15 files changed, 438 insertions, 40 deletions

diff --git a/debian/changelog b/debian/changelog
index 568a61c5..73dedf05 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
-pam (1.1.8-4) UNRELEASED; urgency=medium
+pam (1.1.8-3.3) unstable; urgency=low
 
+  * Non-maintainer upload.
+  [ Steve Langasek ]
   * Updated Swedish translation to correct a typo, thanks to Anders Jonsson
     and Martin Bagge.  Closes: #743875
   * Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>.
@@ -7,8 +9,50 @@ pam (1.1.8-4) UNRELEASED; urgency=medium
   * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
     soft nofile limit read from pid 1 to FD_SETSIZE.  Thanks to Robie Basak
     <robie.basak@ubuntu.com> for the patch.  Closes: #783105.
+  * Acknowledge security NMU.
+  * pam-auth-update: don't mishandle trailing whitespace in profiles.
+    LP: #1487103.
+
+  [ Laurent Bigonville ]
+  * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343)
+  * debian/watch: Update watch file and point it to http://www.linux-pam.org
+  * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in
+    namespace.init script (Closes: #624842)
+  * debian/control: Build-depends against debhelper (>= 9) to match the
+    defined debhelper compatibility
+  * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality,
+    thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594)
+  * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
+  * debian/libpam-doc.doc-base.applications-guide: Fix spelling
+  * debian/libpam0g-dev.examples: Do not use shell brace expansion
+  * debian/patches-applied/pam-loginuid-in-containers: Updated with the version
+    from Ubuntu, this should fix logins in containers (Closes: #726661)
+  * debian/patches-applied/update-motd: Updated with the version from Ubuntu:
+    use /run/motd.dynamic instead of /var/run/motd, nothing in the archive
+    uses the later (Closes: #743286)
+  * debian/patches-applied/make_documentation_reproducible.patch: Make the
+    build reproducible, removes differences when building with different
+    locale values (Closes: #792127)
+
+ -- Laurent Bigonville <bigon@debian.org>  Wed, 18 May 2016 02:04:29 +0200
+
+pam (1.1.8-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix
+    module (Closes: #789986)
+
+ -- Tianon Gravi <tianon@debian.org>  Wed, 06 Jan 2016 15:53:31 -0800
+
+pam (1.1.8-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2013-7041: case-insensitive comparison used for verifying
+    passwords in the pam_userdb module (closes: #731368).
+  * Fix CVE-2014-2583: multiple directory traversal issues in the
+    pam_timestamp module (closes: 757555)
 
- -- Steve Langasek <vorlon@debian.org>  Wed, 09 Apr 2014 14:04:10 -0700
+ -- Michael Gilbert <mgilbert@debian.org>  Sat, 09 Aug 2014 09:50:42 +0000
 
 pam (1.1.8-3) unstable; urgency=low
 
diff --git a/debian/control b/debian/control
index d7a68308..85d0e792 100644
--- a/debian/control
+++ b/debian/control
@@ -3,13 +3,14 @@ Section: libs
 Priority: optional
 Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
 Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.1
-Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 8.9.4), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config
+Standards-Version: 3.9.8
+Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config
 Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m
 Build-Conflicts-Indep: fop
 Build-Conflicts: libdb4.2-dev, libxcrypt-dev
-Vcs-Bzr: http://bzr.debian.org/bzr/pkg-pam/debian/sid/
-Homepage: http://pam.sourceforge.net/
+Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
+Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
+Homepage: http://www.linux-pam.org/
 
