From 9894df123059a56d9ca5ab0bcb06aed7e19cda05 Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Mon, 24 Aug 2009 13:45:51 -0700
Subject: Drop patches pam_unix_thread-safe_save_old_password.patch, pam_env_ignore_garbage.patch, dont_freeze_password_chain, pam_1.0.4_mindays, pam_mail-fix-quiet, and cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
---
 debian/changelog | 12 +++
 .../cve-2009-0887-libpam-pam_misc.patch | 32 ------
 debian/patches-applied/dont_freeze_password_chain | 118 ---------------------
 debian/patches-applied/pam_1.0.4_mindays | 36 -------
 .../patches-applied/pam_env_ignore_garbage.patch | 46 --------
 debian/patches-applied/pam_mail-fix-quiet | 37 -------
 .../pam_unix_thread-safe_save_old_password.patch | 70 ------------
 debian/patches-applied/series | 7 --
 8 files changed, 12 insertions(+), 346 deletions(-)
 delete mode 100644 debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
 delete mode 100644 debian/patches-applied/dont_freeze_password_chain
 delete mode 100644 debian/patches-applied/pam_1.0.4_mindays
 delete mode 100644 debian/patches-applied/pam_env_ignore_garbage.patch
 delete mode 100644 debian/patches-applied/pam_mail-fix-quiet
 delete mode 100644 debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
diff --git a/debian/changelog b/debian/changelog
index 5543e0b1..2aa9cd0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+pam (1.1.0-1) UNRELEASED; urgency=low
+
+ * New upstream version.
+ - pam_access no longer does DNS lookups when we know we're comparing
+ with a tty name or a service name. Closes: #376209.
+ * Drop patches pam_unix_thread-safe_save_old_password.patch,
+ pam_env_ignore_garbage.patch, dont_freeze_password_chain,
+ pam_1.0.4_mindays, pam_mail-fix-quiet, and
+ cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
+
+ -- Steve Langasek Mon, 24 Aug 2009 01:23:18 -0700
+
 pam (1.0.1-11) unstable; urgency=low
 
 * debian/libpam-runtime.postinst: bump the --force version check to
diff --git a/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch b/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
deleted file mode 100644
index e44bc91a..00000000
--- a/debian/patches-applied/cve-2009-0887-libpam-pam_misc.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Patch for cve-2009-0887
-int rather than unsigned char is used to index an array.
-
-upstream status: fixed upstream
-
-Index: sid/libpam/pam_misc.c
-===================================================================
---- sid.orig/libpam/pam_misc.c 2009-07-24 12:22:34.000000000 -0400
-+++ sid/libpam/pam_misc.c 2009-07-24 12:22:45.000000000 -0400
-@@ -59,10 +59,11 @@
-
- /* initialize table */
- for (i=1; i<256; table[i++] = '\0');
-- for (i=0; format[i] ; table[(int)format[i++]] = 'y');
-+ for (i=0; format[i] ;
-+ table[(unsigned char)format[i++]] = 'y');
-
- /* look for first non-format char */
-- while (*from && table[(int)*from]) {
-+ while (*from && table[(unsigned char)*from]) {
- ++from;
- }
-
-@@ -92,7 +93,7 @@
- remains */
- } else if (*from) {
- /* simply look for next blank char */
-- for (end=from; *end && !table[(int)*end]; ++end);
-+ for (end=from; *end && !table[(unsigned char)*end]; ++end);
- } else {
- return (*next = NULL); /* no tokens left */
- }
diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain
deleted file mode 100644
index 2f1cf43e..00000000
--- a/debian/patches-applied/dont_freeze_password_chain
+++ /dev/null
