summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2009-08-24 13:45:51 -0700
committerSteve Langasek <vorlon@debian.org>2019-01-08 21:25:56 -0800
commit9894df123059a56d9ca5ab0bcb06aed7e19cda05 (patch)
treee824cd0dfb91b2602491573bc3d815ac650f5d07
parent78915f5a06936cc24cf7776c8b53d08b6ea3616c (diff)
Drop patches pam_unix_thread-safe_save_old_password.patch,
pam_env_ignore_garbage.patch, dont_freeze_password_chain, pam_1.0.4_mindays, pam_mail-fix-quiet, and cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
-rw-r--r--debian/changelog12
-rw-r--r--debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch32
-rw-r--r--debian/patches-applied/dont_freeze_password_chain118
-rw-r--r--debian/patches-applied/pam_1.0.4_mindays36
-rw-r--r--debian/patches-applied/pam_env_ignore_garbage.patch46
-rw-r--r--debian/patches-applied/pam_mail-fix-quiet37
-rw-r--r--debian/patches-applied/pam_unix_thread-safe_save_old_password.patch70
-rw-r--r--debian/patches-applied/series7
8 files changed, 12 insertions, 346 deletions
diff --git a/debian/changelog b/debian/changelog
index 5543e0b1..2aa9cd0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+pam (1.1.0-1) UNRELEASED; urgency=low
+
+ * New upstream version.
+ - pam_access no longer does DNS lookups when we know we're comparing
+ with a tty name or a service name. Closes: #376209.
+ * Drop patches pam_unix_thread-safe_save_old_password.patch,
+ pam_env_ignore_garbage.patch, dont_freeze_password_chain,
+ pam_1.0.4_mindays, pam_mail-fix-quiet, and
+ cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 24 Aug 2009 01:23:18 -0700
+
pam (1.0.1-11) unstable; urgency=low
* debian/libpam-runtime.postinst: bump the --force version check to
diff --git a/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch b/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
deleted file mode 100644
index e44bc91a..00000000
--- a/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Patch for cve-2009-0887
-int rather than unsigned char is used to index an array.
-
-upstream status: fixed upstream
-
-Index: sid/libpam/pam_misc.c
-===================================================================
---- sid.orig/libpam/pam_misc.c 2009-07-24 12:22:34.000000000 -0400
-+++ sid/libpam/pam_misc.c 2009-07-24 12:22:45.000000000 -0400
-@@ -59,10 +59,11 @@
-
- /* initialize table */
- for (i=1; i<256; table[i++] = '\0');
-- for (i=0; format[i] ; table[(int)format[i++]] = 'y');
-+ for (i=0; format[i] ;
-+ table[(unsigned char)format[i++]] = 'y');
-
- /* look for first non-format char */
-- while (*from && table[(int)*from]) {
-+ while (*from && table[(unsigned char)*from]) {
- ++from;
- }
-
-@@ -92,7 +93,7 @@
- remains */
- } else if (*from) {
- /* simply look for next blank char */
-- for (end=from; *end && !table[(int)*end]; ++end);
-+ for (end=from; *end && !table[(unsigned char)*end]; ++end);
- } else {
- return (*next = NULL); /* no tokens left */
- }
diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain
deleted file mode 100644
index 2f1cf43e..00000000
--- a/debian/patches-applied/dont_freeze_password_chain
+++ /dev/null
@@ -1,118 +0,0 @@
-Don't freeze the chain for chauthtok.
-
-bugzilla.novell.com#470337, LP: #303515.
-
-Author: Thorsten Kukuk <kukuk@thkukuk.de>
-
-Upstream status: cherry-picked from upstream.
-
-=== modified file 'doc/man/pam_sm_chauthtok.3.xml'
-Index: doc/man/pam_sm_chauthtok.3.xml
-===================================================================
---- doc/man/pam_sm_chauthtok.3.xml.orig 2009-04-17 12:44:11.000000000 -0700
-+++ doc/man/pam_sm_chauthtok.3.xml 2009-04-17 12:47:40.000000000 -0700
-@@ -40,7 +40,7 @@
- </citerefentry> interface.
