Diffstat (limited to 'debian/patches-applied')
-rw-r--r--  debian/patches-applied/007_modules_pam_unix                        68
-rw-r--r--  debian/patches-applied/README-rebuild                             146
-rw-r--r--  debian/patches-applied/cve-2010-4708.patch                         40
-rw-r--r--  debian/patches-applied/cve-2015-3238.patch                        105
-rw-r--r--  debian/patches-applied/make_documentation_reproducible.patch       19
-rw-r--r--  debian/patches-applied/series                                       3
6 files changed, 320 insertions, 61 deletions
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix index 5dae4064..d88bb979 100644 --- a/debian/patches-applied/007_modules_pam_unix +++ b/debian/patches-applied/007_modules_pam_unix 
@@ -460,3 +460,71 @@ Index: pam.debian/modules/pam_unix/pam_unix.8 .RE .PP Invalid arguments are logged with +diff --git a/modules/pam_unix/README b/modules/pam_unix/README +index 26c06e23..a1289409 100644 +--- a/modules/pam_unix/README ++++ b/modules/pam_unix/README +@@ -12,9 +12,9 @@ shadow file as well if shadow is enabled. + The account component performs the task of establishing the status of the + user's account and password based on the following shadow elements: expire, + last_change, max_change, min_change, warn_change. In the case of the latter, it +-may offer advice to the user on changing their password or, through the ++may offer advice to the user on changing their password or, through the + PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have +-established a new password. The entries listed above are documented in the ++established a new password. The entries listed above are documented in the + shadow(5) manual page. Should the user's record not contain one or more of + these entries, the corresponding shadow check is not performed. + +@@ -100,7 +100,7 @@ remember=n + + The last n passwords for each user are saved in /etc/security/opasswd in + order to force password change history and keep the user from alternating +- between the same password too frequently. Instead of this option the ++ between the same password too frequently. Instead of this option the + pam_pwhistory module should be used. + + shadow +@@ -146,8 +146,40 @@ broken_shadow + + minlen=n + +- Set a minimum password length of n characters. The max. for DES crypt based +- passwords are 8 characters. ++ Set a minimum password length of n characters. The default value is 6. The ++ maximum for DES crypt-based passwords is 8 characters. ++ ++obscure ++ ++ Enable some extra checks on password strength. These checks are based on ++ the "obscure" checks in the original shadow package. 
The behavior is ++ similar to the pam_cracklib module, but for non-dictionary-based checks. ++ The following checks are implemented: ++ ++ Palindrome ++ ++ Verifies that the new password is not a palindrome of (i.e., the ++ reverse of) the previous one. ++ ++ Case Change Only ++ ++ Verifies that the new password isn't the same as the old one with a ++ change of case. ++ ++ Similar ++ ++ Verifies that the new password isn't too much like the previous one. ++ ++ Simple ++ ++ Is the new password too simple? This is based on the length of the ++ password and the number of different types of characters (alpha, ++ numeric, etc.) used. ++ ++ Rotated ++ ++ Is the new password a rotated version of the old password? (E.g., ++ "billy" and "illyb") + + Invalid arguments are logged with syslog(3). + diff --git a/debian/patches-applied/README-rebuild b/debian/patches-applied/README-rebuild new file mode 100644 index 00000000..8a95f8cc --- /dev/null +++ b/debian/patches-applied/README-rebuild 
@@ -0,0 +1,146 @@ +Description: rebuild README files with current docs toolchain + This incorporates certain insignificant changes to whitespace handling + in the toolchain for documentation generation, which allows us to have a + clean ./debian/rules build; ./debian/rules clean round-trip. +Author: Steve Langasek <vorlon@debian.org> +Last-Updated: 2018-01-08 +Forwarded: not-needed + +diff --git a/modules/pam_access/README b/modules/pam_access/README +index 3ab46871..8ee1b2f4 100644 +--- a/modules/pam_access/README ++++ b/modules/pam_access/README +@@ -83,7 +83,7 @@ instead. The same meaning of 192.168.201. is 192.168.201.0/24 or 192.168.201.0/ + + + : root : 192.168.201. + +-User root should be able to have access from hosts foo1.bar.org and ++User root should be able to have access from hosts foo1.bar.org and + foo2.bar.org (uses string matching also). + + + : root : foo1.bar.org foo2.bar.org +diff --git a/modules/pam_filter/README b/modules/pam_filter/README +index 4d4e2194..2978e546 100644 +--- a/modules/pam_filter/README ++++ b/modules/pam_filter/README +@@ -45,17 +45,17 @@ runX + have read the pam(3) manual page. Basically, for each management group + there are up to two ways of calling the module's functions. In the case of + the authentication and session components there are actually two separate +- functions. For the case of authentication, these functions are ++ functions. For the case of authentication, these functions are + pam_authenticate(3) and pam_setcred(3), here run1 means run the filter from + the pam_authenticate function and run2 means run the filter from + pam_setcred. In the case of the session modules, run1 implies that the +- filter is invoked at the pam_open_session(3) stage, and run2 for ++ filter is invoked at the pam_open_session(3) stage, and run2 for + pam_close_session(3). + + For the case of the account component. Either run1 or run2 may be used. 
+ + For the case of the password component, run1 is used to indicate that the +- filter is run on the first occasion of pam_chauthtok(3) (the ++ filter is run on the first occasion of pam_chauthtok(3) (the + PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run + on the second occasion (the PAM_UPDATE_AUTHTOK phase). + +diff --git a/modules/pam_ftp/README b/modules/pam_ftp/README +index 15f4130e..b9ef7857 100644 +--- a/modules/pam_ftp/README ++++ b/modules/pam_ftp/README +@@ -7,7 +7,7 @@ DESCRIPTION + pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of + access. + +-This module intercepts the user's name and password. If the name is ftp or ++This module intercepts the user's name and password. If the name is ftp or + anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER + and a PAM_RHOST part; these pam-items being set accordingly. The username ( + PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the +diff --git a/modules/pam_listfile/README b/modules/pam_listfile/README +index e1aaf8cc..5f926bdf 100644 +--- a/modules/pam_listfile/README ++++ b/modules/pam_listfile/README +@@ -7,7 +7,7 @@ DESCRIPTION + pam_listfile is a PAM module which provides a way to deny or allow services + based on an arbitrary file. + +-The module gets the item of the type specified -- user specifies the username, ++The module gets the item of the type specified -- user specifies the username, + PAM_USER; tty specifies the name of the terminal over which the request has + been made, PAM_TTY; rhost specifies the name of the remote host (if any) from + which the request was made, PAM_RHOST; and ruser specifies the name of the +@@ -24,7 +24,7 @@ appropriate) will be returned. + + An additional argument, apply=, can be used to restrict the application of the + above to a specific user (apply=username) or a given group (apply=@groupname). 
+-This added restriction is only meaningful when used with the tty, rhost and ++This added restriction is only meaningful when used with the tty, rhost and + shell items. + + Besides this last one, all arguments should be specified; do not count on any +diff --git a/modules/pam_mail/README b/modules/pam_mail/README +index a0a0b7d9..8fe8721c 100644 +--- a/modules/pam_mail/README ++++ b/modules/pam_mail/README +@@ -45,7 +45,7 @@ noenv + + nopen + +- Don't print any mail information on login. This flag is useful to get the ++ Don't print any mail information on login. This flag is useful to get the + MAIL environment variable set, but to not display any information about it. + + quiet +diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README +index 41cc5403..6c580d6a 100644 +--- a/modules/pam_namespace/README ++++ b/modules/pam_namespace/README +@@ -173,7 +173,7 @@ the tmpfs instance that is created by the mount call. See mount(8) for details. + + The directory where polyinstantiated instances are to be created, must exist + and must have, by default, the mode of 0000. The requirement that the instance +-parent be of mode 0000 can be overridden with the command line option ++parent be of mode 0000 can be overridden with the command line option + ignore_instance_parent_mode + + In case of context or level polyinstantiation the SELinux context which is used +diff --git a/modules/pam_rhosts/README b/modules/pam_rhosts/README +index b1911785..aedc0f5d 100644 +--- a/modules/pam_rhosts/README ++++ b/modules/pam_rhosts/README +@@ -17,7 +17,7 @@ identical to their local one, or if their remote account has an entry in their + personal configuration file. + + The module authenticates a remote user (internally specified by the item +-PAM_RUSER connecting from the remote host (internally specified by the item ++PAM_RUSER connecting from the remote host (internally specified by the item + PAM_RHOST). 
Accordingly, for applications to be compatible this authentication + module they must set these items prior to calling pam_authenticate(). The + module is not capable of independently probing the network connection for such +diff --git a/modules/pam_tally/README b/modules/pam_tally/README +index 06e8f092..85aa1607 100644 +--- a/modules/pam_tally/README ++++ b/modules/pam_tally/README +@@ -32,7 +32,7 @@ GLOBAL OPTIONS + + onerr=[fail|succeed] + +- If something weird happens (like unable to open the file), return with ++ If something weird happens (like unable to open the file), return with + PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM + error code. + +diff --git a/modules/pam_userdb/README b/modules/pam_userdb/README +index 8e1a5ffd..0c256a90 100644 +--- a/modules/pam_userdb/README ++++ b/modules/pam_userdb/README +@@ -13,7 +13,7 @@ OPTIONS + crypt=[crypt|none] + + Indicates whether encrypted or plaintext passwords are stored in the +- database. If it is crypt, passwords should be stored in the database in ++ database. If it is crypt, passwords should be stored in the database in + crypt(3) form. If none is selected, passwords should be stored in the + database as plaintext. + diff --git a/debian/patches-applied/cve-2010-4708.patch b/debian/patches-applied/cve-2010-4708.patch index cf23e318..10128284 100644 --- a/debian/patches-applied/cve-2010-4708.patch +++ b/debian/patches-applied/cve-2010-4708.patch @@ -1,8 +1,8 @@ Description: fix cve-2010-4708: .pam_environment privilege issue -Index: pam.debian/modules/pam_env/pam_env.c +Index: pam/modules/pam_env/pam_env.c =================================================================== ---- pam.debian.orig/modules/pam_env/pam_env.c -+++ pam.debian/modules/pam_env/pam_env.c +--- pam.orig/modules/pam_env/pam_env.c ++++ pam/modules/pam_env/pam_env.c @@ -10,7 +10,7 @@ #define DEFAULT_READ_ENVFILE 1 
@@ -12,10 +12,10 @@ Index: pam.debian/modules/pam_env/pam_env.c #include "config.h" -Index: pam.debian/modules/pam_env/pam_env.8.xml +Index: pam/modules/pam_env/pam_env.8.xml =================================================================== ---- pam.debian.orig/modules/pam_env/pam_env.8.xml -+++ pam.debian/modules/pam_env/pam_env.8.xml +--- pam.orig/modules/pam_env/pam_env.8.xml ++++ pam/modules/pam_env/pam_env.8.xml @@ -147,7 +147,7 @@ <listitem> <para> @@ -25,10 +25,10 @@ Index: pam.debian/modules/pam_env/pam_env.8.xml </para> </listitem> </varlistentry> -Index: pam.debian/modules/pam_env/pam_env.8 +Index: pam/modules/pam_env/pam_env.8 =================================================================== ---- pam.debian.orig/modules/pam_env/pam_env.8 -+++ pam.debian/modules/pam_env/pam_env.8 +--- pam.orig/modules/pam_env/pam_env.8 ++++ pam/modules/pam_env/pam_env.8 @@ -2,12 +2,12 @@ .\" Title: pam_env .\" Author: [see the "AUTHOR" section] @@ -62,3 +62,25 @@ Index: pam.debian/modules/pam_env/pam_env.8 .SH "AUTHOR" .PP pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&. +Index: pam/modules/pam_env/README +=================================================================== +--- pam.orig/modules/pam_env/README ++++ pam/modules/pam_env/README +@@ -5,7 +5,7 @@ + DESCRIPTION + + The pam_env PAM module allows the (un)setting of environment variables. +-Supported is the use of previously set environment variables as well as ++Supported is the use of previously set environment variables as well as + PAM_ITEMs such as PAM_RHOST. + + By default rules for (un)setting of variables is taken from the config file / +@@ -50,7 +50,7 @@ + user_readenv=0|1 + + Turns on or off the reading of the user specific environment file. 0 is +- off, 1 is on. By default this option is on. ++ off, 1 is on. By default this option is off. + + EXAMPLES + diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch index cb5e8c06..50dd746e 100644 
--- a/debian/patches-applied/cve-2015-3238.patch +++ b/debian/patches-applied/cve-2015-3238.patch @@ -15,10 +15,10 @@ pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. -diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml -index 2379366..d1b00a2 100644 ---- a/modules/pam_exec/pam_exec.8.xml -+++ b/modules/pam_exec/pam_exec.8.xml +Index: pam/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8.xml ++++ pam/modules/pam_exec/pam_exec.8.xml @@ -106,7 +106,8 @@ During authentication the calling command can read the password from <citerefentry> @@ -29,11 +29,11 @@ index 2379366..d1b00a2 100644 </para> </listitem> </varlistentry> -diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c -index 5ab9630..17ba6ca 100644 ---- a/modules/pam_exec/pam_exec.c -+++ b/modules/pam_exec/pam_exec.c -@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, +Index: pam/modules/pam_exec/pam_exec.c +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.c ++++ pam/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ } pam_set_item (pamh, PAM_AUTHTOK, resp); @@ -47,10 +47,10 @@ index 5ab9630..17ba6ca 100644 if (pipe(fds) != 0) { -diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml -index 4008402..a8b64bb 100644 ---- a/modules/pam_unix/pam_unix.8.xml -+++ b/modules/pam_unix/pam_unix.8.xml +Index: pam/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8.xml ++++ pam/modules/pam_unix/pam_unix.8.xml @@ -80,6 +80,13 @@ </para> 
@@ -65,11 +65,11 @@ index 4008402..a8b64bb 100644 The password component of this module performs the task of updating the user's password. The default encryption hash is taken from the <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from -diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c -index 2d330e5..c2e5de5 100644 ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const +Index: pam/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam/modules/pam_unix/pam_unix_passwd.c +@@ -245,15 +245,22 @@ /* wait for child */ /* if the stored password is NULL */ int rc=0; @@ -100,11 +100,11 @@ index 2d330e5..c2e5de5 100644 close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index b325602..e79b55e 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) +Index: pam/modules/pam_unix/passverify.c +=================================================================== +--- pam.orig/modules/pam_unix/passverify.c ++++ pam/modules/pam_unix/passverify.c +@@ -1086,12 +1086,15 @@ int read_passwords(int fd, int npass, char **passwords) { @@ -121,10 +121,10 @@ index b325602..e79b55e 100644 if (rbytes < 0) { if (errno == EINTR) continue; -diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h -index 3de6759..caf7ae8 100644 ---- a/modules/pam_unix/passverify.h -+++ b/modules/pam_unix/passverify.h +Index: pam/modules/pam_unix/passverify.h +=================================================================== +--- pam.orig/modules/pam_unix/passverify.h ++++ pam/modules/pam_unix/passverify.h 
@@ -8,7 +8,7 @@ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT @@ -134,11 +134,11 @@ index 3de6759..caf7ae8 100644 #define OLD_PASSWORDS_FILE "/etc/security/opasswd" -diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c -index fdb45c2..abccd82 100644 ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, +Index: pam/modules/pam_unix/support.c +=================================================================== +--- pam.orig/modules/pam_unix/support.c ++++ pam/modules/pam_unix/support.c +@@ -632,7 +632,12 @@ /* if the stored password is NULL */ int rc=0; if (passwd != NULL) { /* send the password to the child */ @@ -152,8 +152,10 @@ index fdb45c2..abccd82 100644 pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); retval = PAM_AUTH_ERR; } ---- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000 -+++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000 +Index: pam/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8 ++++ pam/modules/pam_unix/pam_unix.8 @@ -56,6 +56,10 @@ \fBnoreap\fR module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. @@ -165,8 +167,10 @@ index fdb45c2..abccd82 100644 The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the \fBENCRYPT_METHOD\fR variable from ---- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000 -+++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000 +Index: pam/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8 ++++ pam/modules/pam_exec/pam_exec.8 @@ -65,7 +65,9 @@ \fBexpose_authtok\fR .RS 4 
@@ -178,3 +182,32 @@ index fdb45c2..abccd82 100644 .RE .PP \fBlog=\fR\fB\fIfile\fR\fR +Index: pam/modules/pam_exec/README +=================================================================== +--- pam.orig/modules/pam_exec/README ++++ pam/modules/pam_exec/README +@@ -24,7 +24,8 @@ + expose_authtok + + During authentication the calling command can read the password from stdin +- (3). ++ (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the ++ command. + + log=file + +Index: pam/modules/pam_unix/README +=================================================================== +--- pam.orig/modules/pam_unix/README ++++ pam/modules/pam_unix/README +@@ -34,6 +34,10 @@ + suppress this temporary shielding and may be needed for use with certain + applications. + ++The maximum length of a password supported by the pam_unix module via the ++helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the ++password provided by the conversation function to the module will be ignored. ++ + The password component of this module performs the task of updating the user's + password. The default encryption hash is taken from the ENCRYPT_METHOD variable + from /etc/login.defs diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch index 26f16503..04c5f02d 100644 --- a/debian/patches-applied/make_documentation_reproducible.patch +++ b/debian/patches-applied/make_documentation_reproducible.patch 
@@ -1,20 +1,9 @@ Description: Make documentation reproducible - Add LC_ALL=C to w3m to avoid changes in the output when build the + Add LC_ALL=C.UTF-8 to w3m to avoid changes in the output when build the documentation with different locales. -Author: Juan Picca <jumapico@gmail.com> -Last-Update: 2015-07-11 +Author: Juan Picca <jumapico@gmail.com>, Steve Langasek <vorlon@debian.org> +Last-Update: 2019-01-06 ---- pam.orig/configure -+++ pam/configure -@@ -15162,7 +15162,7 @@ fi - - - if test ! -z "$BROWSER"; then -- BROWSER="$BROWSER -T text/html -dump" -+ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" - else - enable_docu=no - fi --- pam.orig/configure.in +++ pam/configure.in @@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou @@ -22,7 +11,7 @@ Last-Update: 2015-07-11 AC_PATH_PROG([BROWSER], [w3m]) if test ! -z "$BROWSER"; then - BROWSER="$BROWSER -T text/html -dump" -+ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C.UTF-8 $BROWSER -T text/html -dump" else enable_docu=no fi diff --git a/debian/patches-applied/series b/debian/patches-applied/series index 51598ca8..29ba63b0 100644 --- a/debian/patches-applied/series +++ b/debian/patches-applied/series @@ -1,5 +1,7 @@ pam_unix_fix_sgid_shadow_auth.patch pam_unix_dont_trust_chkpwd_caller.patch +make_documentation_reproducible.patch +README-rebuild 007_modules_pam_unix 008_modules_pam_limits_chroot 021_nis_cleanup @@ -26,4 +28,3 @@ cve-2014-2583.patch cve-2015-3238.patch pam-limits-nofile-fd-setsize-cap pam_namespace_fix_bashism.patch -make_documentation_reproducible.patch |
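Review bot: the new README hunk in 007_modules_pam_unix (`@@ -146,8 +146,40 @@ broken_shadow`, adding the `obscure` option text and rewording `minlen`) hand-edits modules/pam_unix/README, which the docs toolchain regenerates from the .8.xml source; the only pam_unix.8 change visible in this diff is context, so confirm that `Set a minimum password length of n characters. The default value is 6.` and the five `obscure` checks (Palindrome, Case Change Only, Similar, Simple, Rotated) are also present in pam_unix.8.xml, and regenerate the README hunk from that source rather than maintaining the two by hand.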
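Review bot: README-rebuild is whitespace-only (every hunk replaces a line with trailing or doubled spaces by its single-spaced form), so its reproducibility depends entirely on the toolchain and locale that produced it, yet the header names neither; since make_documentation_reproducible.patch in this same change switches w3m to `LC_ALL=C.UTF-8`, state in the Description which w3m/locale the READMEs were rebuilt with, or the next `./debian/rules build; ./debian/rules clean` round-trip diverges again for anyone with a different w3m. The header field is also spelled `+Last-Updated: 2018-01-08` whereas the other patches in the series use the DEP-3 form `Last-Update:` (cf. `+Last-Update: 2019-01-06` in make_documentation_reproducible.patch).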
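Review bot: the new README hunk in cve-2010-4708.patch flips the documented default of `user_readenv` (`- off, 1 is on. By default this option is on.` to `+ off, 1 is on. By default this option is off.`), which is the documentation side of the privilege fix; the code side is the pam_env.c hunk at `@@ -10,7 +10,7 @@` whose visible context is `#define DEFAULT_READ_ENVFILE 1`, so confirm the user-file default changed in that hunk matches what the README and pam_env.8.xml now say. The rest of the change is a mechanical `pam.debian/` to `pam/` Index prefix rename; make sure every remaining patch in the series uses the same `pam.orig/` and `pam/` prefixes, since cve-2015-3238.patch is being converted to that form here too.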
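Review bot: converting cve-2015-3238.patch to quilt `Index:` headers dropped the function-name context from the hunk headers (`-@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,` becomes `+@@ -178,11 +178,11 @@`) and rebased the pam_unix hunks to new offsets (240 to 245, 1115 to 1086, 609 to 632) without the Description noting the upstream revision; keep the function context where the format allows it, because for a fix whose purpose is bounding what is written to a pipe of limited capacity to `PAM_MAX_RESP_SIZE` (512 bytes), a reviewer wants to see at a glance that all three writers (call_exec, _unix_run_update_binary, _unix_run_helper_binary) and the reader (read_passwords) apply the same bound. In the new pam_exec README hunk, `Only first PAM_MAX_RESP_SIZE bytes of a password are provided` should read 'Only the first'.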
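Review bot: the revised make_documentation_reproducible.patch removes the hunk against the generated `configure` (the dropped `-@@ -15162,7 +15162,7 @@ fi` block) and keeps only the configure.in change, so `BROWSER="LC_ALL=C.UTF-8 $BROWSER -T text/html -dump"` takes effect only if the build regenerates configure from configure.in before running it; confirm debian/rules does that, otherwise the shipped configure still invokes w3m without the locale setting and the README-rebuild output will not be reproduced. Also `when build the documentation` in the Description should read 'when building the documentation'.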
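Review bot: the series hunk moves make_documentation_reproducible.patch from last to first and inserts README-rebuild directly after it, ahead of 007_modules_pam_unix; that order is what lets the README hunks in 007_modules_pam_unix, cve-2010-4708.patch and cve-2015-3238.patch apply against the rebuilt single-spaced text (the 007 hunk even carries whitespace-only context fixups for it), so record the dependency in those patches' headers rather than leaving it implicit in file order, where a later reorder would make `quilt push` fail on them.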