Import Debian changes 1.1.8-3.3

pam (1.1.8-3.3) unstable; urgency=low * Non-maintainer upload. [ Steve Langasek ] * Updated Swedish translation to correct a typo, thanks to Anders Jonsson and Martin Bagge. Closes: #743875 * Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>. (closes: #756756) * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default soft nofile limit read from pid 1 to FD_SETSIZE. Thanks to Robie Basak <robie.basak@ubuntu.com> for the patch. Closes: #783105. * Acknowledge security NMU. * pam-auth-update: don't mishandle trailing whitespace in profiles. LP: #1487103. [ Laurent Bigonville ] * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343) * debian/watch: Update watch file and point it to http://www.linux-pam.org * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in namespace.init script (Closes: #624842) * debian/control: Build-depends against debhelper (>= 9) to match the defined debhelper compatibility * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality, thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594) * debian/control: Bump Standards-Version to 3.9.8 (no further changes) * debian/libpam-doc.doc-base.applications-guide: Fix spelling * debian/libpam0g-dev.examples: Do not use shell brace expansion * debian/patches-applied/pam-loginuid-in-containers: Updated with the version from Ubuntu, this should fix logins in containers (Closes: #726661) * debian/patches-applied/update-motd: Updated with the version from Ubuntu: use /run/motd.dynamic instead of /var/run/motd, nothing in the archive uses the later (Closes: #743286) * debian/patches-applied/make_documentation_reproducible.patch: Make the build reproducible, removes differences when building with different locale values (Closes: #792127)
author: Laurent Bigonville <bigon@debian.org> 2016-05-17 17:04:29 -0700
committer: Steve Langasek <vorlon@debian.org> 2019-01-08 22:12:40 -0800
commit: fa4a5c961c7705f80c2026f424ec9a012ceefa55 (patch)
tree: 09773e1fdbb5033e1d0d3a890eb056e8eecc35e4 /debian/patches-applied
parent: 145032103cf7230bc0be74157885e5cf035ac006 (diff)
parent: 3fb0d1c3c727bd5b2e01fdc3e59e8d48bc384ce3 (diff)
7 files changed, 189 insertions, 29 deletions
diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2010-4708.patch
index c0fbb1ee..cf23e318 100644
--- a/debian/patches-applied/cve-2011-4708.patch
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -1,4 +1,4 @@
-Description: fix cve-2011-4708: .pam_environment privilege issue
+Description: fix cve-2010-4708: .pam_environment privilege issue
 Index: pam.debian/modules/pam_env/pam_env.c
 ===================================================================
 --- pam.debian.orig/modules/pam_env/pam_env.c
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 00000000..26f16503
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,28 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>
+Last-Update: 2015-07-11
+
+--- pam.orig/configure
++++ pam/configure
+@@ -15162,7 +15162,7 @@ fi
+ 
+ 
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+      enable_docu=no
+ fi
+--- pam.orig/configure.in
++++ pam/configure.in
+@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou
+ 
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+      enable_docu=no
+ fi
diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 00000000..176d7845
--- /dev/null
+++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
@@ -0,0 +1,58 @@
+From: Robie Basak <robie.basak@ubuntu.com>
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 <rbasak> slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad <adconrad@ubuntu.com>
+Reviewed-by: Martin Pitt <martin.pitt@ubuntu.com>
+Last-Update: 2015-04-22
+
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -439,6 +439,14 @@ static void parse_kernel_limits(pam_hand
+         pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+     }
+     fclose(limitsfile);
++
++    /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++     * since larger values can cause problems with fd_set overflow and
++     * systemd sets itself higher. */
++    if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++        pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++      pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++    }
+ }
+ 
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
index bea1e32f..1e965b2d 100644
--- a/debian/patches-applied/pam-loginuid-in-containers
+++ b/debian/patches-applied/pam-loginuid-in-containers
@@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces
     Signed-off-by: Steve Langasek <vorlon@debian.org>
     Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
 
-Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
 ===================================================================
---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c
-+++ pam.deb/modules/pam_loginuid/pam_loginuid.c
-@@ -46,25 +46,49 @@
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c	2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c	2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
  
  /*
   * This function writes the loginuid to the /proc system. It returns
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
 +	char loginuid[24], buf[24];
 +	static const char host_uid_map[] = "         0          0 4294967295\n";
 +	char uid_map[sizeof(host_uid_map)];
++
++	/* loginuid in user namespaces currently isn't writable and in some
++	   case, not even readable, so consider any failure as ignorable (but try
++	   anyway, in case we hit a kernel which supports it). */
++	fd = open("/proc/self/uid_map", O_RDONLY);
++	if (fd >= 0) {
++		count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++		if (strncmp(uid_map, host_uid_map, count) != 0)
++			rc = PAM_IGNORE;
++		close(fd);
++	}
  
