 			break;
@ -716,7 +718,7 @@ index 16bf722..dd101fb 100644
 #endif				/* !USE_PAM */
 		default:
 			usage (EXIT_FAILURE);
-@@ -741,14 +767,14 @@ static void process_flags (int argc, char **argv)
+@@ -721,14 +747,14 @@ static void process_flags (int argc, char **argv)
 static void check_flags (void)
 {
 #ifndef USE_PAM
@ -733,7 +735,7 @@ index 16bf722..dd101fb 100644
 	if (cflg) {
 		if (   (0 != strcmp (crypt_method, "DES"))
-@@ -758,6 +784,9 @@ static void check_flags (void)
+@@ -738,6 +764,9 @@ static void check_flags (void)
 		    && (0 != strcmp (crypt_method, "SHA256"))
 		    && (0 != strcmp (crypt_method, "SHA512"))
 #endif				/* USE_SHA_CRYPT */
@ -744,10 +746,10 @@ index 16bf722..dd101fb 100644
 		    && (0 != strcmp (crypt_method, "BCRYPT"))
 #endif				/* USE_BCRYPT */
 diff --git a/src/passwd.c b/src/passwd.c
-index 00cbef6..aa4eb5e 100644
+index 8c6f81a..00711da 100644
 --- a/src/passwd.c
 +++ b/src/passwd.c
-@@ -107,7 +107,7 @@ static bool spw_locked = false;
+@@ -84,7 +84,7 @@ static bool spw_locked = false;
 #ifndef USE_PAM
 /*
  * Size of the biggest passwd:
@ -756,7 +758,7 @@ index 00cbef6..aa4eb5e 100644
  *   rounds=	7
  *   999999999	9
  *   $		1
-@@ -116,7 +116,7 @@ static bool spw_locked = false;
+@@ -93,7 +93,7 @@ static bool spw_locked = false;
  *   SHA512	123
  *   nul	1
  *
@ -765,7 +767,7 @@ index 00cbef6..aa4eb5e 100644
  */
 static char crypt_passwd[256];
 static bool do_update_pwd = false;
-@@ -287,6 +287,9 @@ static int new_password (const struct passwd *pw)
+@@ -263,6 +263,9 @@ static int new_password (const struct passwd *pw)
 #ifdef USE_YESCRYPT
 		    || (strcmp (method, "YESCRYPT") == 0)
 #endif /* USE_YESCRYPT*/
--- a/shadow.spec
+++ b/shadow.spec
@ -1,11 +1,11 @@
 Name: shadow
-Version: 4.9
+Version: 4.13
-Release: 8
+Release: 1
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
 URL: http://pkg-shadow.alioth.debian.org/
-Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
+Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
@ -16,39 +16,9 @@ Source7: newusers
 %global includesubiddir %{_includedir}/shadow
 # fix unknown item 'LASTLOG_MAX_UID'
-Patch0:  shadow-4.8-goodname.patch
+Patch0: usermod-unlock.patch
-Patch1:  shadow-4.9-null-tm.patch
+Patch1: backport-useradd-check-if-subid-range-exists-for-user.patch
-Patch2:  shadow-4.8-long-entry.patch
+Patch2: shadow-add-sm3-crypt-support.patch
 Patch3:  usermod-unlock.patch
 Patch4:  useradd-create-directories-after-the-SELinux-user.patch
 Patch5:  Makefile-include-libeconf-dependency-in-new-idmap.patch 
 Patch6:  usermod-allow-all-group-types-with-G-option.patch
 Patch7:  useradd-avoid-generating-an-empty-subid-range.patch
 Patch8: libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
 Patch9: semanage-close-the-selabel-handle.patch
 Patch10: Revert-useradd.c-fix-memleaks-of-grp.patch
 Patch11: useradd-change-SELinux-labels-for-home-files.patch
 Patch12: libsubid-link-to-PAM-libraries.patch
 Patch13: Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
 Patch14: Respect-enable-static-no-in-libsubid.patch
 Patch15: Fixes-the-linking-issues-when-libsubid-is-static-and.patch
 Patch16: pwck-fix-segfault-when-calling-fprintf.patch
 Patch17: newgrp-fix-segmentation-fault.patch
 Patch18: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
 Patch19: backport-useradd-modify-check-ID-range-for-system-users.patch