 Package: libpam0g
 Priority: required
diff --git a/debian/libpam-doc.doc-base.applications-guide b/debian/libpam-doc.doc-base.applications-guide
index f38ef1e5..89768d7e 100644
--- a/debian/libpam-doc.doc-base.applications-guide
+++ b/debian/libpam-doc.doc-base.applications-guide
@@ -4,7 +4,7 @@ Author: Andrew G. Morgan <morgan@linux.kernel.org>
 Abstract: This manual documents what an application developer needs to know
  about the Linux-PAM library. It describes how an application might use
  the Linux-PAM library to authenticate users. In addition it contains a
- description of the funtions to be found in libpam_misc library, that can
+ description of the functions to be found in libpam_misc library, that can
  be used in general applications. Finally, it contains some comments on PAM
  related security issues for the application developer.
 Section: Programming
diff --git a/debian/libpam0g-dev.examples b/debian/libpam0g-dev.examples
index c1b7e77e..351b20ee 100644
--- a/debian/libpam0g-dev.examples
+++ b/debian/libpam0g-dev.examples
@@ -2,4 +2,6 @@ examples/blank.c
 examples/check_user.c
 examples/vpass.c
 examples/xsh.c
-libpamc/test/{agents,modules,regress}
+libpamc/test/agents
+libpamc/test/modules
+libpamc/test/regress
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 17d3fc66..60eb1e8f 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -671,7 +671,7 @@ sub parse_pam_profile
 	my %profile;
 	open(PROFILE, $profile) || die "could not read profile $profile: $!";
 	while (<PROFILE>) {
-		if (/^(\S+):\s+(.*)$/) {
+		if (/^(\S+):\s+(.*)\s*$/) {
 			$fieldname = $1;
 			# compatibility with the first implementation round;
 			# "Auth-Final" is now just called "Auth"
@@ -686,6 +686,7 @@ sub parse_pam_profile
 		} else {
 			chomp;
 			s/^\s+//;
+			s/\s+$//;
 			$profile{$fieldname} .= "\n$_" if ($_);
 			$profile{$fieldname} =~ s/^[\n\s]+//;
 		}
diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2010-4708.patch
index c0fbb1ee..cf23e318 100644
--- a/debian/patches-applied/cve-2011-4708.patch
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -1,4 +1,4 @@
-Description: fix cve-2011-4708: .pam_environment privilege issue
+Description: fix cve-2010-4708: .pam_environment privilege issue
 Index: pam.debian/modules/pam_env/pam_env.c
 ===================================================================
 --- pam.debian.orig/modules/pam_env/pam_env.c
diff --git a/debian/patches-applied/cve-2013-7041.patch b/debian/patches-applied/cve-2013-7041.patch
new file mode 100644
index 00000000..dac35b25
--- /dev/null
+++ b/debian/patches-applied/cve-2013-7041.patch
@@ -0,0 +1,44 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ 	  } else {
+ 	    cryptpw = crypt (pass, data.dptr);
+ 
+-	    if (cryptpw) {
+-	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++	      compare = memcmp(data.dptr, cryptpw, data.dsize);
+ 	    } else {
+ 	      compare = -2;
+ 	      if (ctrl & PAM_DEBUG_ARG) {
+-		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++		if (cryptpw)
++		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++		else
++		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ 	      }
+ 	    };
+ 
diff --git a/debian/patches-applied/cve-2014-2583.patch b/debian/patches-applied/cve-2014-2583.patch
new file mode 100644
index 00000000..3eb91702
--- /dev/null
+++ b/debian/patches-applied/cve-2014-2583.patch
@@ -0,0 +1,47 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ 		tty = strrchr(tty, '/') + 1;
+ 	}
+ 	/* Make sure the tty wasn't actually a directory (no basename). */
+-	if (strlen(tty) == 0) {
++	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ 		return NULL;
+ 	}
+ 	return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ 		if (pwd != NULL) {
+ 			ruser = pwd->pw_name;
+ 		}
++	} else {
++		/*
++		 * This ruser is used by format_timestamp_name as a component
++		 * of constructed timestamp pathname, so ".", "..", and '/'
++		 * are disallowed to avoid potential path traversal issues.
++		 */
++		if (!strcmp(ruser, ".") ||
++		    !strcmp(ruser, "..") ||
++		    strchr(ruser, '/')) {
++			ruser = NULL;
++		}
+ 	}
+ 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ 		*ruserbuf = '\0';
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
new file mode 100644
index 00000000..7c75ee5c
--- /dev/null
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -0,0 +1,154 @@
+From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@thkukuk.de>
+Date: Mon, 22 Jun 2015 14:53:01 +0200
+Subject: Release version 1.2.1
+
+Security fix: CVE-2015-3238
+
+If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+of pam_unix is not privileged enough to check the password, e.g.
+if selinux is enabled, the _unix_run_helper_binary function is called.
+When a long enough password is supplied (16 pages or more, i.e. 65536+
+bytes on a system with 4K pages), this helper function hangs
+indefinitely, blocked in the write(2) call while writing to a blocking
+pipe that has a limited capacity.
+With this fix, the verifiable password length will be limited to
+PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
+index 2379366..d1b00a2 100644
+--- a/modules/pam_exec/pam_exec.8.xml
++++ b/modules/pam_exec/pam_exec.8.xml
