| field | value | date / link |
|---|---|---|
| author | Steve Langasek <vorlon@debian.org> | 2009-02-28 11:14:17 -0800 |
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 17:28:22 -0800 |
| commit | d534d7165ddc41b5e81400b57dbd2a3efcfba10b | (patch) |
| tree | 45e0623a5952a09437cee59e6216662d174b162f | |
| parent | 5c47dbc3a15e99aefaf53820bacd49f1bf17734d | (diff) |
| download | pam-d534d7165ddc41b5e81400b57dbd2a3efcfba10b.tar.gz, pam-d534d7165ddc41b5e81400b57dbd2a3efcfba10b.tar.bz2, pam-d534d7165ddc41b5e81400b57dbd2a3efcfba10b.zip | |
New patch dont_freeze_password_chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882.
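Added example, not code from Linux-PAM or the Debian pam package: a small model of the two-pass password stack walk the commit message describes. It applies the control-value rules of pam.conf(5) to a constructed stack and walks the PAM_UPDATE_AUTHTOK pass twice, once "frozen" (each module's action taken from the code it returned on the PAM_PRELIM_CHECK pass, so the first pass's route is replayed; that is this model's assumption about how the removed freeze behaved) and once "unfrozen" (actions taken from the module's own return code on the second pass, as after the patch), recording which flags each module actually received. The module names, the per-pass return codes and both stacks are constructed for the example; the `[success=N default=ignore]` jump form is included as the style pam-auth-update generates.

```python
"""Model of a PAM password stack walked twice, as pam_chauthtok() does.

Added example, not code from Linux-PAM or the Debian pam package.  It applies
the control-value rules of pam.conf(5) (required, requisite, sufficient, and
[value=action] with ok, done, ignore, bad, die, N=jump) and walks the
PAM_UPDATE_AUTHTOK pass either "frozen" (each action looked up from the code
the module returned on the PAM_PRELIM_CHECK pass, replaying that route; an
assumption about the removed behaviour) or "unfrozen" (from the module's own
code on this pass).  Stacks and per-pass return codes are constructed here.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Return codes and flags under Linux-PAM's names; numeric values are not modelled.
PAM_SUCCESS, PAM_AUTHTOK_ERR, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_AUTHTOK_ERR", "PAM_PERM_DENIED"
PAM_PRELIM_CHECK, PAM_UPDATE_AUTHTOK = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"

# Control values as return-code -> action tables; "default" covers the rest.
SUFFICIENT = {PAM_SUCCESS: "done", "default": "ignore"}
REQUIRED = {PAM_SUCCESS: "ok", "default": "bad"}
REQUISITE = {PAM_SUCCESS: "ok", "default": "die"}

def jump(n: int) -> Dict[str, str]:
    """[success=N default=ignore], the form pam-auth-update writes."""
    return {PAM_SUCCESS: str(n), "default": "ignore"}

class Module:
    def __init__(self, name: str, control: Dict[str, str], behaviour: Dict[str, str]):
        self.name, self.control, self.behaviour = name, control, behaviour
        self.calls: List[str] = []  # flags this module has been called with

    def call(self, flag: str) -> str:
        self.calls.append(flag)
        return self.behaviour[flag]

    def action_for(self, code: str) -> str:
        return self.control.get(code, self.control["default"])

def walk(stack: List[Module], flag: str,
         cached: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str]]:
    """One pass; returns (stack result, code returned per module).  With
    `cached` (module name -> first-pass code) actions come from the first-pass
    codes, replaying that route; otherwise from the current codes."""
    state: Optional[str] = None  # None until some module has contributed
    retvals: Dict[str, str] = {}
    i = 0
    while i < len(stack):
        m = stack[i]
        code = m.call(flag)
        retvals[m.name] = code
        # A module not reached on the first pass has no cached code (libpam
        # treated that as an internal error); fall back to the current code.
        action = m.action_for(cached.get(m.name, code) if cached is not None else code)
        i += 1
        if action == "ignore":
            continue
        # pam.conf(5): ok/done/jump override the state only while it would
        # still yield PAM_SUCCESS; bad/die keep the first failure.  Both
        # reduce to "the first non-success code wins".
        if state is None or state == PAM_SUCCESS:
            state = code
        if action in ("done", "die"):
            break
        if action.isdigit():  # jump over the next N modules
            i += int(action)
    return (state if state is not None else PAM_PERM_DENIED), retvals

def chauthtok(stack: List[Module], frozen: bool) -> str:
    """pam_chauthtok(): PRELIM pass first, UPDATE pass only if that succeeded."""
    result, cached = walk(stack, PAM_PRELIM_CHECK)
    if result != PAM_SUCCESS:
        return result
    return walk(stack, PAM_UPDATE_AUTHTOK, cached if frozen else None)[0]

def module(name, control, prelim, update):
    return Module(name, control, {PAM_PRELIM_CHECK: prelim, PAM_UPDATE_AUTHTOK: update})

def two_backends() -> List[Module]:
    """Local user whose new password pam_unix rejects on the UPDATE pass only."""
    return [module("pam_unix", SUFFICIENT, PAM_SUCCESS, PAM_AUTHTOK_ERR),
            module("pam_ldap", SUFFICIENT, PAM_SUCCESS, PAM_SUCCESS),
            module("pam_deny", REQUIRED, PAM_AUTHTOK_ERR, PAM_AUTHTOK_ERR)]

def auth_update_style() -> List[Module]:
    """The same pam_unix failure in the jump form pam-auth-update generates."""
    return [module("pam_unix", jump(1), PAM_SUCCESS, PAM_AUTHTOK_ERR),
            module("pam_deny", REQUISITE, PAM_AUTHTOK_ERR, PAM_AUTHTOK_ERR),
            module("pam_permit", REQUIRED, PAM_SUCCESS, PAM_SUCCESS)]

def run(factory: Callable[[], List[Module]], frozen: bool) -> Tuple[str, Dict[str, List[str]]]:
    """Result of pam_chauthtok() and the flags each module actually received."""
    stack = factory()
    return chauthtok(stack, frozen), {m.name: list(m.calls) for m in stack}

if __name__ == "__main__":
    for factory in (two_backends, auth_update_style):
        for frozen in (True, False):
            print(factory.__name__, "frozen" if frozen else "unfrozen", run(factory, frozen))
```

Compare the per-module `calls` lists between the two modes. In the unfrozen walks pam_ldap and pam_deny receive PAM_UPDATE_AUTHTOK without ever having been called with PAM_PRELIM_CHECK, which is the caveat the patch adds to pam_sm_chauthtok(3); in the frozen walks pam_unix's refusal on the second pass is still routed as its first-pass success was (`done`, or the jump over pam_deny), so the modules after it never run and the second pass cannot reach a different decision than the first.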
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | debian/changelog | 10 |
| -rw-r--r-- | debian/patches-applied/dont_freeze_password_chain | 117 |
| -rw-r--r-- | debian/patches-applied/series | 1 |

3 files changed, 126 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index be7407ca..d6ed50ca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,14 @@ pam (1.0.1-6) UNRELEASED; urgency=low * Updated debconf translations: - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au> - - -- Steve Langasek <vorlon@debian.org> Mon, 26 Jan 2009 21:09:16 -0800 + * New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + + -- Steve Langasek <vorlon@debian.org> Fri, 27 Feb 2009 16:20:24 -0800 pam (1.0.1-5) unstable; urgency=low diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain new file mode 100644 index 00000000..799d0a0e --- /dev/null +++ b/debian/patches-applied/dont_freeze_password_chain 
@@ -0,0 +1,117 @@ +Don't freeze the chain for chauthtok. + +bugzilla.novell.com#470337, LP: #303515. + +Author: Thorsten Kukuk <kukuk@thkukuk.de> + +Upstream status: cherry-picked from upstream. + +=== modified file 'doc/man/pam_sm_chauthtok.3.xml' +--- doc/man/pam_sm_chauthtok.3.xml 2006-06-28 14:22:40 +0000 ++++ doc/man/pam_sm_chauthtok.3.xml 2009-02-18 00:34:47 +0000 +@@ -40,7 +40,7 @@ + </citerefentry> interface. + </para> + <para> +- This function is used to (re-)set the authentication token of the user. ++ This function is used to (re-)set the authentication token of the user. + </para> + <para> + Valid flags, which may be logically OR'd with +@@ -60,10 +60,10 @@ + <listitem> + <para> + This argument indicates to the module that the users +- authentication token (password) should only be changed if +- it has expired. This flag is optional and +- <emphasis>must</emphasis> be combined with one of the +- following two flags. Note, however, the following two options ++ authentication token (password) should only be changed if ++ it has expired. This flag is optional and ++ <emphasis>must</emphasis> be combined with one of the ++ following two flags. Note, however, the following two options + are <emphasis>mutually exclusive</emphasis>. + </para> + </listitem> +@@ -72,15 +72,20 @@ + <term>PAM_PRELIM_CHECK</term> + <listitem> + <para> +- This indicates that the modules are being probed as to +- their ready status for altering the user's authentication +- token. If the module requires access to another system over +- some network it should attempt to verify it can connect to +- this system on receiving this flag. If a module cannot establish +- it is ready to update the user's authentication token it should ++ This indicates that the modules are being probed as to ++ their ready status for altering the user's authentication ++ token. 
If the module requires access to another system over ++ some network it should attempt to verify it can connect to ++ this system on receiving this flag. If a module cannot establish ++ it is ready to update the user's authentication token it should + return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this + information will be passed back to the application. + </para> ++ <para> ++ If the control value <emphasis>sufficient</emphasis> is used in ++ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section ++ of the modules following that control value is not always executed. ++ </para> + </listitem> + </varlistentry> + <varlistentry> +@@ -89,18 +94,18 @@ + <para> + This informs the module that this is the call it should change + the authorization tokens. If the flag is logically OR'd with +- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the ++ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the + token is only changed if it has actually expired. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> +- The PAM library calls this function twice in succession. The first +- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then, +- if the module does not return ++ The PAM library calls this function twice in succession. The first ++ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then, ++ if the module does not return + <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with +- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on ++ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on + the second call that the authorization token is (possibly) changed. 
+ </para> + </refsect1> + +=== modified file 'libpam/pam_dispatch.c' +--- libpam/pam_dispatch.c 2008-12-03 22:16:33 +0000 ++++ libpam/pam_dispatch.c 2009-02-18 00:34:47 +0000 +@@ -132,11 +132,10 @@ + } + + /* +- * use_cached_chain is how we ensure that the setcred/close_session +- * and chauthtok(2) modules are called in the same order as they did +- * when they were invoked as auth/open_session/chauthtok(1). This +- * feature was added in 0.75 to make the behavior of pam_setcred +- * sane. It was debugged by release 0.76. ++ * use_cached_chain is how we ensure that the setcred and ++ * close_session modules are called in the same order as they did ++ * when they were invoked as auth/open_session. This feature was ++ * added in 0.75 to make the behavior of pam_setcred sane. + */ + if (use_cached_chain != _PAM_PLEASE_FREEZE) { + +@@ -358,9 +357,6 @@ + break; + case PAM_CHAUTHTOK: + h = pamh->handlers.conf.chauthtok; +- if (flags & PAM_UPDATE_AUTHTOK) { +- use_cached_chain = _PAM_MUST_BE_FROZEN; +- } + break; + default: + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); + diff --git a/debian/patches-applied/series b/debian/patches-applied/series index 8035591b..a1e163ed 100644 --- a/debian/patches-applied/series +++ b/debian/patches-applied/series @@ -21,3 +21,4 @@ pam_env_ignore_garbage.patch -p2 pam.d-manpage-section pam_unix-chkpwd-wait autoconf.patch +dont_freeze_password_chain -p0 |
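Review bot: the header of the new debian/patches-applied/dont_freeze_password_chain says `Upstream status: cherry-picked from upstream.` but records no upstream revision, only `bugzilla.novell.com#470337, LP: #303515.`; add the upstream commit id or the first Linux-PAM release that carries the change, so the patch can be dropped at the next upstream merge without re-diffing libpam/pam_dispatch.c by hand.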
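Review bot: the doc/man/pam_sm_chauthtok.3.xml hunks at `@@ -40,7 +40,7 @@`, `@@ -60,10 +60,10 @@` and `@@ -89,18 +94,18 @@` change only trailing whitespace (each `-` line matches its `+` line otherwise), and most of `@@ -72,15 +72,20 @@` is the same kind of churn. That buries the one substantive doc change, the added `<para>` on `sufficient`, and gives this -p0 patch extra context to fuzz or reject on when the surrounding text moves; keep the whitespace cleanup in a separate patch or leave it out of the Debian copy.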
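Review bot: the new `<para>` in `@@ -72,15 +72,20 @@` states the symptom (`the PAM_PRELIM_CHECK section of the modules following that control value is not always executed`) but not the rule a module author has to code against, and the unchanged sentence in the following hunk, `The PAM library calls this function twice in succession`, still reads as a per-module guarantee. With the PAM_UPDATE_AUTHTOK pass no longer bound to the PAM_PRELIM_CHECK route, a module placed after a `sufficient` entry can be called with PAM_UPDATE_AUTHTOK without ever having been called with PAM_PRELIM_CHECK. Say that explicitly, and add that a module must not rely on data it stored during PAM_PRELIM_CHECK being present during PAM_UPDATE_AUTHTOK and should repeat any readiness check it depends on.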
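Review bot: the reworded comment in `@@ -132,11 +132,10 @@` of libpam/pam_dispatch.c now names only setcred and close_session but gives no reason why chauthtok was taken out of the cached-chain scheme; the next reader of `use_cached_chain` has nothing to stop them putting it back. Add one sentence saying that the second chauthtok pass must re-evaluate the control values itself, with a pointer to bugzilla.novell.com#470337 / LP: #303515.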
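Review bot: dropping `use_cached_chain = _PAM_MUST_BE_FROZEN;` from the `case PAM_CHAUTHTOK:` block in `@@ -358,9 +357,6 @@` is the whole functional change, yet the consumer of that value, the `if (use_cached_chain != _PAM_PLEASE_FREEZE)` branch visible in the previous hunk, is left untouched. If this case was the only place that set `_PAM_MUST_BE_FROZEN`, the enumerator and the must-be-frozen error handling in that branch are now dead and should go in the same patch, or the comment should say that only the setcred/close_session values remain reachable. Also confirm that, with the assignment gone, the chauthtok path enters that branch with `use_cached_chain == _PAM_PLEASE_FREEZE` on both passes, since nothing in this hunk sets it.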