-rw-r--r-- debian/changelog 2
-rw-r--r-- debian/patches-applied/series 1
-rw-r--r-- debian/patches-applied/thread-safe_save_old_password.patch 21
3 files changed, 24 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 19aac216..3701e1fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,8 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
now is really just "pam_group_miscfixes".
* Patch 007_modules_pam_unix partially superseded upstream; stripping
hpux-style expiry information off of password fields is now supported.
+ * New patch thread-safe_save_old_password.patch, to make sure all our
+ getpwnam() use in pam_unix is thread-safe (fixes an upstream regression)
* The password-changing helper functionality for SELinux systems has been
split out into a separate unix_update binary, so at long last we can
change unix_chkpwd to be sgid shadow instead of suid root.
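Review bot: The added changelog entry ("New patch thread-safe_save_old_password.patch") claims the patch makes "all our getpwnam() use in pam_unix" thread-safe, but the patch file added in this commit changes a single call, the one in save_old_password() in passverify.c. Suggest wording the entry to match what is changed, for example "to make the getpwnam() call in save_old_password() thread-safe", or stating that the remaining call sites were checked. The entry also lacks the closing period the neighbouring entries use.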
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 1cd60c79..df46ff97 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -18,3 +18,4 @@ hurd_no_setfsuid
PAM-manpage-section
pam_env_ignore_garbage.patch -p2
autoconf.patch
+thread-safe_save_old_password.patch
diff --git a/debian/patches-applied/thread-safe_save_old_password.patch b/debian/patches-applied/thread-safe_save_old_password.patch
new file mode 100644
index 00000000..cc3fc5e4
--- /dev/null
+++ b/debian/patches-applied/thread-safe_save_old_password.patch
@@ -0,0 +1,21 @@
+Patch to keep save_old_password() thread-safe when called by the PAM
+module, since nothing blocks other threads from calling getpwnam in
+parallel
+
+Authors: Steve Langasek <steve.langasek@canonical.com>
+
+Upstream status: to be submitted
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -653,7 +653,7 @@
+ fclose(opwfile);
+
+ if (!found) {
+- pwd = getpwnam(forwho);
++ pwd = pam_modutil_getpwnam(pamh, forwho);
+ if (pwd == NULL) {
+ err = 1;
+ } else {
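Review bot: In the embedded hunk at passverify.c line 653, the replacement call "pwd = pam_modutil_getpwnam(pamh, forwho);" depends on a pamh that the visible context never shows being declared or passed in to save_old_password(). The patch header says the change matters "when called by the PAM module", which implies the function has other callers. The header should state what handle those callers pass and that the new call behaves correctly for them. "Upstream status: to be submitted" is also worth resolving soon, since the changelog describes this as an upstream regression.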