- </para>
- <para>
-- This function is used to (re-)set the authentication token of the user.
-+ This function is used to (re-)set the authentication token of the user.
- </para>
- <para>
- Valid flags, which may be logically OR'd with
-@@ -60,10 +60,10 @@
- <listitem>
- <para>
- This argument indicates to the module that the users
-- authentication token (password) should only be changed if
-- it has expired. This flag is optional and
-- <emphasis>must</emphasis> be combined with one of the
-- following two flags. Note, however, the following two options
-+ authentication token (password) should only be changed if
-+ it has expired. This flag is optional and
-+ <emphasis>must</emphasis> be combined with one of the
-+ following two flags. Note, however, the following two options
- are <emphasis>mutually exclusive</emphasis>.
- </para>
- </listitem>
-@@ -72,15 +72,20 @@
- <term>PAM_PRELIM_CHECK</term>
- <listitem>
- <para>
-- This indicates that the modules are being probed as to
-- their ready status for altering the user's authentication
-- token. If the module requires access to another system over
-- some network it should attempt to verify it can connect to
-- this system on receiving this flag. If a module cannot establish
-- it is ready to update the user's authentication token it should
-+ This indicates that the modules are being probed as to
-+ their ready status for altering the user's authentication
-+ token. If the module requires access to another system over
-+ some network it should attempt to verify it can connect to
-+ this system on receiving this flag. If a module cannot establish
-+ it is ready to update the user's authentication token it should
- return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
- information will be passed back to the application.
- </para>
-+ <para>
-+ If the control value <emphasis>sufficient</emphasis> is used in
-+ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
-+ of the modules following that control value is not always executed.
-+ </para>
- </listitem>
- </varlistentry>
- <varlistentry>
-@@ -89,18 +94,18 @@
- <para>
- This informs the module that this is the call it should change
- the authorization tokens. If the flag is logically OR'd with
-- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
-+ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
- token is only changed if it has actually expired.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>
-- The PAM library calls this function twice in succession. The first
-- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
-- if the module does not return
-+ The PAM library calls this function twice in succession. The first
-+ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
-+ if the module does not return
- <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
-- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
-+ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
- the second call that the authorization token is (possibly) changed.
- </para>
- </refsect1>
-Index: libpam/pam_dispatch.c
-===================================================================
---- libpam/pam_dispatch.c.orig 2009-04-17 12:47:17.000000000 -0700
-+++ libpam/pam_dispatch.c 2009-04-17 12:47:40.000000000 -0700
-@@ -128,11 +128,10 @@
- }
-
- /*
-- * use_cached_chain is how we ensure that the setcred/close_session
-- * and chauthtok(2) modules are called in the same order as they did
-- * when they were invoked as auth/open_session/chauthtok(1). This
-- * feature was added in 0.75 to make the behavior of pam_setcred
-- * sane. It was debugged by release 0.76.
-+ * use_cached_chain is how we ensure that the setcred and
-+ * close_session modules are called in the same order as they did
-+ * when they were invoked as auth/open_session. This feature was
-+ * added in 0.75 to make the behavior of pam_setcred sane.
