--- libpam/pam_dispatch.c 3 Dec 2008 14:16:33 -0000 1.13
+++ libpam/pam_dispatch.c 4 Feb 2009 13:48:02 -0000
@@ -132,11 +132,10 @@
 }
 /*
- * use_cached_chain is how we ensure that the setcred/close_session
- * and chauthtok(2) modules are called in the same order as they did
- * when they were invoked as auth/open_session/chauthtok(1). This
- * feature was added in 0.75 to make the behavior of pam_setcred
- * sane. It was debugged by release 0.76.
+ * use_cached_chain is how we ensure that the setcred and
+ * close_session modules are called in the same order as they did
+ * when they were invoked as auth/open_session. This feature was
+ * added in 0.75 to make the behavior of pam_setcred sane.
 */
 if (use_cached_chain != _PAM_PLEASE_FREEZE) {
@@ -358,9 +357,6 @@
 break;
 case PAM_CHAUTHTOK:
 h = pamh->handlers.conf.chauthtok;
- if (flags & PAM_UPDATE_AUTHTOK) {
- use_cached_chain = _PAM_MUST_BE_FROZEN;
- }
 break;
 default:
 pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
--- libpam/pam_password.c 24 Jul 2006 15:47:40 -0000 1.5
+++ libpam/pam_password.c 4 Feb 2009 13:48:02 -0000
@@ -24,6 +24,13 @@
 return PAM_SYSTEM_ERR;
 }
+ /* applications are not allowed to set this flags */
+ if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
+ syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX
+ "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
+ return PAM_SYSTEM_ERR;
+ }
+
 if (pamh->former.choice == PAM_NOT_STACKED) {
 _pam_start_timer(pamh); /* we try to make the time for a failure independent of the time it takes to
@@ -58,4 +67,3 @@
 return retval;
 }
-
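Review bot: The rejection added in the libpam/pam_password.c hunk (`@@ -24,6 +24,13 @@`) logs through bare `syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX ...)` rather than the handle-aware `pam_syslog` that the dispatcher code in this same patch uses, so an operator triaging the event may not be able to tell which service passed the reserved flags. If `pamh` is already known to be valid at this point (the checks above the hunk are not visible, though the next context line dereferences it), `pam_syslog(pamh, LOG_ERR, "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");` would be consistent with the rest of the library and more useful for detection. The new comment also has a typo; `/* applications are not allowed to set these flags */` reads correctly. The enclosing function starts and ends outside the hunk.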