- Add post 1.6.0 release fixes for pam_env:

- pam_env-fix-enable-vendordir-fallback.patch
  - pam_env-fix_vendordir.patch
  - pam_env-remove-escaped-newlines.patch

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=285

disable-pam_env-test.patch

@@ -1,11 +0,0 @@
---- Linux-PAM-1.6.0/modules/pam_env/Makefile.am.old	2024-01-17 11:29:36.000000000 +0100
-+++ Linux-PAM-1.6.0/modules/pam_env/Makefile.am	2024-01-18 16:45:11.923011145 +0100
-@@ -12,7 +12,7 @@
- endif
- XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
- dist_check_SCRIPTS = tst-pam_env
--TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
-+TESTS = $(dist_check_SCRIPTS)
- 
- securelibdir = $(SECUREDIR)
- if HAVE_VENDORDIR

pam.changes

@@ -1,12 +1,10 @@
 -------------------------------------------------------------------
-Thu Jan 18 15:45:53 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
-
-- disable-pam_env-test.patch: disable tst-pam_env-retval.c as it is
-  broken
-
--------------------------------------------------------------------
-Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 
+- Add post 1.6.0 release fixes for pam_env:
+  - pam_env-fix-enable-vendordir-fallback.patch
+  - pam_env-fix_vendordir.patch
+  - pam_env-remove-escaped-newlines.patch
 - Update to version 1.6.0
   - Added support of configuration files with arbitrarily long lines.
   - build: fixed build outside of the source tree.

pam.spec

@@ -96,7 +96,12 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-Patch2:         disable-pam_env-test.patch
+# https://github.com/linux-pam/linux-pam/pull/739
+Patch2:         pam_env-fix_vendordir.patch
+# https://github.com/linux-pam/linux-pam/pull/740
+Patch3:		pam_env-fix-enable-vendordir-fallback.patch
+# https://github.com/linux-pam/linux-pam/pull/741
+Patch4:         pam_env-remove-escaped-newlines.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
@@ -210,6 +215,8 @@ building both PAM-aware applications and modules for use with PAM.
 cp -a %{SOURCE12} .
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 bash ./pam-login_defs-check.sh

pam_env-fix-enable-vendordir-fallback.patch

@@ -0,0 +1,51 @@
+From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@strace.io>
+Date: Thu, 18 Jan 2024 17:00:00 +0000
+Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
+
+* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
+VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
+if the config file is specified via module arguments.
+
+Link: https://github.com/linux-pam/linux-pam/issues/738
+Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
+---
+ modules/pam_env/pam_env.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index a0b812fff..8b40b6a5a 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
+ #ifdef USE_ECONF
+     /* If "file" is not NULL, only this file will be parsed. */
+     retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
+-#else
++#else /* !USE_ECONF */
+     /* Only one file will be parsed. So, file has to be set. */
+-    if (file == NULL) /* No filename has been set via argv. */
++    if (file == NULL) { /* No filename has been set via argv. */
+       file = DEFAULT_CONF_FILE;
+-#ifdef VENDOR_DEFAULT_CONF_FILE
+-    /*
+-    * Check whether file is available.
+-    * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
+-    */
+-    struct stat stat_buffer;
+-    if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
+-      file = VENDOR_DEFAULT_CONF_FILE;
++# ifdef VENDOR_DEFAULT_CONF_FILE
++      /*
++       * Check whether DEFAULT_CONF_FILE file is available.
++       * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
++       */
++      struct stat stat_buffer;
++      if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
++        file = VENDOR_DEFAULT_CONF_FILE;
++# endif
+     }
+-#endif
+     retval = read_file(pamh, file, &conf_list);
+ #endif
+ 

pam_env-fix_vendordir.patch

@@ -0,0 +1,51 @@
+From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 18 Jan 2024 18:08:05 +0100
+Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
+
+The VENDORDIR define has to be checked after config.h
+inclusion, otherwise the ifdef test always yields false.
+
+Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ modules/pam_env/pam_env.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index 59adc942c..a0b812fff 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -6,15 +6,6 @@
+  * template for this file (via pam_mail)
+  */
+ 
+-#define DEFAULT_ETC_ENVFILE     "/etc/environment"
+-#ifdef VENDORDIR
+-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
+-#endif
+-#define DEFAULT_READ_ENVFILE    1
+-
+-#define DEFAULT_USER_ENVFILE    ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 0
+-
+ #include "config.h"
+ 
+ #include <ctype.h>
+@@ -52,6 +43,15 @@ typedef struct var {
+   char *override;
+ } VAR;
+ 
++#define DEFAULT_ETC_ENVFILE     "/etc/environment"
++#ifdef VENDORDIR
++#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
++#endif
++#define DEFAULT_READ_ENVFILE    1
++
++#define DEFAULT_USER_ENVFILE    ".pam_environment"
++#define DEFAULT_USER_READ_ENVFILE 0
++
+ #define DEFAULT_CONF_FILE	(SCONFIGDIR "/pam_env.conf")
+ #ifdef VENDOR_SCONFIGDIR
+ #define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")

pam_env-remove-escaped-newlines.patch

@@ -0,0 +1,54 @@
+From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 18 Jan 2024 20:25:20 +0100
+Subject: [PATCH] pam_env: remove escaped newlines from econf lines
+
+The libeconf routines do not remove escaped newlines the way we want to
+process them later on. Manually remove them from values.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index a0b812fff..5f53fbb10 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -160,6 +160,28 @@ isDirectory(const char *path) {
+    return S_ISDIR(statbuf.st_mode);
+ }
+ 
++/*
++ * Remove escaped newline from string.
++ *
++ * All occurrences of "\\n" will be removed from string.
++ */
++static void
++econf_unescnl(char *val)
++{
++    char *dest, *p;
++
++    dest = p = val;
++
++    while (*p != '\0') {
++      if (p[0] == '\\' && p[1] == '\n') {
++	p += 2;
++      } else {
++	*dest++ = *p++;
++      }
++    }
++    *dest = '\0';
++}
++
+ static int
+ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
+ 			   const char *name, const char *suffix, const char *subpath,
+@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ 		   keys[i],
+ 		   econf_errString(error));
+       } else {
++        econf_unescnl(val);
+         if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
+ 	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+           econf_free(keys);