Diffstat (limited to 'debian')
-rw-r--r--debian/changelog12
-rw-r--r--debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch32
-rw-r--r--debian/patches-applied/dont_freeze_password_chain118
-rw-r--r--debian/patches-applied/pam_1.0.4_mindays36
-rw-r--r--debian/patches-applied/pam_env_ignore_garbage.patch46
-rw-r--r--debian/patches-applied/pam_mail-fix-quiet37
-rw-r--r--debian/patches-applied/pam_unix_thread-safe_save_old_password.patch70
-rw-r--r--debian/patches-applied/series7
8 files changed, 12 insertions, 346 deletions
diff --git a/debian/changelog b/debian/changelog
index 5543e0b1..2aa9cd0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+pam (1.1.0-1) UNRELEASED; urgency=low
+
+ * New upstream version.
+ - pam_access no longer does DNS lookups when we know we're comparing
+ with a tty name or a service name. Closes: #376209.
+ * Drop patches pam_unix_thread-safe_save_old_password.patch,
+ pam_env_ignore_garbage.patch, dont_freeze_password_chain,
+ pam_1.0.4_mindays, pam_mail-fix-quiet, and
+ cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
+
+ -- Steve Langasek <vorlon@debian.org> Mon, 24 Aug 2009 01:23:18 -0700
+
pam (1.0.1-11) unstable; urgency=low
* debian/libpam-runtime.postinst: bump the --force version check to
diff --git a/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch b/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
deleted file mode 100644
index e44bc91a..00000000
--- a/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Patch for cve-2009-0887
-int rather than unsigned char is used to index an array.
-
-upstream status: fixed upstream
-
-Index: sid/libpam/pam_misc.c
-===================================================================
---- sid.orig/libpam/pam_misc.c 2009-07-24 12:22:34.000000000 -0400
-+++ sid/libpam/pam_misc.c 2009-07-24 12:22:45.000000000 -0400
-@@ -59,10 +59,11 @@
-
- /* initialize table */
- for (i=1; i<256; table[i++] = '\0');
-- for (i=0; format[i] ; table[(int)format[i++]] = 'y');
-+ for (i=0; format[i] ;
-+ table[(unsigned char)format[i++]] = 'y');
-
- /* look for first non-format char */
-- while (*from && table[(int)*from]) {
-+ while (*from && table[(unsigned char)*from]) {
- ++from;
- }
-
-@@ -92,7 +93,7 @@
- remains */
- } else if (*from) {
- /* simply look for next blank char */
-- for (end=from; *end && !table[(int)*end]; ++end);
-+ for (end=from; *end && !table[(unsigned char)*end]; ++end);
- } else {
- return (*next = NULL); /* no tokens left */
- }
diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain
deleted file mode 100644
index 2f1cf43e..00000000
--- a/debian/patches-applied/dont_freeze_password_chain
+++ /dev/null
@@ -1,118 +0,0 @@
-Don't freeze the chain for chauthtok.
-
-bugzilla.novell.com#470337, LP: #303515.
-
-Author: Thorsten Kukuk <kukuk@thkukuk.de>
-
-Upstream status: cherry-picked from upstream.
-
-=== modified file 'doc/man/pam_sm_chauthtok.3.xml'
-Index: doc/man/pam_sm_chauthtok.3.xml
-===================================================================
---- doc/man/pam_sm_chauthtok.3.xml.orig 2009-04-17 12:44:11.000000000 -0700
-+++ doc/man/pam_sm_chauthtok.3.xml 2009-04-17 12:47:40.000000000 -0700
-@@ -40,7 +40,7 @@
- </citerefentry> interface.
- </para>
- <para>
-- This function is used to (re-)set the authentication token of the user.
-+ This function is used to (re-)set the authentication token of the user.
- </para>
- <para>
- Valid flags, which may be logically OR'd with
-@@ -60,10 +60,10 @@
- <listitem>
- <para>
- This argument indicates to the module that the users
-- authentication token (password) should only be changed if
-- it has expired. This flag is optional and
-- <emphasis>must</emphasis> be combined with one of the
-- following two flags. Note, however, the following two options
-+ authentication token (password) should only be changed if
-+ it has expired. This flag is optional and
-+ <emphasis>must</emphasis> be combined with one of the
-+ following two flags. Note, however, the following two options
- are <emphasis>mutually exclusive</emphasis>.
- </para>
- </listitem>
-@@ -72,15 +72,20 @@
- <term>PAM_PRELIM_CHECK</term>
- <listitem>
- <para>
-- This indicates that the modules are being probed as to
-- their ready status for altering the user's authentication
-- token. If the module requires access to another system over
-- some network it should attempt to verify it can connect to
-- this system on receiving this flag. If a module cannot establish
-- it is ready to update the user's authentication token it should
-+ This indicates that the modules are being probed as to
-+ their ready status for altering the user's authentication
-+ token. If the module requires access to another system over
-+ some network it should attempt to verify it can connect to
-+ this system on receiving this flag. If a module cannot establish
-+ it is ready to update the user's authentication token it should
- return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
- information will be passed back to the application.