 Patch20: shadow-add-sm3-crypt-support.patch
 Patch21: backport-Add-header-guards.patch
 Patch22: backport-Change-to-strncat.patch
 Patch23: backport-Do-not-return-garbage-in-run_parts.patch
 Patch24: backport-Handle-ERANGE-error-correctly.patch
 Patch25: backport-Initialize-local-variables.patch
 Patch26: backport-Remove-commented-out-code-and-FIXMEs.patch
 Patch27: backport-Remove-redeclared-variable.patch
 Patch28: backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
 Patch29: backport-passwd-erase-password-copy-on-all-error-branches.patch
 Patch30: backport-chpasswd-add-get_salt-for-generating-salt-value.patch
 Patch31: backport-chpasswd-fix-function-problem-with-R-parameter.patch
 Patch32: backport-useradd-check-if-subid-range-exists-for-user.patch
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@ -61,8 +31,8 @@ Requires(pre): coreutils
 Requires(post): coreutils
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Provides: shadow-utils
+Provides: shadow-utils = %{version}-%{release}
-Obsoletes: shadow-utils
+Obsoletes: shadow-utils < %{version}-%{release}
 %description
 This package includes the necessary programs for converting plain
@ -176,7 +146,7 @@ mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
 install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
 # Remove .la files created by libsubid
-rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a}
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
@ -194,6 +164,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_sbindir}/adduser
 %attr(0755,root,root)   %{_sbindir}/user*
 %attr(0755,root,root)   %{_sbindir}/group*
 %{_bindir}/getsubids
 %{_sbindir}/grpck
 %{_sbindir}/pwck
 %{_sbindir}/*conv
@ -215,7 +186,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_mandir}/*/*
 %changelog
-* Thu Dec 1 2022  xiongshenglan<xionshenglan@huawei.com> - 2:4.9-8
+* Wed Feb 8 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-1
 - update version to 4.13
 * Thu Dec 1 2022  xiongshenglan<xiongshenglan@huawei.com> - 2:4.9-8
 - backport useradd check if subid range exists for user
 * Tue Nov 22 2022  yunjia_w<yunjia.wang@huawei.com> - 2:4.9-7
@ -224,7 +198,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 * Mon Oct 31 2022  yunjia_w<yunjia.wang@huawei.com> - 2:4.9-6
 - add some backport to optimize some functions
-* Sat Mar 26 2022 fushanqing <fushanqing@kylinos.cn> - 2:4.9-5
+* Tue Aug 23 2022 fushanqing <fushanqing@kylinos.cn> - 2:4.9-5
 - remove patch 'shadow-4.1.5.1-var-lock.patch' and 'shadow-utils-fix-lock-file-residue.patch' 
 * Tue Aug 2 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2:4.9-4
--- a/useradd-avoid-generating-an-empty-subid-range.patch
+++ b/useradd-avoid-generating-an-empty-subid-range.patch
@ -1,107 +0,0 @@
 From 9dd720a28578eef5be8171697aae0906e4c53249 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Tue, 10 Aug 2021 09:07:03 +0200
 Subject: [PATCH] useradd: avoid generating an empty subid range
 useradd generates an empty subid range when adding a new user. This is
 caused because there are two variables, one local and the other one
 global, that have a very similar name and they are used indistinctly in
 the code. The local variable loads the SUB_*ID_COUNT configuration from
 the login.defs file, while the global variable, which holds a value of
 0, is used to generate the subid range. Causing the empty subid range
 problem.
