!131 [sync] PR-125: 同步社区补丁

From: @zhengxiaoxiaoGitee 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-Added-control-character-check.patch

@@ -0,0 +1,45 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ 	}
+ 
+ 	if (0 == err) {
+-		/* Search if there are some non-printable characters */
++		/* Search if there are non-printable or control characters */
+ 		for (cp = field; '\0' != *cp; cp++) {
+ 			if (!isprint (*cp)) {
+ 				err = 1;
++			}
++			if (!iscntrl (*cp)) {
++				err = -1;
+ 				break;
+ 			}
+ 		}
+-- 
+2.27.0
+

backport-CVE-2013-4235.patch

@@ -0,0 +1,34 @@
+From b4472167c2f5057d56686d3349a9b55fc508efe6 Mon Sep 17 00:00:00 2001
+From: ed neville <ed@s5h.net>
+Date: Fri, 31 Dec 2021 22:40:13 +0000
+Subject: [PATCH] Adding nofollow to opens
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/b4472167c2f5057d56686d3349a9b55fc508efe6
+
+---
+ libmisc/copydir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmisc/copydir.c b/libmisc/copydir.c
+index f2130bcac..a296d925d 100644
+--- a/libmisc/copydir.c
++++ b/libmisc/copydir.c
+@@ -741,7 +741,7 @@ static int copy_file (const char *src, const char *dst,
+ 	char buf[1024];
+ 	ssize_t cnt;
+ 
+-	ifd = open (src, O_RDONLY);
++	ifd = open (src, O_RDONLY|O_NOFOLLOW);
+ 	if (ifd < 0) {
+ 		return -1;
+ 	}
+@@ -751,7 +751,7 @@ static int copy_file (const char *src, const char *dst,
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+-	ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC, statp->st_mode & 07777);
++	ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777);
+ 	if (   (ofd < 0)
+ 	    || (fchown_if_needed (ofd, statp,
+ 	                          old_uid, new_uid, old_gid, new_gid) != 0)

backport-Overhaul-valid_field.patch

@@ -0,0 +1,61 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are non-printable or control characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-			}
+-			if (!iscntrl (*cp)) {
+-				err = -1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 
+-- 
+2.27.0
+

backport-Read-whole-line-in-yes_or_no.patch

@@ -0,0 +1,67 @@
+From 0c83b981053b65c9bab4f1c2e60d004e920f8faf Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Fri, 27 Jan 2023 11:53:57 +0000
+Subject: [PATCH] Read whole line in yes_or_no
+
+Do not stop after 79 characters. Read the complete line to avoid
+arbitrary limitations.
+
+Proof of Concept:
+
+```
+cat > passwd-poc << EOF
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+EOF
+python -c "print(80*'y')" | pwck passwd-poc
+```
+
+Two lines should still be within the file because we agreed only once
+to remove a duplicated line.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Serge Hallyn <serge@hallyn.com>
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/0c83b981053b65c9bab4f1c2e60d004e920f8faf
+---
+ libmisc/yesno.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libmisc/yesno.c b/libmisc/yesno.c
+index 1a1a3714..d8847e40 100644
+--- a/libmisc/yesno.c
++++ b/libmisc/yesno.c
+@@ -28,7 +28,8 @@
+  */
+ bool yes_or_no (bool read_only)
+ {
+-	char buf[80];
++	int c;
++	bool result;
+ 
+ 	/*
+ 	 * In read-only mode all questions are answered "no".
+@@ -46,11 +47,13 @@ bool yes_or_no (bool read_only)
+ 	/*
+ 	 * Get a line and see what the first character is.
+ 	 */
++	c = fgetc(stdin);
+ 	/* TODO: use gettext */
+-	if (fgets (buf, (int) sizeof buf, stdin) == buf) {
+-		return buf[0] == 'y' || buf[0] == 'Y';
+-	}
++	result = (c == 'y' || c == 'Y');
++
++	while (c != '\n' && c != EOF)
++		c = fgetc(stdin);
+ 
+-	return false;
++	return result;
+ }
+ 
+-- 
+2.27.0
+

