Pat (and Michael Semon): good job catching the login issue with glibc 2.17.
I've patched shadow 126.96.36.199 to properly handle NULL crypt() returns under
glibc 2.17+ and submitted it to upstream here
However, I also wanted to share it with the Slackware community. So, here it is,
hot off the press. Patch applies against latest stable shadow 188.8.131.52
Pat, your patch prevents the nonexistent user log-in issue Michael found but
undesired behavior in other callers. On a FIPS-140 system I tested with either
DES or MD5 ENCRYPT_METHOD, setting a new password will not fail as it should but
returns with apparent success having set password: "!!$6$8IIcy/1EPOk/$..."
You asked about other user-land potentially affected by the new crypt() behavior.
Below is a partial list I've put together that should help you as you work towards
the next release:
- sudo (fixed in 1.8.6p8)
- apache httpd (fixed in 2.2.23)
- screen (fixed in cbaa666d4f) [I recommend updating screen to something more recent]
- ppp (fixed in 04c4348108)
There are others I've not yet checked like: yptools, popa3d, etc. I will post things
as I discover them.