- 	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+-	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
 -	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
 +	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
  	if (fd < 0) {
 -		if (errno != ENOENT) {
 -			rc = 1;
+-			pam_syslog(pamh, LOG_ERR,
+-				   "Cannot open /proc/self/loginuid: %m");
 +		if (errno == ENOENT) {
 +			rc = PAM_IGNORE;
-+		} else if (errno == EACCES) {
-+			fd = open("/proc/self/uid_map", O_RDONLY);
-+			if (fd >= 0) {
-+				count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-+				if (strncmp(uid_map, host_uid_map, count) != 0)
-+					rc = PAM_IGNORE;
-+				close(fd);
-+			}
-+			if (rc != PAM_IGNORE)
-+				errno = EACCES;
 +		}
 +		if (rc != PAM_IGNORE) {
- 			pam_syslog(pamh, LOG_ERR,
- 				   "Cannot open /proc/self/loginuid: %m");
++			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++				   "/proc/self/loginuid");
  		}
  		return rc;
  	}
 -	if (pam_modutil_write(fd, loginuid, count) != count)
 -		rc = 1;
 +
++	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
 +	if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
 +	    memcmp(buf, loginuid, count) == 0) {
 +		rc = PAM_SUCCESS;
 +		goto done;	/* already correct */
 +	}
 +	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-+	    pam_modutil_write(fd, loginuid, count) == count)
++	    pam_modutil_write(fd, loginuid, count) == count) {
 +		rc = PAM_SUCCESS;
++	} else {
++		if (rc != PAM_IGNORE) {
++			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++				   "/proc/self/loginuid");
++		}
++	}
 + done:
  	close(fd);
  	return rc;
  }
-@@ -164,6 +188,7 @@
+@@ -165,6 +196,7 @@
  {
          const char *user = NULL;
  	struct passwd *pwd;
@@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
  #ifdef HAVE_LIBAUDIT
  	int require_auditd = 0;
  #endif
-@@ -182,9 +207,14 @@
+@@ -183,9 +215,14 @@
  		return PAM_SESSION_ERR;
  	}
  
@@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
  	}
  
  #ifdef HAVE_LIBAUDIT
-@@ -194,11 +224,12 @@
+@@ -195,11 +232,12 @@
  		argv++;
  	}
  
diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch
new file mode 100644
index 00000000..6c6f1861
--- /dev/null
+++ b/debian/patches-applied/pam_namespace_fix_bashism.patch
@@ -0,0 +1,61 @@
+From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <vorlon@debian.org>
+Date: Tue, 14 Jan 2014 19:48:51 -0800
+Subject: pam_namespace: don't use bashisms in default namespace.init script
+
+* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+namespace init script, so that scripts run with maximum privilege regardless
+of the shell implementation.
+* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+shebang line
+
+This is not a POSIX standard option, it's a bashism.  The bash manpage says
+that it's used to prevent the effective user id from being reset to the real
+user id on startup, and to ignore certain unsafe variables from the
+environment.
+
+In the case of pam_namespace, the -p is not necessary for environment
+sanitizing because the PAM module (properly) sanitizes the environment
+before execing the script.
+
+The stated reason given in CVS history for passing -p is to "preserve euid
+when called from setuid apps (su, newrole)."  This should be done more
+portably, by calling setuid() before spawning the shell.
+
+Signed-off-by: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/624842
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+---
+ modules/pam_namespace/namespace.init  | 2 +-
+ modules/pam_namespace/pam_namespace.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
+index 9ab5806..67d4aa2 100755
+--- a/modules/pam_namespace/namespace.init
++++ b/modules/pam_namespace/namespace.init
+@@ -1,4 +1,4 @@
+-#!/bin/sh -p
++#!/bin/sh
+ # It receives polydir path as $1, the instance path as $2,
+ # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+ # and user name in $4.
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e0d5e30..92883f5 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+ 						_exit(1);
+ 				}
+ #endif
++				/* Pass maximum privs when we exec() */
++				if (setuid(geteuid()) < 0) {
++					/* ignore failures, they don't matter */
++				}
++
+ 				if (execle(init_script, init_script,
+ 					polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ 					_exit(1);
+-- 
+cgit v0.12
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 2108e861..51598ca8 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -15,7 +15,7 @@ hurd_no_setfsuid
 045_pam_dispatch_jump_is_ignore
 054_pam_security_abstract_securetty_handling
 055_pam_unix_nullok_secure
-cve-2011-4708.patch
+cve-2010-4708.patch
 PAM-manpage-section 
 update-motd
 no_PATH_MAX_on_hurd
@@ -24,3 +24,6 @@ pam-loginuid-in-containers
 cve-2013-7041.patch
 cve-2014-2583.patch
 cve-2015-3238.patch
+pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
index a89655df..6c2af5bb 100644
--- a/debian/patches-applied/update-motd
+++ b/debian/patches-applied/update-motd
@@ -86,16 +86,16 @@ Index: pam.debian/modules/pam_motd/pam_motd.c
 -
 -	pam_info (pamh, "%s", mtmp);
 -	break;
-+    /* Run the update-motd dynamic motd scripts, outputting to /var/run/motd.
-+       If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic.
-+       Otherwise, the admin can force a static MOTD by breaking that symlink
-+       and publishing into an /etc/motd text file. */
++    /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++       This will be displayed only when calling pam_motd with
++       motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++       display both this file and /etc/motd. */
 +    if (do_update && (stat("/etc/update-motd.d", &st) == 0)
 +        && S_ISDIR(st.st_mode))
 +    {
 +	mode_t old_mask = umask(0022);
-+	if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new"))
-+	    rename("/var/run/motd.new", "/var/run/motd");
++	if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++	    rename("/run/motd.dynamic.new", "/run/motd.dynamic");
 +	umask(old_mask);
      }
author	Laurent Bigonville <bigon@debian.org>	2016-05-17 17:04:29 -0700
committer	Steve Langasek <vorlon@debian.org>	2019-01-08 22:12:40 -0800
commit	fa4a5c961c7705f80c2026f424ec9a012ceefa55 (patch)
tree	09773e1fdbb5033e1d0d3a890eb056e8eecc35e4 /debian/patches-applied
parent	145032103cf7230bc0be74157885e5cf035ac006 (diff)
parent	3fb0d1c3c727bd5b2e01fdc3e59e8d48bc384ce3 (diff)