- </para>
-+ <para>
-+ If the control value <emphasis>sufficient</emphasis> is used in
-+ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
-+ of the modules following that control value is not always executed.
-+ </para>
- </listitem>
- </varlistentry>
- <varlistentry>
-@@ -89,18 +94,18 @@
- <para>
- This informs the module that this is the call it should change
- the authorization tokens. If the flag is logically OR'd with
-- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
-+ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
- token is only changed if it has actually expired.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>
-- The PAM library calls this function twice in succession. The first
-- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
-- if the module does not return
-+ The PAM library calls this function twice in succession. The first
-+ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
-+ if the module does not return
- <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
-- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
-+ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
- the second call that the authorization token is (possibly) changed.
- </para>
- </refsect1>
-Index: libpam/pam_dispatch.c
-===================================================================
---- libpam/pam_dispatch.c.orig 2009-04-17 12:47:17.000000000 -0700
-+++ libpam/pam_dispatch.c 2009-04-17 12:47:40.000000000 -0700
-@@ -128,11 +128,10 @@
- }
-
- /*
-- * use_cached_chain is how we ensure that the setcred/close_session
-- * and chauthtok(2) modules are called in the same order as they did
-- * when they were invoked as auth/open_session/chauthtok(1). This
-- * feature was added in 0.75 to make the behavior of pam_setcred
-- * sane. It was debugged by release 0.76.
-+ * use_cached_chain is how we ensure that the setcred and
-+ * close_session modules are called in the same order as they did
-+ * when they were invoked as auth/open_session. This feature was
-+ * added in 0.75 to make the behavior of pam_setcred sane.
- */
- if (use_cached_chain != _PAM_PLEASE_FREEZE) {
-
-@@ -342,9 +341,6 @@
- break;
- case PAM_CHAUTHTOK:
- h = pamh->handlers.conf.chauthtok;
-- if (flags & PAM_UPDATE_AUTHTOK) {
-- use_cached_chain = _PAM_MUST_BE_FROZEN;
-- }
- break;
- default:
- pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
diff --git a/debian/patches-applied/pam_1.0.4_mindays b/debian/patches-applied/pam_1.0.4_mindays
deleted file mode 100644
index 0f766e91..00000000
--- a/debian/patches-applied/pam_1.0.4_mindays
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: debian-pkg-pam/modules/pam_unix/pam_unix_acct.c
-===================================================================
---- debian-pkg-pam.orig/modules/pam_unix/pam_unix_acct.c 2009-04-17 11:30:15.000000000 -0700
-+++ debian-pkg-pam/modules/pam_unix/pam_unix_acct.c 2009-04-17 11:31:25.000000000 -0700
-@@ -250,6 +250,9 @@
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("Your account has expired; please contact your system administrator"));
- break;
-+ case PAM_AUTHTOK_ERR:
-+ retval = PAM_SUCCESS;
-+ /* fallthrough */
- case PAM_SUCCESS:
- if (daysleft >= 0) {
- pam_syslog(pamh, LOG_DEBUG,
-Index: debian-pkg-pam/modules/pam_unix/passverify.c
-===================================================================
---- debian-pkg-pam.orig/modules/pam_unix/passverify.c 2009-04-17 11:30:07.000000000 -0700
-+++ debian-pkg-pam/modules/pam_unix/passverify.c 2009-04-17 11:30:59.000000000 -0700
-@@ -301,8 +301,16 @@
- *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- D(("warn before expiry"));
- }
-+ if ((curdays - spent->sp_lstchg < spent->sp_min)
-+ && (spent->sp_min != -1)) {
-+ /*
-+ * The last password change was too recent. This error will be ignored
-+ * if no password change is attempted.
-+ */
-+ D(("password change too recent"));
-+ return PAM_AUTHTOK_ERR;
-+ }
- return PAM_SUCCESS;
--
- }
-
- /* passwd/salt conversion macros */
diff --git a/debian/patches-applied/pam_env_ignore_garbage.patch b/debian/patches-applied/pam_env_ignore_garbage.patch
deleted file mode 100644
index 3df76a07..00000000
--- a/debian/patches-applied/pam_env_ignore_garbage.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Patch for Debian bug #439984
-
-pam_env was not correctly skipping over non-alphanumeric variable names,
-and was not handling the PAM_BAD_ITEM error return from pam_putenv()
-when clearing an unset variable.