 I've merged the two variables in the local one and removed the global
 variable. I prefer to do it this way to reduce the scope of it but I'm
 open to doing it the other way round.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1990653
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Conflict: context adaptation
 ---
 src/useradd.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
 diff --git a/src/useradd.c b/src/useradd.c
 index baeffb3..9abeea6 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
 static bool sub_uid_locked = false;
 static bool sub_gid_locked = false;
 static uid_t sub_uid_start;	/* New subordinate uid range */
 -static unsigned long sub_uid_count;
 static gid_t sub_gid_start;	/* New subordinate gid range */
 -static unsigned long sub_gid_count;
 #endif				/* ENABLE_SUBIDS */
 static bool pw_locked = false;
 static bool gr_locked = false;
@@ -234,7 +232,7 @@ static void open_shadow (void);
 static void faillog_reset (uid_t);
 static void lastlog_reset (uid_t);
 static void tallylog_reset (const char *);
 -static void usr_update (void);
 +static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
 static void create_home (void);
 static void create_mail (void);
 static void check_uid_range(int rflg, uid_t user_id);
@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
  *	usr_update() creates the password file entries for this user
  *	and will update the group entries if required.
  */
 -static void usr_update (void)
 +static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
 {
 	struct passwd pwent;
 	struct spwd spent;
@@ -2155,14 +2153,14 @@ static void usr_update (void)
 	}
 #ifdef ENABLE_SUBIDS
 	if (is_sub_uid &&
 -	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
 +	    (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
 		fprintf (stderr,
 		         _("%s: failed to prepare the new %s entry\n"),
 		         Prog, sub_uid_dbname ());
 		fail_exit (E_SUB_UID_UPDATE);
 	}
 	if (is_sub_gid &&
 -	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
 +	    (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
 		fprintf (stderr,
 		         _("%s: failed to prepare the new %s entry\n"),
 		         Prog, sub_uid_dbname ());
@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
 	}
 #ifdef ENABLE_SUBIDS
 -	if (is_sub_uid && sub_uid_count != 0) {
 -		if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
 +	if (is_sub_uid && subuid_count != 0) {
 +		if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
 			fprintf (stderr,
 			         _("%s: can't create subordinate user IDs\n"),
 			         Prog);
 			fail_exit(E_SUB_UID_UPDATE);
 		}
 	}
 -	if (is_sub_gid && sub_gid_count != 0) {
 -		if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
 +	if (is_sub_gid && subgid_count != 0) {
 +		if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
 			fprintf (stderr,
 			         _("%s: can't create subordinate group IDs\n"),
 			         Prog);
@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
 	}
 #endif				/* ENABLE_SUBIDS */
 -	usr_update ();
 +	usr_update (subuid_count, subgid_count);
 	close_files ();
 -- 
 1.8.3.1
--- a/useradd-change-SELinux-labels-for-home-files.patch
+++ b/useradd-change-SELinux-labels-for-home-files.patch
@ -1,34 +0,0 @@
 From 06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Fri, 12 Nov 2021 15:23:30 +0100
 Subject: [PATCH] useradd: change SELinux labels for home files
 Change SELinux labels for files copied from the skeleton directory to
 the home directory.
 This could cause gnome's graphical user adding to fail without copying
 the full skeleton files.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2022658
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 src/useradd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/useradd.c b/src/useradd.c
 index b463a17..f7c9795 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
 	if (mflg) {
 		create_home ();
 		if (home_added) {
 -			copy_tree (def_template, prefix_user_home, false, false,
 +			copy_tree (def_template, prefix_user_home, false, true,
 			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 		} else {
 			fprintf (stderr,
 -- 
 1.8.3.1
--- a/useradd-create-directories-after-the-SELinux-user.patch
+++ b/useradd-create-directories-after-the-SELinux-user.patch
@ -1,89 +0,0 @@
 From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Fri, 8 Oct 2021 13:09:59 +0200
 Subject: [PATCH] useradd: create directories after the SELinux user
 Create the home and mail folders after the SELinux user has been set for
 the added user. This will allow the folders to be created with the
 SELinux user label.