@@ -1,118 +0,0 @@ -Don't freeze the chain for chauthtok. - -bugzilla.novell.com#470337, LP: #303515. - -Author: Thorsten Kukuk - -Upstream status: cherry-picked from upstream. - -=== modified file 'doc/man/pam_sm_chauthtok.3.xml' -Index: doc/man/pam_sm_chauthtok.3.xml -=================================================================== ---- doc/man/pam_sm_chauthtok.3.xml.orig 2009-04-17 12:44:11.000000000 -0700 -+++ doc/man/pam_sm_chauthtok.3.xml 2009-04-17 12:47:40.000000000 -0700 -@@ -40,7 +40,7 @@ - interface. - - -- This function is used to (re-)set the authentication token of the user. -+ This function is used to (re-)set the authentication token of the user. - - - Valid flags, which may be logically OR'd with -@@ -60,10 +60,10 @@ - - - This argument indicates to the module that the users -- authentication token (password) should only be changed if -- it has expired. This flag is optional and -- must be combined with one of the -- following two flags. Note, however, the following two options -+ authentication token (password) should only be changed if -+ it has expired. This flag is optional and -+ must be combined with one of the -+ following two flags. Note, however, the following two options - are mutually exclusive. - - -@@ -72,15 +72,20 @@ - PAM_PRELIM_CHECK - - -- This indicates that the modules are being probed as to -- their ready status for altering the user's authentication -- token. If the module requires access to another system over -- some network it should attempt to verify it can connect to -- this system on receiving this flag. If a module cannot establish -- it is ready to update the user's authentication token it should -+ This indicates that the modules are being probed as to -+ their ready status for altering the user's authentication -+ token. If the module requires access to another system over -+ some network it should attempt to verify it can connect to -+ this system on receiving this flag. 
If a module cannot establish -+ it is ready to update the user's authentication token it should - return PAM_TRY_AGAIN, this - information will be passed back to the application. - -+ -+ If the control value sufficient is used in -+ the password stack, the PAM_PRELIM_CHECK section -+ of the modules following that control value is not always executed. -+ - - - -@@ -89,18 +94,18 @@ - - This informs the module that this is the call it should change - the authorization tokens. If the flag is logically OR'd with -- PAM_CHANGE_EXPIRED_AUTHTOK, the -+ PAM_CHANGE_EXPIRED_AUTHTOK, the - token is only changed if it has actually expired. - - - - - -- The PAM library calls this function twice in succession. The first -- time with PAM_PRELIM_CHECK and then, -- if the module does not return -+ The PAM library calls this function twice in succession. The first -+ time with PAM_PRELIM_CHECK and then, -+ if the module does not return - PAM_TRY_AGAIN, subsequently with -- PAM_UPDATE_AUTHTOK. It is only on -+ PAM_UPDATE_AUTHTOK. It is only on - the second call that the authorization token is (possibly) changed. - - -Index: libpam/pam_dispatch.c -=================================================================== ---- libpam/pam_dispatch.c.orig 2009-04-17 12:47:17.000000000 -0700 -+++ libpam/pam_dispatch.c 2009-04-17 12:47:40.000000000 -0700 -@@ -128,11 +128,10 @@ - } - - /* -- * use_cached_chain is how we ensure that the setcred/close_session -- * and chauthtok(2) modules are called in the same order as they did -- * when they were invoked as auth/open_session/chauthtok(1). This -- * feature was added in 0.75 to make the behavior of pam_setcred -- * sane. It was debugged by release 0.76. -+ * use_cached_chain is how we ensure that the setcred and -+ * close_session modules are called in the same order as they did -+ * when they were invoked as auth/open_session. This feature was -+ * added in 0.75 to make the behavior of pam_setcred sane. 