backport-commonio-free-removed-database-entries.patch

@@ -0,0 +1,39 @@
+From a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 1 Apr 2023 13:36:51 +0200
+Subject: [PATCH] commonio: free removed database entries
+
+Free the actual struct of the removed entry.
+
+Example userdel report:
+
+    Direct leak of 40 byte(s) in 1 object(s) allocated from:
+        #0 0x55b230efe857 in reallocarray (./src/userdel+0xda857)
+        #1 0x55b230f6041f in mallocarray ./lib/./alloc.h:97:9
+        #2 0x55b230f6041f in commonio_open ./lib/commonio.c:563:7
+        #3 0x55b230f39098 in open_files ./src/userdel.c:555:6
+        #4 0x55b230f39098 in main ./src/userdel.c:1189:2
+        #5 0x7f9b48c64189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332
+---
+ lib/commonio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 40e62298..a0449c83 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -1060,6 +1060,8 @@ int commonio_remove (struct commonio_db *db, const char *name)
+ 		db->ops->free (p->eptr);
+ 	}
+ 
++	free(p);
++
+ 	return 1;
+ }
+ 
+-- 
+2.27.0
+

backport-gpasswd-1-Fix-password-leak.patch

@@ -0,0 +1,142 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 609fe0a4..3b76ff8e 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr)
+		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
+-- 
+2.27.0
+

backport-semanage-disconnect-to-free-libsemanage-internals.patch

@@ -0,0 +1,76 @@
+From 7078ed1e0b8a197aa9e5103986bce927abef87a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 1 Apr 2023 14:11:06 +0200
+Subject: [PATCH] semanage: disconnect to free libsemanage internals
+
+Destroying the handle does not actually disconnect, see [1].
+Also free the key on user removal.
+
+[1]: https://github.com/SELinuxProject/selinux/blob/e9072e7d45f4559887d11b518099135cbe564163/libsemanage/src/direct_api.c#L330
+
+Example adduser leak:
+
+    Direct leak of 1008 byte(s) in 14 object(s) allocated from:
+        #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+        #1 0x7fb5cfffad09 in dbase_file_init src/database_file.c:170:45
+
+    Direct leak of 392 byte(s) in 7 object(s) allocated from:
+        #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+        #1 0x7fb5cfffc929 in dbase_policydb_init src/database_policydb.c:187:27
+
+    Direct leak of 144 byte(s) in 2 object(s) allocated from:
+        #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+        #1 0x7fb5cfffb519 in dbase_join_init src/database_join.c:249:28
+
+    [...]
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/7078ed1e0b8a197aa9e5103986bce927abef87a4
+---
+ lib/semanage.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 5d336b08..d412186c 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -97,6 +97,8 @@ static semanage_handle_t *semanage_init (void)
+ 	return handle;
+ 
+ fail:
++	if (handle)
++		semanage_disconnect (handle);
+ 	semanage_handle_destroy (handle);
+ 	return NULL;
+ }
+@@ -156,7 +158,7 @@ done:
+ 
+ 
+ static int semanage_user_add (semanage_handle_t *handle,
+-                             semanage_seuser_key_t *key,
++                             const semanage_seuser_key_t *key,
+                              const char *login_name,
+                              const char *seuser_name)
+ {
+@@ -279,6 +281,8 @@ int set_seuser (const char *login_name, const char *seuser_name)
+ 
+ done:
+ 	semanage_seuser_key_free (key);
++	if (handle)
++		semanage_disconnect (handle);
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+ }
+@@ -353,6 +357,9 @@ int del_seuser (const char *login_name)
+ 	matchpathcon_fini();
+
+ done:
++	semanage_seuser_key_free (key);
++	if (handle)
++		semanage_disconnect (handle);
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+ }
+-- 
+2.27.0
+

backport-src-passwd-add-overflow-check.patch

@@ -0,0 +1,32 @@
+From 2d188a9987789f019dae2d46c50578a474ab2bdd Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 20 Dec 2023 20:48:54 +0100
+Subject: [PATCH] src/passwd.c: Add overflow check
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Link: <https://github.com/shadow-maint/shadow/pull/876>
+Co-developed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+
+Reference: https://github.com/shadow-maint/shadow/commit/2d188a9987789f019dae2d46c50578a474ab2bdd
+Conflict: NA
+---
+ src/passwd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/passwd.c b/src/passwd.c
+index a24e62dfd..f494a9257 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -387,8 +387,9 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ 		long now, ok;
+ 		now = time(NULL) / DAY;
+ 		ok = sp->sp_lstchg;
+-		if (sp->sp_min > 0) {
+-			ok += sp->sp_min;
++		if (   (sp->sp_min > 0)
++		    && __builtin_add_overflow(ok, sp->sp_min, &ok)) {
++			ok = LONG_MAX;
+ 		}
+ 
+ 		if (now < ok) {