- */
- if (use_cached_chain != _PAM_PLEASE_FREEZE) {
-
-@@ -342,9 +341,6 @@
- break;
- case PAM_CHAUTHTOK:
- h = pamh->handlers.conf.chauthtok;
-- if (flags & PAM_UPDATE_AUTHTOK) {
-- use_cached_chain = _PAM_MUST_BE_FROZEN;
-- }
- break;
- default:
- pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
diff --git a/debian/patches-applied/pam_1.0.4_mindays b/debian/patches-applied/pam_1.0.4_mindays
deleted file mode 100644
index 0f766e91..00000000
--- a/debian/patches-applied/pam_1.0.4_mindays
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: debian-pkg-pam/modules/pam_unix/pam_unix_acct.c
-===================================================================
---- debian-pkg-pam.orig/modules/pam_unix/pam_unix_acct.c 2009-04-17 11:30:15.000000000 -0700
-+++ debian-pkg-pam/modules/pam_unix/pam_unix_acct.c 2009-04-17 11:31:25.000000000 -0700
-@@ -250,6 +250,9 @@
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("Your account has expired; please contact your system administrator"));
- break;
-+ case PAM_AUTHTOK_ERR:
-+ retval = PAM_SUCCESS;
-+ /* fallthrough */
- case PAM_SUCCESS:
- if (daysleft >= 0) {
- pam_syslog(pamh, LOG_DEBUG,
-Index: debian-pkg-pam/modules/pam_unix/passverify.c
-===================================================================
---- debian-pkg-pam.orig/modules/pam_unix/passverify.c 2009-04-17 11:30:07.000000000 -0700
-+++ debian-pkg-pam/modules/pam_unix/passverify.c 2009-04-17 11:30:59.000000000 -0700
-@@ -301,8 +301,16 @@
- *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- D(("warn before expiry"));
- }
-+ if ((curdays - spent->sp_lstchg < spent->sp_min)
-+ && (spent->sp_min != -1)) {
-+ /*
-+ * The last password change was too recent. This error will be ignored
-+ * if no password change is attempted.
-+ */
-+ D(("password change too recent"));
-+ return PAM_AUTHTOK_ERR;
-+ }
- return PAM_SUCCESS;
--
- }
-
- /* passwd/salt conversion macros */
diff --git a/debian/patches-applied/pam_env_ignore_garbage.patch b/debian/patches-applied/pam_env_ignore_garbage.patch
deleted file mode 100644
index 3df76a07..00000000
--- a/debian/patches-applied/pam_env_ignore_garbage.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Patch for Debian bug #439984
-
-pam_env was not correctly skipping over non-alphanumeric variable names,
-and was not handling the PAM_BAD_ITEM error return from pam_putenv()
-when clearing an unset variable.
-
-Authors: Steve Langasek <vorlon@debian.org>
-
-Upstream status: committed to CVS
-
-Index: pam/Linux-PAM/modules/pam_env/pam_env.c
-===================================================================
---- pam.orig/Linux-PAM/modules/pam_env/pam_env.c
-+++ pam/Linux-PAM/modules/pam_env/pam_env.c
-@@ -232,9 +232,14 @@
-
- for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ )
- if (!isalnum(key[i]) && key[i] != '_') {
-- D(("key is not alpha numeric - '%s', ignoring", key));
-- continue;
-+ pam_syslog(pamh, LOG_ERR,
-+ "non-alphanumeric key '%s' in %s', ignoring",
-+ key, file);
-+ break;
- }
-+ /* non-alphanumeric key, ignore this line */
-+ if (key[i] != '=' && key[i] != '\0')
-+ continue;
-
- /* now we try to be smart about quotes around the value,
- but not too smart, we can't get all fancy with escaped
-@@ -248,6 +253,14 @@
- key[i] = '\0';
- }
-
-+ /* if this is a request to delete a variable, check that it's
-+ actually set first, so we don't get a vague error back from
-+ pam_putenv() */
-+ for (i = 0; key[i] != '=' && key[i] != '\0'; i++);
-+
-+ if (key[i] == '\0' && !pam_getenv(pamh,key))
-+ continue;
-+
- /* set the env var, if it fails, we break out of the loop */
- retval = pam_putenv(pamh, key);
- if (retval != PAM_SUCCESS) {