- */
- if (use_cached_chain != _PAM_PLEASE_FREEZE) {
-
-@@ -342,9 +341,6 @@
- break;
- case PAM_CHAUTHTOK:
- h = pamh->handlers.conf.chauthtok;
-- if (flags & PAM_UPDATE_AUTHTOK) {
-- use_cached_chain = _PAM_MUST_BE_FROZEN;
-- }
- break;
- default:
- pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
diff --git a/debian/patches-applied/pam_1.0.4_mindays b/debian/patches-applied/pam_1.0.4_mindays
deleted file mode 100644
index 0f766e91..00000000
--- a/debian/patches-applied/pam_1.0.4_mindays
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: debian-pkg-pam/modules/pam_unix/pam_unix_acct.c
-===================================================================
---- debian-pkg-pam.orig/modules/pam_unix/pam_unix_acct.c 2009-04-17 11:30:15.000000000 -0700
-+++ debian-pkg-pam/modules/pam_unix/pam_unix_acct.c 2009-04-17 11:31:25.000000000 -0700
-@@ -250,6 +250,9 @@
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("Your account has expired; please contact your system administrator"));
- break;
-+ case PAM_AUTHTOK_ERR:
-+ retval = PAM_SUCCESS;
-+ /* fallthrough */
- case PAM_SUCCESS:
- if (daysleft >= 0) {
- pam_syslog(pamh, LOG_DEBUG,
-Index: debian-pkg-pam/modules/pam_unix/passverify.c
-===================================================================
---- debian-pkg-pam.orig/modules/pam_unix/passverify.c 2009-04-17 11:30:07.000000000 -0700
-+++ debian-pkg-pam/modules/pam_unix/passverify.c 2009-04-17 11:30:59.000000000 -0700
-@@ -301,8 +301,16 @@
- *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- D(("warn before expiry"));
- }
-+ if ((curdays - spent->sp_lstchg < spent->sp_min)
-+ && (spent->sp_min != -1)) {
-+ /*
-+ * The last password change was too recent. This error will be ignored
-+ * if no password change is attempted.
-+ */
-+ D(("password change too recent"));
-+ return PAM_AUTHTOK_ERR;
-+ }
- return PAM_SUCCESS;
--
- }
-
- /* passwd/salt conversion macros */
diff --git a/debian/patches-applied/pam_env_ignore_garbage.patch b/debian/patches-applied/pam_env_ignore_garbage.patch
deleted file mode 100644
index 3df76a07..00000000
--- a/debian/patches-applied/pam_env_ignore_garbage.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Patch for Debian bug #439984
-
-pam_env was not correctly skipping over non-alphanumeric variable names,
-and was not handling the PAM_BAD_ITEM error return from pam_putenv()
-when clearing an unset variable.
-
-Authors: Steve Langasek
-
-Upstream status: committed to CVS
-
-Index: pam/Linux-PAM/modules/pam_env/pam_env.c
-===================================================================
---- pam.orig/Linux-PAM/modules/pam_env/pam_env.c
-+++ pam/Linux-PAM/modules/pam_env/pam_env.c
-@@ -232,9 +232,14 @@
-
- for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ )
- if (!isalnum(key[i]) && key[i] != '_') {
-- D(("key is not alpha numeric - '%s', ignoring", key));
-- continue;
-+ pam_syslog(pamh, LOG_ERR,
-+ "non-alphanumeric key '%s' in %s', ignoring",
-+ key, file);
-+ break;
- }
-+ /* non-alphanumeric key, ignore this line */
-+ if (key[i] != '=' && key[i] != '\0')
-+ continue;
-
- /* now we try to be smart about quotes around the value,
- but not too smart, we can't get all fancy with escaped
-@@ -248,6 +253,14 @@
- key[i] = '\0';
- }
-
-+ /* if this is a request to delete a variable, check that it's
-+ actually set first, so we don't get a vague error back from
-+ pam_putenv() */
-+ for (i = 0; key[i] != '=' && key[i] != '\0'; i++);
-+
-+ if (key[i] == '\0' && !pam_getenv(pamh,key))
-+ continue;
-+
- /* set the env var, if it fails, we break out of the loop */
- retval = pam_putenv(pamh, key);
- if (retval != PAM_SUCCESS) {