+@@ -106,7 +106,8 @@
+               During authentication the calling command can read
+               the password from <citerefentry>
+               <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+-              </citerefentry>.
++              </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++              bytes of a password are provided to the command.
+             </para>
+           </listitem>
+         </varlistentry>
+diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
+index 5ab9630..17ba6ca 100644
+--- a/modules/pam_exec/pam_exec.c
++++ b/modules/pam_exec/pam_exec.c
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+ 		}
+ 
+ 	      pam_set_item (pamh, PAM_AUTHTOK, resp);
+-	      authtok = strdupa (resp);
++	      authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ 	      _pam_drop (resp);
+ 	    }
+ 	  else
+-	    authtok = void_pass;
++	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+ 
+ 	  if (pipe(fds) != 0)
+ 	    {
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+index 4008402..a8b64bb 100644
+--- a/modules/pam_unix/pam_unix.8.xml
++++ b/modules/pam_unix/pam_unix.8.xml
+@@ -80,6 +80,13 @@
+     </para>
+ 
+     <para>
++      The maximum length of a password supported by the pam_unix module
++      via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++      - currently 512 bytes. The rest of the password provided by the
++      conversation function to the module will be ignored.
++    </para>
++
++    <para>
+       The password component of this module performs the task of updating
+       the user's password. The default encryption hash is taken from the
+       <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 2d330e5..c2e5de5 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
+ 	/* wait for child */
+ 	/* if the stored password is NULL */
+         int rc=0;
+-	if (fromwhat)
+-	  pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+-	else
+-	  pam_modutil_write(fds[1], "", 1);
+-	if (towhat) {
+-	  pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
++	if (fromwhat) {
++	    int len = strlen(fromwhat);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    pam_modutil_write(fds[1], fromwhat, len);
+ 	}
+-	else
+-	  pam_modutil_write(fds[1], "", 1);
++        pam_modutil_write(fds[1], "", 1);
++	if (towhat) {
++	    int len = strlen(towhat);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    pam_modutil_write(fds[1], towhat, len);
++        }
++        pam_modutil_write(fds[1], "", 1);
+ 
+ 	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
+ 	close(fds[1]);
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index b325602..e79b55e 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+ int
+ read_passwords(int fd, int npass, char **passwords)
+ {
++        /* The passwords array must contain npass preallocated
++         * buffers of length MAXPASS + 1
++         */
+         int rbytes = 0;
+         int offset = 0;
+         int i = 0;
+         char *pptr;
+         while (npass > 0) {
+-                rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++                rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
+ 
+                 if (rbytes < 0) {
+                         if (errno == EINTR) continue;
+diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
+index 3de6759..caf7ae8 100644
+--- a/modules/pam_unix/passverify.h
++++ b/modules/pam_unix/passverify.h
+@@ -8,7 +8,7 @@
+ 
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+ 
+-#define MAXPASS		200	/* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE  /* the maximum length of a password */
+ 
+ #define OLD_PASSWORDS_FILE      "/etc/security/opasswd"
+ 
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index fdb45c2..abccd82 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	/* if the stored password is NULL */
+         int rc=0;
+ 	if (passwd != NULL) {            /* send the password to the child */
+-	    if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++	    int len = strlen(passwd);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    if (write(fds[1], passwd, len) == -1 ||
++	        write(fds[1], "", 1) == -1) {
+ 	      pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
+ 	      retval = PAM_AUTH_ERR;
+ 	    }
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 00000000..26f16503
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,28 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>
+Last-Update: 2015-07-11
+
+--- pam.orig/configure
++++ pam/configure
+@@ -15162,7 +15162,7 @@ fi
+ 
+ 
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+      enable_docu=no
+ fi
+--- pam.orig/configure.in
++++ pam/configure.in
+@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou
+ 
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+      enable_docu=no
+ fi
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
index bea1e32f..1e965b2d 100644
--- a/debian/patches-applied/pam-loginuid-in-containers
+++ b/debian/patches-applied/pam-loginuid-in-containers
@@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces
     Signed-off-by: Steve Langasek <vorlon@debian.org>
     Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
 
-Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
 ===================================================================
---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c
-+++ pam.deb/modules/pam_loginuid/pam_loginuid.c
-@@ -46,25 +46,49 @@
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c	2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c	2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
  
  /*
   * This function writes the loginuid to the /proc system. It returns
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
 +	char loginuid[24], buf[24];
 +	static const char host_uid_map[] = "         0          0 4294967295\n";
 +	char uid_map[sizeof(host_uid_map)];
++
++	/* loginuid in user namespaces currently isn't writable and in some
++	   case, not even readable, so consider any failure as ignorable (but try
++	   anyway, in case we hit a kernel which supports it). */
++	fd = open("/proc/self/uid_map", O_RDONLY);
++	if (fd >= 0) {
++		count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++		if (strncmp(uid_map, host_uid_map, count) != 0)
++			rc = PAM_IGNORE;
++		close(fd);
++	}
  
- 	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+-	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
 -	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
 +	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
  	if (fd < 0) {
 -		if (errno != ENOENT) {
 -			rc = 1;
+-			pam_syslog(pamh, LOG_ERR,
+-				   "Cannot open /proc/self/loginuid: %m");
 +		if (errno == ENOENT) {
 +			rc = PAM_IGNORE;
-+		} else if (errno == EACCES) {
-+			fd = open("/proc/self/uid_map", O_RDONLY);
-+			if (fd >= 0) {
-+				count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-+				if (strncmp(uid_map, host_uid_map, count) != 0)
-+					rc = PAM_IGNORE;
-+				close(fd);
-+			}
-+			if (rc != PAM_IGNORE)
-+				errno = EACCES;
 +		}
 +		if (rc != PAM_IGNORE) {
- 			pam_syslog(pamh, LOG_ERR,
- 				   "Cannot open /proc/self/loginuid: %m");
++			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++				   "/proc/self/loginuid");
  		}
  		return rc;
  	}
 -	if (pam_modutil_write(fd, loginuid, count) != count)
 -		rc = 1;
 +
++	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
 +	if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
 +	    memcmp(buf, loginuid, count) == 0) {
 +		rc = PAM_SUCCESS;
 +		goto done;	/* already correct */
 +	}
 +	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-+	    pam_modutil_write(fd, loginuid, count) == count)
++	    pam_modutil_write(fd, loginuid, count) == count) {
 +		rc = PAM_SUCCESS;
++	} else {
++		if (rc != PAM_IGNORE) {
++			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++				   "/proc/self/loginuid");
++		}
++	}
 + done:
  	close(fd);
  	return rc;
  }
-@@ -164,6 +188,7 @@
+@@ -165,6 +196,7 @@
  {
          const char *user = NULL;
  	struct passwd *pwd;
@@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
  #ifdef HAVE_LIBAUDIT
  	int require_auditd = 0;
  #endif
-@@ -182,9 +207,14 @@
+@@ -183,9 +215,14 @@
  		return PAM_SESSION_ERR;
  	}
  