-
-Authors: Steve Langasek <vorlon@debian.org>
-
-Upstream status: committed to CVS
-
-Index: pam/Linux-PAM/modules/pam_env/pam_env.c
-===================================================================
---- pam.orig/Linux-PAM/modules/pam_env/pam_env.c
-+++ pam/Linux-PAM/modules/pam_env/pam_env.c
-@@ -232,9 +232,14 @@
-
- for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ )
- if (!isalnum(key[i]) && key[i] != '_') {
-- D(("key is not alpha numeric - '%s', ignoring", key));
-- continue;
-+ pam_syslog(pamh, LOG_ERR,
-+ "non-alphanumeric key '%s' in %s', ignoring",
-+ key, file);
-+ break;
- }
-+ /* non-alphanumeric key, ignore this line */
-+ if (key[i] != '=' && key[i] != '\0')
-+ continue;
-
- /* now we try to be smart about quotes around the value,
- but not too smart, we can't get all fancy with escaped
-@@ -248,6 +253,14 @@
- key[i] = '\0';
- }
-
-+ /* if this is a request to delete a variable, check that it's
-+ actually set first, so we don't get a vague error back from
-+ pam_putenv() */
-+ for (i = 0; key[i] != '=' && key[i] != '\0'; i++);
-+
-+ if (key[i] == '\0' && !pam_getenv(pamh,key))
-+ continue;
-+
- /* set the env var, if it fails, we break out of the loop */
- retval = pam_putenv(pamh, key);
- if (retval != PAM_SUCCESS) {
diff --git a/debian/patches-applied/pam_mail-fix-quiet b/debian/patches-applied/pam_mail-fix-quiet
deleted file mode 100644
index b85637ca..00000000
--- a/debian/patches-applied/pam_mail-fix-quiet
+++ /dev/null
@@ -1,37 +0,0 @@
-Make quiet option of pam_mail work. Fixes http://bugs.debian.org/439268
-
-Author: Andreas Henriksson <andreas@fatal.se>
-Upstream status: applied in upstream CVS September 2008
-
-Index: sid/modules/pam_mail/pam_mail.c
-===================================================================
---- sid.orig/modules/pam_mail/pam_mail.c 2009-07-21 04:31:54.000000000 -0400
-+++ sid/modules/pam_mail/pam_mail.c 2009-07-24 12:16:47.000000000 -0400
-@@ -303,8 +303,13 @@
- {
- int retval;
-
-- if (!(ctrl & PAM_MAIL_SILENT) ||
-- ((ctrl & PAM_QUIET_MAIL) && type == HAVE_NEW_MAIL))
-+ if ((ctrl & PAM_MAIL_SILENT) ||
-+ ((ctrl & PAM_QUIET_MAIL) && type != HAVE_NEW_MAIL))
-+ {
-+ D(("keeping quiet"));
-+ retval = PAM_SUCCESS;
-+ }
-+ else
- {
- if (ctrl & PAM_STANDARD_MAIL)
- switch (type)
-@@ -345,11 +350,6 @@
- break;
- }
- }
-- else
-- {
-- D(("keeping quiet"));
-- retval = PAM_SUCCESS;
-- }
-
- D(("returning %s", pam_strerror(pamh, retval)));
- return retval;
diff --git a/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch b/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
deleted file mode 100644
index 67957d41..00000000
--- a/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Patch to keep save_old_password() thread-safe when called by the PAM
-module, since nothing blocks other threads from calling getpwnam in
-parallel
-
-Authors: Steve Langasek <vorlon@debian.org>
-
-Upstream status: committed to CVS
-
-Index: pam.deb/modules/pam_unix/passverify.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.c
-+++ pam.deb/modules/pam_unix/passverify.c
-@@ -535,9 +535,15 @@
- }
- #endif
-
-+#ifdef HELPER_COMPILE
- int
- save_old_password(const char *forwho, const char *oldpass,
- int howmany)
-+#else
-+int
-+save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
-+ int howmany)
-+#endif
- {
- static char buf[16384];
- static char nbuf[16384];
-@@ -653,7 +659,7 @@
- fclose(opwfile);
-
- if (!found) {
-- pwd = getpwnam(forwho);
-+ pwd = pam_modutil_getpwnam(pamh, forwho);
- if (pwd == NULL) {
- err = 1;
- } else {
-Index: pam.deb/modules/pam_unix/passverify.h
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.h
-+++ pam.deb/modules/pam_unix/passverify.h
-@@ -33,9 +33,15 @@
- void
- unlock_pwdf(void);
-
-+#ifdef HELPER_COMPILE
- int
- save_old_password(const char *forwho, const char *oldpass,
- int howmany);
-+#else
-+int
-+save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
-+ int howmany);
-+#endif
-
- #ifdef HELPER_COMPILE
- void
-Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
-+++ pam.deb/modules/pam_unix/pam_unix_passwd.c
-@@ -378,7 +378,7 @@
- return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
- #endif
- /* first, save old password */
-- if (save_old_password(forwho, fromwhat, remember)) {
-+ if (save_old_password(pamh, forwho, fromwhat, remember)) {
- retval = PAM_AUTHTOK_ERR;
- goto done;
- }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index f9ba7482..e556fe11 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,4 +1,3 @@
-pam_unix_thread-safe_save_old_password.patch
pam_unix_fix_sgid_shadow_auth.patch
pam_unix_dont_trust_chkpwd_caller.patch
007_modules_pam_unix
@@ -17,13 +16,7 @@ hurd_no_setfsuid
054_pam_security_abstract_securetty_handling
055_pam_unix_nullok_secure
PAM-manpage-section
-pam_env_ignore_garbage.patch -p2
pam.d-manpage-section
pam_unix-chkpwd-wait
autoconf.patch
-dont_freeze_password_chain -p0
-pam_1.0.4_mindays
update-motd
-pam_mail-fix-quiet
-
-cve-2009-0887-libpam-pam_misc.patch