diff --git a/debian/patches-applied/pam_mail-fix-quiet b/debian/patches-applied/pam_mail-fix-quiet
deleted file mode 100644
index b85637ca..00000000
--- a/debian/patches-applied/pam_mail-fix-quiet
+++ /dev/null
@@ -1,37 +0,0 @@
-Make quiet option of pam_mail work. Fixes http://bugs.debian.org/439268
-
-Author: Andreas Henriksson
-Upstream status: applied in upstream CVS September 2008
-
-Index: sid/modules/pam_mail/pam_mail.c
-===================================================================
---- sid.orig/modules/pam_mail/pam_mail.c 2009-07-21 04:31:54.000000000 -0400
-+++ sid/modules/pam_mail/pam_mail.c 2009-07-24 12:16:47.000000000 -0400
-@@ -303,8 +303,13 @@
- {
- int retval;
-
-- if (!(ctrl & PAM_MAIL_SILENT) ||
-- ((ctrl & PAM_QUIET_MAIL) && type == HAVE_NEW_MAIL))
-+ if ((ctrl & PAM_MAIL_SILENT) ||
-+ ((ctrl & PAM_QUIET_MAIL) && type != HAVE_NEW_MAIL))
-+ {
-+ D(("keeping quiet"));
-+ retval = PAM_SUCCESS;
-+ }
-+ else
- {
- if (ctrl & PAM_STANDARD_MAIL)
- switch (type)
-@@ -345,11 +350,6 @@
- break;
- }
- }
-- else
-- {
-- D(("keeping quiet"));
-- retval = PAM_SUCCESS;
-- }
-
- D(("returning %s", pam_strerror(pamh, retval)));
- return retval;
diff --git a/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch b/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
deleted file mode 100644
index 67957d41..00000000
--- a/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Patch to keep save_old_password() thread-safe when called by the PAM
-module, since nothing blocks other threads from calling getpwnam in
-parallel
-
-Authors: Steve Langasek
-
-Upstream status: committed to CVS
-
-Index: pam.deb/modules/pam_unix/passverify.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.c
-+++ pam.deb/modules/pam_unix/passverify.c
-@@ -535,9 +535,15 @@
- }
- #endif
-
-+#ifdef HELPER_COMPILE
- int
- save_old_password(const char *forwho, const char *oldpass,
- int howmany)
-+#else
-+int
-+save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
-+ int howmany)
-+#endif
- {
- static char buf[16384];
- static char nbuf[16384];
-@@ -653,7 +659,7 @@
- fclose(opwfile);
-
- if (!found) {
-- pwd = getpwnam(forwho);
-+ pwd = pam_modutil_getpwnam(pamh, forwho);
- if (pwd == NULL) {
- err = 1;
- } else {
-Index: pam.deb/modules/pam_unix/passverify.h
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.h
-+++ pam.deb/modules/pam_unix/passverify.h
-@@ -33,9 +33,15 @@
- void
- unlock_pwdf(void);
-
-+#ifdef HELPER_COMPILE
- int
- save_old_password(const char *forwho, const char *oldpass,
- int howmany);
-+#else
-+int
-+save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
-+ int howmany);
-+#endif
-
- #ifdef HELPER_COMPILE
- void
-Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
-+++ pam.deb/modules/pam_unix/pam_unix_passwd.c
-@@ -378,7 +378,7 @@
- return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
- #endif
- /* first, save old password */
-- if (save_old_password(forwho, fromwhat, remember)) {
-+ if (save_old_password(pamh, forwho, fromwhat, remember)) {
- retval = PAM_AUTHTOK_ERR;
- goto done;
- }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index f9ba7482..e556fe11 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,4 +1,3 @@
-pam_unix_thread-safe_save_old_password.patch
 pam_unix_fix_sgid_shadow_auth.patch
 pam_unix_dont_trust_chkpwd_caller.patch
 007_modules_pam_unix
@@ -17,13 +16,7 @@ hurd_no_setfsuid
 054_pam_security_abstract_securetty_handling
 055_pam_unix_nullok_secure
 PAM-manpage-section
-pam_env_ignore_garbage.patch -p2
 pam.d-manpage-section
 pam_unix-chkpwd-wait
 autoconf.patch
-dont_freeze_password_chain -p0
-pam_1.0.4_mindays
 update-motd
-pam_mail-fix-quiet
-
-cve-2009-0887-libpam-pam_misc.patch
--
cgit v1.2.3