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Conflict: context adaptation
 ---
 src/useradd.c | 46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
 diff --git a/src/useradd.c b/src/useradd.c
 index 6269c01..b463a17 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
 	usr_update ();
 -	if (mflg) {
 -		create_home ();
 -		if (home_added) {
 -			copy_tree (def_template, prefix_user_home, false, false,
 -			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 -		} else {
 -			fprintf (stderr,
 -			         _("%s: warning: the home directory %s already exists.\n"
 -			           "%s: Not copying any file from skel directory into it.\n"),
 -			         Prog, user_home, Prog);
 -		}
 -
 -	}
 -
 -	/* Do not create mail directory for system accounts */
 -	if (!rflg) {
 -		create_mail ();
 -	}
 -
 	close_files ();
 +	nscd_flush_cache ("passwd");
 +	nscd_flush_cache ("group");
 +	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
 +
 	/*
 	 * tallylog_reset needs to be able to lookup
 	 * a valid existing user name,
@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
 	}
 #endif				/* WITH_SELINUX */
 +	if (mflg) {
 +		create_home ();
 +		if (home_added) {
 +			copy_tree (def_template, prefix_user_home, false, false,
 +			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 +		} else {
 +			fprintf (stderr,
 +			         _("%s: warning: the home directory %s already exists.\n"
 +			           "%s: Not copying any file from skel directory into it.\n"),
 +			         Prog, user_home, Prog);
 +		}
 +
 +	}
 +
 +	/* Do not create mail directory for system accounts */
 +	if (!rflg) {
 +		create_mail ();
 +	}
 +
 	if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
 			"useradd")) {
 		exit(1);
 	}
 -	nscd_flush_cache ("passwd");
 -	nscd_flush_cache ("group");
 -	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
 -
 	return E_SUCCESS;
 }
 -- 
 1.8.3.1
--- a/usermod-allow-all-group-types-with-G-option.patch
+++ b/usermod-allow-all-group-types-with-G-option.patch
@ -1,322 +0,0 @@
 From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Tue, 3 Aug 2021 08:57:20 +0200
 Subject: [PATCH] usermod: allow all group types with -G option
 The only way of removing a group from the supplementary list is to use
 -G option, and list all groups that the user is a member of except for
 the one that wants to be removed. The problem lies when there's a user
 that contains both local and remote groups, and the group to be removed
 is a local one. As we need to include the remote group with -G option
 the command will fail.
 This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
 it would be possible to remove the remote groups from the supplementary
 list.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
 Resolves: https://github.com/shadow-maint/shadow/issues/338
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 src/usermod.c | 220 ++++++++++++++++++++--------------------------------------
 1 file changed, 77 insertions(+), 143 deletions(-)
 diff --git a/src/usermod.c b/src/usermod.c
 index 03bb9b9..a0c03af 100644
 --- a/src/usermod.c
 +++ b/src/usermod.c
@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
 static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
                          long int date);
 static int get_groups (char *);
 -static struct group * get_local_group (char * grp_name);
 static /*@noreturn@*/void usage (int status);
 static void new_pwent (struct passwd *);
 static void new_spent (struct spwd *);
@@ -201,9 +200,7 @@ static void grp_update (void);
 static void process_flags (int, char **);
 static void close_files (void);
 -static void close_group_files (void);
 static void open_files (void);
 -static void open_group_files (void);
 static void usr_update (void);
 static void move_home (void);
 static void update_lastlog (void);
@@ -261,11 +258,6 @@ static int get_groups (char *list)
 	}
 	/*
 -	 * Open the group files
 -	 */
 -	open_group_files ();
 -
 -	/*
 	 * So long as there is some data to be converted, strip off each
 	 * name and look it up. A mix of numerical and string values for
 	 * group identifiers is permitted.
@@ -284,7 +276,7 @@ static int get_groups (char *list)
 		 * Names starting with digits are treated as numerical GID
 		 * values, otherwise the string is looked up as is.
 		 */
 -		grp = get_local_group (list);
 +		grp = prefix_getgr_nam_gid (list);
 		/*
 		 * There must be a match, either by GID value or by
@@ -334,8 +326,6 @@ static int get_groups (char *list)
 		gr_free ((struct group *)grp);
 	} while (NULL != list);
 -	close_group_files ();
 -
 	user_groups[ngroups] = (char *) 0;
 	/*
@@ -348,44 +338,6 @@ static int get_groups (char *list)
 	return 0;
 }
 -/*
 - * get_local_group - checks if a given group name exists locally
 - *
 - *	get_local_group() checks if a given group name exists locally.