backport-src-passwd.c-Switch-to-day-precision.patch

@@ -0,0 +1,61 @@
+From 3b5ba41d3e9dfc3bf058f0f31529c08201265241 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 14 Dec 2023 11:54:00 +0100
+Subject: [PATCH] src/passwd.c: Switch to day precision
+
+The size of time_t varies across systems, but since data type long is
+more than enough to calculate with days (precision of shadow file),
+use it instead.
+
+Just in case a shadow file contains huge values, check for a possible
+signed integer overflow.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Link: <https://github.com/shadow-maint/shadow/pull/876>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+
+Reference: https://github.com/shadow-maint/shadow/commit/3b5ba41d3e9dfc3bf058f0f31529c08201265241
+Conflict: src/chpasswd.c
+---
+ src/passwd.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/passwd.c b/src/passwd.c
+index 336bbc9..d79767a 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -390,7 +390,6 @@ static int new_password (const struct passwd *pw)
+  */
+ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ {
+-	time_t now;
+ 	int exp_status;
+ 
+ 	exp_status = isexpired (pw, sp);
+@@ -410,8 +409,6 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ 		return;
+ 	}
+ 
+-	(void) time (&now);
+-
+ 	/*
+ 	 * Expired accounts cannot be changed ever. Passwords which are
+ 	 * locked may not be changed. Passwords where min > max may not be
+@@ -434,10 +431,11 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
+ 	 * Passwords may only be changed after sp_min time is up.
+ 	 */
+ 	if (sp->sp_lstchg > 0) {
+-		time_t ok;
+-		ok = (time_t) sp->sp_lstchg * SCALE;
++		long now, ok;
++		now = time(NULL) / DAY;
++		ok = sp->sp_lstchg;
+ 		if (sp->sp_min > 0) {
+-			ok += (time_t) sp->sp_min * SCALE;
++			ok += sp->sp_min;
+ 		}
+ 
+ 		if (now < ok) {
+-- 
+2.33.0
+

shadow.spec

@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.8.1
-Release: 5
+Release: 10
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -24,6 +24,15 @@ Patch7:  shadow-4.1.5.1-var-lock.patch
 Patch8:  shadow-utils-fix-lock-file-residue.patch
 Patch9:  shadow-add-sm3-crypt-support.patch
 Patch10: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
+Patch11: backport-Added-control-character-check.patch 
+Patch12: backport-Overhaul-valid_field.patch
+Patch13: backport-Read-whole-line-in-yes_or_no.patch
+Patch14: backport-commonio-free-removed-database-entries.patch
+Patch15: backport-semanage-disconnect-to-free-libsemanage-internals.patch
+Patch16: backport-gpasswd-1-Fix-password-leak.patch
+Patch17: backport-CVE-2013-4235.patch
+Patch18: backport-src-passwd.c-Switch-to-day-precision.patch
+Patch19: backport-src-passwd-add-overflow-check.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel gdb
@@ -170,6 +179,21 @@ done
 %{_mandir}/*/*
 
 %changelog
+* Sun Feb 18 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2:4.8.1-10
+- backport some patches
+
+* Sat Nov 18 2023 wangqingsan <wangqingsan@huawei.com> - 2:4.8.1-9
+- fix CVE-2013-4235
+
+* Wed Sep 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.8.1-8
+- fix CVE-2023-4641
+
+* Mon Jun 19 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.8.1-7
+- backport some patches
+
+* Thu Apr 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2:4.8.1-6
+- fix CVE-2023-29383
+
 * Fri Jan 28 2022 panxiaohe<panxh.life@foxmail.com> - 2:4.8.1-5
 - groupdel: fix SIGSEGV when passwd does not exist