diff --git a/debian/patches-applied/pam_mail-fix-quiet b/debian/patches-applied/pam_mail-fix-quiet
deleted file mode 100644
index b85637ca..00000000
--- a/debian/patches-applied/pam_mail-fix-quiet
+++ /dev/null
@@ -1,37 +0,0 @@
-Make quiet option of pam_mail work. Fixes http://bugs.debian.org/439268
-
-Author: Andreas Henriksson <andreas@fatal.se>
-Upstream status: applied in upstream CVS September 2008
-
-Index: sid/modules/pam_mail/pam_mail.c
-===================================================================
---- sid.orig/modules/pam_mail/pam_mail.c 2009-07-21 04:31:54.000000000 -0400
-+++ sid/modules/pam_mail/pam_mail.c 2009-07-24 12:16:47.000000000 -0400
-@@ -303,8 +303,13 @@
- {
- int retval;
-
-- if (!(ctrl & PAM_MAIL_SILENT) ||
-- ((ctrl & PAM_QUIET_MAIL) && type == HAVE_NEW_MAIL))
-+ if ((ctrl & PAM_MAIL_SILENT) ||
-+ ((ctrl & PAM_QUIET_MAIL) && type != HAVE_NEW_MAIL))
-+ {
-+ D(("keeping quiet"));
-+ retval = PAM_SUCCESS;
-+ }
-+ else
- {
- if (ctrl & PAM_STANDARD_MAIL)
- switch (type)
-@@ -345,11 +350,6 @@
- break;
- }
- }
-- else
-- {
-- D(("keeping quiet"));
-- retval = PAM_SUCCESS;
-- }
-
- D(("returning %s", pam_strerror(pamh, retval)));
- return retval;
diff --git a/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch b/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
deleted file mode 100644
index 67957d41..00000000
--- a/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Patch to keep save_old_password() thread-safe when called by the PAM
-module, since nothing blocks other threads from calling getpwnam in
-parallel
-
-Authors: Steve Langasek <vorlon@debian.org>
-
-Upstream status: committed to CVS
-
-Index: pam.deb/modules/pam_unix/passverify.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.c
-+++ pam.deb/modules/pam_unix/passverify.c
-@@ -535,9 +535,15 @@
- }
- #endif
-
-+#ifdef HELPER_COMPILE
- int
- save_old_password(const char *forwho, const char *oldpass,
- int howmany)
-+#else
-+int
-+save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
-+ int howmany)
-+#endif
- {
- static char buf[16384];
- static char nbuf[16384];
-@@ -653,7 +659,7 @@
- fclose(opwfile);
-
- if (!found) {
-- pwd = getpwnam(forwho);
-+ pwd = pam_modutil_getpwnam(pamh, forwho);
- if (pwd == NULL) {
- err = 1;
- } else {
-Index: pam.deb/modules/pam_unix/passverify.h
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.h
-+++ pam.deb/modules/pam_unix/passverify.h
-@@ -33,9 +33,15 @@
- void
- unlock_pwdf(void);
-
-+#ifdef HELPER_COMPILE
- int
- save_old_password(const char *forwho, const char *oldpass,
- int howmany);
-+#else
-+int
-+save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
-+ int howmany);
-+#endif
-
- #ifdef HELPER_COMPILE
- void
-Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
-+++ pam.deb/modules/pam_unix/pam_unix_passwd.c
-@@ -378,7 +378,7 @@
- return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
- #endif
- /* first, save old password */
-- if (save_old_password(forwho, fromwhat, remember)) {
-+ if (save_old_password(pamh, forwho, fromwhat, remember)) {
- retval = PAM_AUTHTOK_ERR;
- goto done;
- }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index f9ba7482..e556fe11 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,4 +1,3 @@
-pam_unix_thread-safe_save_old_password.patch
pam_unix_fix_sgid_shadow_auth.patch
pam_unix_dont_trust_chkpwd_caller.patch
007_modules_pam_unix
@@ -17,13 +16,7 @@ hurd_no_setfsuid
054_pam_security_abstract_securetty_handling
055_pam_unix_nullok_secure
PAM-manpage-section
-pam_env_ignore_garbage.patch -p2
pam.d-manpage-section
pam_unix-chkpwd-wait
autoconf.patch
-dont_freeze_password_chain -p0
-pam_1.0.4_mindays
update-motd
-pam_mail-fix-quiet
-
-cve-2009-0887-libpam-pam_misc.patch