@@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
  	}
  
  #ifdef HAVE_LIBAUDIT
-@@ -194,11 +224,12 @@
+@@ -195,11 +232,12 @@
  		argv++;
  	}
  
diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch
new file mode 100644
index 00000000..6c6f1861
--- /dev/null
+++ b/debian/patches-applied/pam_namespace_fix_bashism.patch
@@ -0,0 +1,61 @@
+From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <vorlon@debian.org>
+Date: Tue, 14 Jan 2014 19:48:51 -0800
+Subject: pam_namespace: don't use bashisms in default namespace.init script
+
+* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+namespace init script, so that scripts run with maximum privilege regardless
+of the shell implementation.
+* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+shebang line
+
+This is not a POSIX standard option, it's a bashism.  The bash manpage says
+that it's used to prevent the effective user id from being reset to the real
+user id on startup, and to ignore certain unsafe variables from the
+environment.
+
+In the case of pam_namespace, the -p is not necessary for environment
+sanitizing because the PAM module (properly) sanitizes the environment
+before execing the script.
+
+The stated reason given in CVS history for passing -p is to "preserve euid
+when called from setuid apps (su, newrole)."  This should be done more
+portably, by calling setuid() before spawning the shell.
+
+Signed-off-by: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/624842
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+---
+ modules/pam_namespace/namespace.init  | 2 +-
+ modules/pam_namespace/pam_namespace.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
+index 9ab5806..67d4aa2 100755
+--- a/modules/pam_namespace/namespace.init
++++ b/modules/pam_namespace/namespace.init
+@@ -1,4 +1,4 @@
+-#!/bin/sh -p
++#!/bin/sh
+ # It receives polydir path as $1, the instance path as $2,
+ # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+ # and user name in $4.
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e0d5e30..92883f5 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+ 						_exit(1);
+ 				}
+ #endif
++				/* Pass maximum privs when we exec() */
++				if (setuid(geteuid()) < 0) {
++					/* ignore failures, they don't matter */
++				}
++
+ 				if (execle(init_script, init_script,
+ 					polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ 					_exit(1);
+-- 
+cgit v0.12
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 346e6106..51598ca8 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -15,10 +15,15 @@ hurd_no_setfsuid
 045_pam_dispatch_jump_is_ignore
 054_pam_security_abstract_securetty_handling
 055_pam_unix_nullok_secure
-cve-2011-4708.patch
+cve-2010-4708.patch
 PAM-manpage-section 
 update-motd
 no_PATH_MAX_on_hurd
 lib_security_multiarch_compat
 pam-loginuid-in-containers
+cve-2013-7041.patch
+cve-2014-2583.patch
+cve-2015-3238.patch
 pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
index a89655df..6c2af5bb 100644
--- a/debian/patches-applied/update-motd
+++ b/debian/patches-applied/update-motd
@@ -86,16 +86,16 @@ Index: pam.debian/modules/pam_motd/pam_motd.c
 -
 -	pam_info (pamh, "%s", mtmp);
 -	break;
-+    /* Run the update-motd dynamic motd scripts, outputting to /var/run/motd.
-+       If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic.
-+       Otherwise, the admin can force a static MOTD by breaking that symlink
-+       and publishing into an /etc/motd text file. */
++    /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++       This will be displayed only when calling pam_motd with
++       motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++       display both this file and /etc/motd. */
 +    if (do_update && (stat("/etc/update-motd.d", &st) == 0)
 +        && S_ISDIR(st.st_mode))
 +    {
 +	mode_t old_mask = umask(0022);
-+	if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new"))
-+	    rename("/var/run/motd.new", "/var/run/motd");
++	if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++	    rename("/run/motd.dynamic.new", "/run/motd.dynamic");
 +	umask(old_mask);
      }
  
diff --git a/debian/watch b/debian/watch
index da5e1ef6..e137cd73 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,4 @@
 version=3
-opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz
-
+opts=uversionmangle=s/^(\S+-doc)/0.0.$1/ \
+http://www.linux-pam.org/library/ \
+(?:|.*/)Linux-PAM(?:[_\-]v?|)(\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)