 - *	If the name exists the group information is returned, otherwise NULL is
 - *	returned.
 - */
 -static struct group * get_local_group(char * grp_name)
 -{
 -	const struct group *grp;
 -	struct group *result_grp = NULL;
 -	long long int gid;
 -	char *endptr;
 -
 -	gid = strtoll (grp_name, &endptr, 10);
 -	if (   ('\0' != *grp_name)
 -		&& ('\0' == *endptr)
 -		&& (ERANGE != errno)
 -		&& (gid == (gid_t)gid)) {
 -		grp = gr_locate_gid ((gid_t) gid);
 -	}
 -	else {
 -		grp = gr_locate(grp_name);
 -	}
 -
 -	if (grp != NULL) {
 -		result_grp = __gr_dup (grp);
 -		if (NULL == result_grp) {
 -			fprintf (stderr,
 -					_("%s: Out of memory. Cannot find group '%s'.\n"),
 -					Prog, grp_name);
 -			fail_exit (E_GRP_UPDATE);
 -		}
 -	}
 -
 -	return result_grp;
 -}
 -
 #ifdef ENABLE_SUBIDS
 struct ulong_range
 {
@@ -1523,7 +1475,50 @@ static void close_files (void)
 	}
 	if (Gflg || lflg) {
 -		close_group_files ();
 +		if (gr_close () == 0) {
 +			fprintf (stderr,
 +			         _("%s: failure while writing changes to %s\n"),
 +			         Prog, gr_dbname ());
 +			SYSLOG ((LOG_ERR,
 +			         "failure while writing changes to %s",
 +			         gr_dbname ()));
 +			fail_exit (E_GRP_UPDATE);
 +		}
 +#ifdef SHADOWGRP
 +		if (is_shadow_grp) {
 +			if (sgr_close () == 0) {
 +				fprintf (stderr,
 +				         _("%s: failure while writing changes to %s\n"),
 +				         Prog, sgr_dbname ());
 +				SYSLOG ((LOG_ERR,
 +				         "failure while writing changes to %s",
 +				         sgr_dbname ()));
 +				fail_exit (E_GRP_UPDATE);
 +			}
 +		}
 +#endif
 +#ifdef SHADOWGRP
 +		if (is_shadow_grp) {
 +			if (sgr_unlock () == 0) {
 +				fprintf (stderr,
 +				         _("%s: failed to unlock %s\n"),
 +				         Prog, sgr_dbname ());
 +				SYSLOG ((LOG_ERR,
 +				         "failed to unlock %s",
 +				         sgr_dbname ()));
 +				/* continue */
 +			}
 +		}
 +#endif
 +		if (gr_unlock () == 0) {
 +			fprintf (stderr,
 +			         _("%s: failed to unlock %s\n"),
 +			         Prog, gr_dbname ());
 +			SYSLOG ((LOG_ERR,
 +			         "failed to unlock %s",
 +			         gr_dbname ()));
 +			/* continue */
 +		}
 	}
 	if (is_shadow_pwd) {
@@ -1593,60 +1588,6 @@ static void close_files (void)
 }
 /*
 - * close_group_files - close all of the files that were opened
 - *
 - *	close_group_files() closes all of the files that were opened related
 - *  with groups. This causes any modified entries to be written out.
