authorSteve Langasek <vorlon@debian.org>2019-01-08 01:43:00 +0000
committerSteve Langasek <vorlon@debian.org>2019-01-08 22:12:52 -0800
commit8b35e983dc8b4fa7d5a27b928999950c3b6ffc3e (patch)
tree42f064dd708977f425c3f42728e73797a04dc5a9 /debian/patches-applied
parent4b9ee4f1ec73d87668ce40f0a362ecbc58159d9f (diff)
Consistently include documentation changes in patches, for clean source package
Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/007_modules_pam_unix68
-rw-r--r--debian/patches-applied/cve-2010-4708.patch40
-rw-r--r--debian/patches-applied/cve-2015-3238.patch105
3 files changed, 168 insertions, 45 deletions
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
index 5dae4064..d88bb979 100644
--- a/debian/patches-applied/007_modules_pam_unix
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -460,3 +460,71 @@ Index: pam.debian/modules/pam_unix/pam_unix.8
.RE
.PP
Invalid arguments are logged with
+diff --git a/modules/pam_unix/README b/modules/pam_unix/README
+index 26c06e23..a1289409 100644
+--- a/modules/pam_unix/README
++++ b/modules/pam_unix/README
+@@ -12,9 +12,9 @@ shadow file as well if shadow is enabled.
+ The account component performs the task of establishing the status of the
+ user's account and password based on the following shadow elements: expire,
+ last_change, max_change, min_change, warn_change. In the case of the latter, it
+-may offer advice to the user on changing their password or, through the
++may offer advice to the user on changing their password or, through the
+ PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have
+-established a new password. The entries listed above are documented in the
++established a new password. The entries listed above are documented in the
+ shadow(5) manual page. Should the user's record not contain one or more of
+ these entries, the corresponding shadow check is not performed.
+
+@@ -100,7 +100,7 @@ remember=n
+
+ The last n passwords for each user are saved in /etc/security/opasswd in
+ order to force password change history and keep the user from alternating
+- between the same password too frequently. Instead of this option the
++ between the same password too frequently. Instead of this option the
+ pam_pwhistory module should be used.
+
+ shadow
+@@ -146,8 +146,40 @@ broken_shadow
+
+ minlen=n
+
+- Set a minimum password length of n characters. The max. for DES crypt based
+- passwords are 8 characters.
++ Set a minimum password length of n characters. The default value is 6. The
++ maximum for DES crypt-based passwords is 8 characters.
++
++obscure
++
++ Enable some extra checks on password strength. These checks are based on
++ the "obscure" checks in the original shadow package. The behavior is
++ similar to the pam_cracklib module, but for non-dictionary-based checks.
++ The following checks are implemented:
++
++ Palindrome
++
++ Verifies that the new password is not a palindrome of (i.e., the
++ reverse of) the previous one.
++
++ Case Change Only
++
++ Verifies that the new password isn't the same as the old one with a
++ change of case.
++
++ Similar
++
++ Verifies that the new password isn't too much like the previous one.
++
++ Simple
++
++ Is the new password too simple? This is based on the length of the
++ password and the number of different types of characters (alpha,
++ numeric, etc.) used.
++
++ Rotated
++
++ Is the new password a rotated version of the old password? (E.g.,
++ "billy" and "illyb")
+
+ Invalid arguments are logged with syslog(3).
+
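Review bot: The README section appended to 007_modules_pam_unix uses git-style headers (`diff --git a/modules/pam_unix/README b/modules/pam_unix/README`, `index 26c06e23..a1289409 100644`, `--- a/...` / `+++ b/...`) while the rest of this patch file, as the hunk header's context line `Index: pam.debian/modules/pam_unix/pam_unix.8` shows, uses quilt-style `Index:` headers, and this same commit converts cve-2015-3238.patch to the `Index:` form, so this file ends up mixed. Both forms apply at -p1, so this is presumably only cosmetic, but for consistency the new section could be written as `Index: pam.debian/modules/pam_unix/README` with `--- pam.debian.orig/modules/pam_unix/README` / `+++ pam.debian/modules/pam_unix/README`. The hunks at `@@ -12,9 +12,9 @@` and `@@ -100,7 +100,7 @@` appear to change only trailing whitespace on otherwise identical lines; if that is what they are, a short remark in the patch description saying so would spare the next reader from hunting for the difference.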
diff --git a/debian/patches-applied/cve-2010-4708.patch b/debian/patches-applied/cve-2010-4708.patch
index cf23e318..10128284 100644
--- a/debian/patches-applied/cve-2010-4708.patch
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -1,8 +1,8 @@
Description: fix cve-2010-4708: .pam_environment privilege issue
-Index: pam.debian/modules/pam_env/pam_env.c
+Index: pam/modules/pam_env/pam_env.c
===================================================================
---- pam.debian.orig/modules/pam_env/pam_env.c
-+++ pam.debian/modules/pam_env/pam_env.c
+--- pam.orig/modules/pam_env/pam_env.c
++++ pam/modules/pam_env/pam_env.c
@@ -10,7 +10,7 @@
#define DEFAULT_READ_ENVFILE 1
@@ -12,10 +12,10 @@ Index: pam.debian/modules/pam_env/pam_env.c
#include "config.h"
-Index: pam.debian/modules/pam_env/pam_env.8.xml
+Index: pam/modules/pam_env/pam_env.8.xml
===================================================================
---- pam.debian.orig/modules/pam_env/pam_env.8.xml
-+++ pam.debian/modules/pam_env/pam_env.8.xml
+--- pam.orig/modules/pam_env/pam_env.8.xml
++++ pam/modules/pam_env/pam_env.8.xml
@@ -147,7 +147,7 @@
<listitem>
<para>
@@ -25,10 +25,10 @@ Index: pam.debian/modules/pam_env/pam_env.8.xml
</para>
</listitem>
</varlistentry>
-Index: pam.debian/modules/pam_env/pam_env.8
+Index: pam/modules/pam_env/pam_env.8
===================================================================
---- pam.debian.orig/modules/pam_env/pam_env.8
-+++ pam.debian/modules/pam_env/pam_env.8
+--- pam.orig/modules/pam_env/pam_env.8
++++ pam/modules/pam_env/pam_env.8
@@ -2,12 +2,12 @@
.\" Title: pam_env
.\" Author: [see the "AUTHOR" section]
@@ -62,3 +62,25 @@ Index: pam.debian/modules/pam_env/pam_env.8
.SH "AUTHOR"
.PP
pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&.
+Index: pam/modules/pam_env/README
+===================================================================
+--- pam.orig/modules/pam_env/README
++++ pam/modules/pam_env/README
+@@ -5,7 +5,7 @@
+ DESCRIPTION
+
+ The pam_env PAM module allows the (un)setting of environment variables.
+-Supported is the use of previously set environment variables as well as
++Supported is the use of previously set environment variables as well as
+ PAM_ITEMs such as PAM_RHOST.
+
+ By default rules for (un)setting of variables is taken from the config file /
+@@ -50,7 +50,7 @@
+ user_readenv=0|1
+
+ Turns on or off the reading of the user specific environment file. 0 is
+- off, 1 is on. By default this option is on.
++ off, 1 is on. By default this option is off.
+
+ EXAMPLES
+
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
index cb5e8c06..50dd746e 100644
--- a/debian/patches-applied/cve-2015-3238.patch
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -15,10 +15,10 @@ pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
-diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
-index 2379366..d1b00a2 100644
---- a/modules/pam_exec/pam_exec.8.xml
-+++ b/modules/pam_exec/pam_exec.8.xml
+Index: pam/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8.xml
++++ pam/modules/pam_exec/pam_exec.8.xml
@@ -106,7 +106,8 @@
During authentication the calling command can read
the password from <citerefentry>
@@ -29,11 +29,11 @@ index 2379366..d1b00a2 100644
</para>
</listitem>
</varlistentry>
-diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
-index 5ab9630..17ba6ca 100644
---- a/modules/pam_exec/pam_exec.c
-+++ b/modules/pam_exec/pam_exec.c
-@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+Index: pam/modules/pam_exec/pam_exec.c
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.c
++++ pam/modules/pam_exec/pam_exec.c
+@@ -178,11 +178,11 @@
}
pam_set_item (pamh, PAM_AUTHTOK, resp);
@@ -47,10 +47,10 @@ index 5ab9630..17ba6ca 100644
if (pipe(fds) != 0)
{
-diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index 4008402..a8b64bb 100644
---- a/modules/pam_unix/pam_unix.8.xml
-+++ b/modules/pam_unix/pam_unix.8.xml
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
@@ -80,6 +80,13 @@
</para>
@@ -65,11 +65,11 @@ index 4008402..a8b64bb 100644
The password component of this module performs the task of updating
the user's password. The default encryption hash is taken from the
<emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
-index 2d330e5..c2e5de5 100644
---- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -245,15 +245,22 @@
/* wait for child */
/* if the stored password is NULL */
int rc=0;
@@ -100,11 +100,11 @@ index 2d330e5..c2e5de5 100644
close(fds[0]); /* close here to avoid possible SIGPIPE above */
close(fds[1]);
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index b325602..e79b55e 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -1086,12 +1086,15 @@
int
read_passwords(int fd, int npass, char **passwords)
{
@@ -121,10 +121,10 @@ index b325602..e79b55e 100644
if (rbytes < 0) {
if (errno == EINTR) continue;
-diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
-index 3de6759..caf7ae8 100644
---- a/modules/pam_unix/passverify.h
-+++ b/modules/pam_unix/passverify.h
+Index: pam/modules/pam_unix/passverify.h
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.h
++++ pam/modules/pam_unix/passverify.h
@@ -8,7 +8,7 @@
#define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
@@ -134,11 +134,11 @@ index 3de6759..caf7ae8 100644
#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index fdb45c2..abccd82 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+Index: pam/modules/pam_unix/support.c
+===================================================================
+--- pam.orig/modules/pam_unix/support.c
++++ pam/modules/pam_unix/support.c
+@@ -632,7 +632,12 @@
/* if the stored password is NULL */
int rc=0;
if (passwd != NULL) { /* send the password to the child */
@@ -152,8 +152,10 @@ index fdb45c2..abccd82 100644
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
retval = PAM_AUTH_ERR;
}
---- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000
-+++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
@@ -56,6 +56,10 @@
\fBnoreap\fR
module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
@@ -165,8 +167,10 @@ index fdb45c2..abccd82 100644
The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the
\fBENCRYPT_METHOD\fR
variable from
---- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000
-+++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000
+Index: pam/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8
++++ pam/modules/pam_exec/pam_exec.8
@@ -65,7 +65,9 @@
\fBexpose_authtok\fR
.RS 4
@@ -178,3 +182,32 @@ index fdb45c2..abccd82 100644
.RE
.PP
\fBlog=\fR\fB\fIfile\fR\fR
+Index: pam/modules/pam_exec/README
+===================================================================
+--- pam.orig/modules/pam_exec/README
++++ pam/modules/pam_exec/README
+@@ -24,7 +24,8 @@
+ expose_authtok
+
+ During authentication the calling command can read the password from stdin
+- (3).
++ (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the
++ command.
+
+ log=file
+
+Index: pam/modules/pam_unix/README
+===================================================================
+--- pam.orig/modules/pam_unix/README
++++ pam/modules/pam_unix/README
+@@ -34,6 +34,10 @@
+ suppress this temporary shielding and may be needed for use with certain
+ applications.
+
++The maximum length of a password supported by the pam_unix module via the
++helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the
++password provided by the conversation function to the module will be ignored.
++
+ The password component of this module performs the task of updating the user's
+ password. The default encryption hash is taken from the ENCRYPT_METHOD variable
+ from /etc/login.defs