 - */
 -static void close_group_files (void)
 -{
 -	if (gr_close () == 0) {
 -		fprintf (stderr,
 -					_("%s: failure while writing changes to %s\n"),
 -					Prog, gr_dbname ());
 -		SYSLOG ((LOG_ERR,
 -					"failure while writing changes to %s",
 -					gr_dbname ()));
 -		fail_exit (E_GRP_UPDATE);
 -	}
 -#ifdef SHADOWGRP
 -	if (is_shadow_grp) {
 -		if (sgr_close () == 0) {
 -			fprintf (stderr,
 -						_("%s: failure while writing changes to %s\n"),
 -						Prog, sgr_dbname ());
 -			SYSLOG ((LOG_ERR,
 -						"failure while writing changes to %s",
 -						sgr_dbname ()));
 -			fail_exit (E_GRP_UPDATE);
 -		}
 -	}
 -#endif
 -#ifdef SHADOWGRP
 -	if (is_shadow_grp) {
 -		if (sgr_unlock () == 0) {
 -			fprintf (stderr,
 -						_("%s: failed to unlock %s\n"),
 -						Prog, sgr_dbname ());
 -			SYSLOG ((LOG_ERR,
 -						"failed to unlock %s",
 -						sgr_dbname ()));
 -			/* continue */
 -		}
 -	}
 -#endif
 -	if (gr_unlock () == 0) {
 -		fprintf (stderr,
 -					_("%s: failed to unlock %s\n"),
 -					Prog, gr_dbname ());
 -		SYSLOG ((LOG_ERR,
 -					"failed to unlock %s",
 -					gr_dbname ()));
 -		/* continue */
 -	}
 -}
 -
 -/*
  * open_files - lock and open the password files
  *
  *	open_files() opens the two password files.
@@ -1681,7 +1622,38 @@ static void open_files (void)
 	}
 	if (Gflg || lflg) {
 -		open_group_files ();
 +		/*
 +		 * Lock and open the group file. This will load all of the
 +		 * group entries.
 +		 */
 +		if (gr_lock () == 0) {
 +			fprintf (stderr,
 +			         _("%s: cannot lock %s; try again later.\n"),
 +			         Prog, gr_dbname ());
 +			fail_exit (E_GRP_UPDATE);
 +		}
 +		gr_locked = true;
 +		if (gr_open (O_CREAT | O_RDWR) == 0) {
 +			fprintf (stderr,
 +			         _("%s: cannot open %s\n"),
 +			         Prog, gr_dbname ());
 +			fail_exit (E_GRP_UPDATE);
 +		}
 +#ifdef SHADOWGRP
 +		if (is_shadow_grp && (sgr_lock () == 0)) {
 +			fprintf (stderr,
 +			         _("%s: cannot lock %s; try again later.\n"),
 +			         Prog, sgr_dbname ());
 +			fail_exit (E_GRP_UPDATE);
 +		}
 +		sgr_locked = true;
 +		if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
 +			fprintf (stderr,
 +			         _("%s: cannot open %s\n"),
 +			         Prog, sgr_dbname ());
 +			fail_exit (E_GRP_UPDATE);
 +		}
 +#endif
 	}
 #ifdef ENABLE_SUBIDS
 	if (vflg || Vflg) {
@@ -1718,44 +1690,6 @@ static void open_files (void)
 }
 /*
 - * open_group_files - lock and open the group files
 - *
 - *	open_group_files() loads all of the group entries.
 - */
 -static void open_group_files (void)
 -{
 -	if (gr_lock () == 0) {
 -		fprintf (stderr,
 -					_("%s: cannot lock %s; try again later.\n"),
 -					Prog, gr_dbname ());
 -		fail_exit (E_GRP_UPDATE);
 -	}
 -	gr_locked = true;
 -	if (gr_open (O_CREAT | O_RDWR) == 0) {
 -		fprintf (stderr,
 -					_("%s: cannot open %s\n"),
 -					Prog, gr_dbname ());
 -		fail_exit (E_GRP_UPDATE);
 -	}
 -
 -#ifdef SHADOWGRP
 -	if (is_shadow_grp && (sgr_lock () == 0)) {
 -		fprintf (stderr,
 -					_("%s: cannot lock %s; try again later.\n"),
 -					Prog, sgr_dbname ());
 -		fail_exit (E_GRP_UPDATE);
 -	}
 -	sgr_locked = true;
 -	if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
 -		fprintf (stderr,
 -					_("%s: cannot open %s\n"),
 -					Prog, sgr_dbname ());
 -		fail_exit (E_GRP_UPDATE);
 -	}
 -#endif
 -}
 -
 -/*
  * usr_update - create the user entries
  *
  *	usr_update() creates the password file entries for this user and
 -- 
 1.8.3.1