diff --git a/bug-641008_pam_krb5-2.3.11-setcred-log.diff b/bug-641008_pam_krb5-2.3.11-setcred-log.diff index eb3823b..b75d435 100644 --- a/bug-641008_pam_krb5-2.3.11-setcred-log.diff +++ b/bug-641008_pam_krb5-2.3.11-setcred-log.diff @@ -1,26 +1,27 @@ -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c -@@ -434,13 +434,32 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -435,13 +435,33 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + krb5_context ctx; + struct _pam_krb5_options *options; struct _pam_krb5_perms *saved_perms; - notice("pam_setcred (%s) called", -- (flags & PAM_ESTABLISH_CRED)?"establish credential": -- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -- (flags & PAM_REFRESH_CRED)?"refresh credential": -- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); +- (flags & PAM_ESTABLISH_CRED)?"establish credential": +- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": +- (flags & PAM_REFRESH_CRED)?"refresh credential": +- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); + + if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { + warn("error initializing Kerberos"); + return PAM_SERVICE_ERR; + } + -+ options = _pam_krb5_options_init(pamh, argc, argv, ctx); ++ options = _pam_krb5_options_init(pamh, argc, argv, ctx, ++ _pam_krb5_option_role_general); + if (options == NULL) { + warn("error parsing options (shouldn't happen)"); + krb5_free_context(ctx); 
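Review bot: The error path added to pam_sm_setcred releases the context with `krb5_free_context(ctx)` although it came from `_pam_krb5_init_ctx()`; the acct.c, password.c and session.c context quoted in pam_krb5-2.3.1-log-choise.dif pairs that initializer with `_pam_krb5_free_ctx(ctx)`. If the wrapper releases anything beyond the bare krb5 context, this path and the one before `return PAM_IGNORE` in the last hunk of this file would leak it on each call, so I would write `_pam_krb5_free_ctx(ctx);` in both places. The body of pam_sm_setcred continues outside the hunk, so it is not visible here whether the `return _pam_krb5_open_session(...)` branches release `options` and `ctx` first; that is worth confirming against the 2.4.13 source.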
@@ -40,7 +41,7 @@ Index: pam_krb5-2.4.4/src/auth.c return _pam_krb5_open_session(pamh, flags, argc, argv, "pam_setcred(PAM_ESTABLISH_CRED)", _pam_krb5_session_caller_setcred); -@@ -455,21 +474,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f +@@ -464,20 +484,30 @@ pam_sm_setcred(pam_handle_t *pamh, int f } saved_perms = NULL; @@ -55,7 +56,6 @@ Index: pam_krb5-2.4.4/src/auth.c if (saved_perms != NULL) { _pam_krb5_restore_perms_r2e(saved_perms); } - saved_perms = NULL; + _pam_krb5_options_free(pamh, ctx, options); + krb5_free_context(ctx); return PAM_IGNORE; diff --git a/pam_krb5-2.2.3-1-setcred-assume-establish.dif b/pam_krb5-2.2.3-1-setcred-assume-establish.dif index a99e013..eadee8b 100644 --- a/pam_krb5-2.2.3-1-setcred-assume-establish.dif +++ b/pam_krb5-2.2.3-1-setcred-assume-establish.dif @@ -1,8 +1,8 @@ -Index: src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- src/auth.c.orig -+++ src/auth.c -@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f "pam_setcred(PAM_DELETE_CRED)", _pam_krb5_session_caller_setcred); } diff --git a/pam_krb5-2.3.1-log-choise.dif b/pam_krb5-2.3.1-log-choise.dif index 5041673..19e57cb 100644 --- a/pam_krb5-2.3.1-log-choise.dif +++ b/pam_krb5-2.3.1-log-choise.dif 
@@ -1,92 +1,90 @@ -Index: pam_krb5-2.4.4/src/acct.c +Index: pam_krb5-2.4.13/src/acct.c =================================================================== ---- pam_krb5-2.4.4.orig/src/acct.c -+++ pam_krb5-2.4.4/src/acct.c -@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int +--- pam_krb5-2.4.13.orig/src/acct.c ++++ pam_krb5-2.4.13/src/acct.c +@@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_acct_mgmt called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } /* Get information about the user and the user's principal name. */ userinfo = _pam_krb5_user_info_init(ctx, user, options); -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c -@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh, +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh, return PAM_SERVICE_ERR; } if (options->debug) { -- debug("called to authenticate '%s', realm '%s'", user, -- options->realm); +- debug("called to authenticate '%s', configured realm '%s'", +- user, options->realm); + debug("pam_authenticate called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); } -+ _pam_krb5_set_init_opts(ctx, gic_options, options); - /* Prompt for the password, as we might need to. 
*/ -@@ -432,6 +433,11 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +@@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + notice("pam_setcred (%s) called", -+ (flags & PAM_ESTABLISH_CRED)?"establish credential": -+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -+ (flags & PAM_REFRESH_CRED)?"refresh credential": -+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); ++ (flags & PAM_ESTABLISH_CRED)?"establish credential": ++ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": ++ (flags & PAM_REFRESH_CRED)?"refresh credential": ++ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); if (flags & PAM_ESTABLISH_CRED) { return _pam_krb5_open_session(pamh, flags, argc, argv, "pam_setcred(PAM_ESTABLISH_CRED)", -Index: pam_krb5-2.4.4/src/password.c +Index: pam_krb5-2.4.13/src/password.c =================================================================== ---- pam_krb5-2.4.4.orig/src/password.c -+++ pam_krb5-2.4.4/src/password.c -@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int +--- pam_krb5-2.4.13.orig/src/password.c ++++ pam_krb5-2.4.13/src/password.c +@@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_chauthtok called (%s) for '%s', realm '%s'", -+ (flags & PAM_PRELIM_CHECK) ? -+ "preliminary check" : -+ ((flags & PAM_UPDATE_AUTHTOK) ? -+ "updating authtok": -+ "unknown phase"), -+ user, -+ options->realm); ++ (flags & PAM_PRELIM_CHECK) ? ++ "preliminary check" : ++ ((flags & PAM_UPDATE_AUTHTOK) ? ++ "updating authtok": ++ "unknown phase"), ++ user, ++ options->realm); + } _pam_krb5_set_init_opts(ctx, gic_options, options); /* Get information about the user and the user's principal name. 
*/ -Index: pam_krb5-2.4.4/src/session.c +Index: pam_krb5-2.4.13/src/session.c =================================================================== ---- pam_krb5-2.4.4.orig/src/session.c -+++ pam_krb5-2.4.4/src/session.c -@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam +--- pam_krb5-2.4.13.orig/src/session.c ++++ pam_krb5-2.4.13/src/session.c +@@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_open_session called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } /* If we're in a no-cred-session situation, return. */ if ((!options->cred_session) && -@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa +@@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa _pam_krb5_free_ctx(ctx); - return PAM_SUCCESS; + return PAM_SERVICE_ERR; } - + if (options->debug) { + debug("pam_close_session called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } - /* Get information about the user and the user's principal name. */ - userinfo = _pam_krb5_user_info_init(ctx, user, options); - if (userinfo == NULL) { + /* If we're in a no-cred-session situation, return. */ + if ((!options->cred_session) && + (caller_type == _pam_krb5_session_caller_setcred)) { diff --git a/pam_krb5-2.3.1-switch-perms-on-refresh.dif b/pam_krb5-2.3.1-switch-perms-on-refresh.dif index 92882a3..0c32d69 100644 --- a/pam_krb5-2.3.1-switch-perms-on-refresh.dif +++ b/pam_krb5-2.3.1-switch-perms-on-refresh.dif @@ -1,7 +1,7 @@ -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c @@ -56,6 +56,7 @@ #include "items.h" #include "kuserok.h" 
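Review bot: The debug() calls this patch adds in acct.c, password.c and session.c, and rewords in auth.c, write the caller-supplied `user` string to the log verbatim. In pam_sm_authenticate that value has not been authenticated yet, so a password typed at the user-name prompt is recorded in clear text wherever the `debug` option is on. I would say so next to the calls, for example `/* debug only: 'user' is unauthenticated input and may contain a mistyped password */`, and state in the patch header that `debug` is not meant for production stacks. Separately, the auth.c section now only rewords an existing upstream message, so dropping it would leave less to rebase.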
@@ -10,24 +10,30 @@ Index: pam_krb5-2.4.4/src/auth.c #include "options.h" #include "prompter.h" #include "session.h" -@@ -433,6 +434,7 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +@@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + struct _pam_krb5_perms *saved_perms; notice("pam_setcred (%s) called", - (flags & PAM_ESTABLISH_CRED)?"establish credential": - (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f + (flags & PAM_ESTABLISH_CRED)?"establish credential": + (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": +@@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f _pam_krb5_session_caller_setcred); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { + saved_perms = _pam_krb5_switch_perms_r2e(); + + if (flags & PAM_REINITIALIZE_CRED) { + why = "pam_setcred(PAM_REINITIALIZE_CRED)"; + if (flags & PAM_REFRESH_CRED) { +@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f + why = "pam_setcred(PAM_REFRESH_CRED)"; + } if (_pam_krb5_sly_looks_unsafe() == 0) { -- return _pam_krb5_sly_maybe_refresh(pamh, flags, +- return _pam_krb5_sly_maybe_refresh(pamh, flags, why, - argc, argv); -+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv); ++ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv); + if (saved_perms != NULL) { + _pam_krb5_restore_perms_r2e(saved_perms); + } @@ -39,14 +45,13 @@ Index: pam_krb5-2.4.4/src/auth.c + if (saved_perms != NULL) { + _pam_krb5_restore_perms_r2e(saved_perms); + } -+ saved_perms = NULL; return PAM_IGNORE; } } -Index: pam_krb5-2.4.4/src/perms.c +Index: pam_krb5-2.4.13/src/perms.c =================================================================== ---- pam_krb5-2.4.4.orig/src/perms.c -+++ pam_krb5-2.4.4/src/perms.c +--- pam_krb5-2.4.13.orig/src/perms.c ++++ pam_krb5-2.4.13/src/perms.c 
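Review bot: Both calls to `_pam_krb5_restore_perms_r2e(saved_perms)` in pam_sm_setcred discard the result, although the perms.c section of this same patch shows the function returning -1 when `setresuid()` or `setresgid()` fails. A failed restore would hand control back to the calling application with the switched IDs still in effect, so the result should be checked on both paths, e.g. `if (saved_perms != NULL && _pam_krb5_restore_perms_r2e(saved_perms) != 0) { warn("error restoring permissions"); return PAM_SERVICE_ERR; }`. The same applies to the call before `return PAM_IGNORE` in the next hunk. A NULL return from `_pam_krb5_switch_perms_r2e()` is also tolerated silently, so the refresh appears to run with the original IDs in that case; a `warn()` there would at least make it visible. The function body starts and ends outside this hunk.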
@@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 } return ret; @@ -90,17 +95,17 @@ Index: pam_krb5-2.4.4/src/perms.c + int ret = -1; + if (saved != NULL) { + if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) && -+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { ++ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { + ret = 0; + } + free(saved); + } + return ret; +} -Index: pam_krb5-2.4.4/src/perms.h +Index: pam_krb5-2.4.13/src/perms.h =================================================================== ---- pam_krb5-2.4.4.orig/src/perms.h -+++ pam_krb5-2.4.4/src/perms.h +--- pam_krb5-2.4.13.orig/src/perms.h ++++ pam_krb5-2.4.13/src/perms.h @@ -37,4 +37,7 @@ struct _pam_krb5_perms; struct _pam_krb5_perms *_pam_krb5_switch_perms(void); int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); diff --git a/pam_krb5-2.4.13.tar.bz2 b/pam_krb5-2.4.13.tar.bz2 new file mode 100644 index 0000000..8811b05 --- /dev/null +++ b/pam_krb5-2.4.13.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d780e5699454e13e1d7ccc9ba6b0c0f1a20b0759143e2cf8a9a17a7d04ec3713 +size 445749 diff --git a/pam_krb5-2.4.4.tar.gz b/pam_krb5-2.4.4.tar.gz deleted file mode 100644 index a291ffe..0000000 --- a/pam_krb5-2.4.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:46f7f549048c2a82622bef726008b13687a655cda24e2b9ad72a667b3964940f -size 556439 diff --git a/pam_krb5-LINGUAS.dif b/pam_krb5-LINGUAS.dif deleted file mode 100644 index 01d527e..0000000 --- a/pam_krb5-LINGUAS.dif +++ /dev/null @@ -1,18 +0,0 @@ -Index: po/LINGUAS -=================================================================== ---- po/LINGUAS.orig -+++ po/LINGUAS -@@ -33,3 +33,13 @@ te - uk - zh_CN - zh_TW -+ar -+bg -+fi -+hr -+ka -+km -+nb -+pt -+th -+wa diff --git a/pam_krb5-po.tar.bz2 b/pam_krb5-po.tar.bz2 new file mode 100644 index 0000000..e5b3149 --- /dev/null +++ b/pam_krb5-po.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3a7bbfd0b1b2b22b5884817e3096fa1b34aa0617b53f3280526dd3420c6ea8ac +size 4013 diff --git a/pam_krb5-po.tar.gz b/pam_krb5-po.tar.gz deleted file mode 100644 index b817f91..0000000 --- a/pam_krb5-po.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7bd07c953ca39ed6df1bf9455de24865e424f8ce0ccb0200816b65d81dc4d0cd -size 3906 diff --git a/pam_krb5.changes b/pam_krb5.changes index e8b4973..43150f2 100644 --- a/pam_krb5.changes +++ b/pam_krb5.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Wed Jul 26 07:04:12 UTC 2017 - josef.moellers@suse.com + +- Update to 2.4.13: + * Fix a memory leak on FAST-capable clients + * Learn to run 'kdc' and 'kpasswdd', if appropriate + * Add the ability to specify a server principal + * Drop _pam_krb5_stash_chown_keyring functionality + * Fix a configure syntax error + * Handle ccname templates that don't include a type + * Fix a memory leak (static analysis) + * default to subsequent_prompt=false for chauthtok + * Don't close descriptors for fork-without-exec + * Handle PKINIT without duplicate prompting + * Add support for rxkad-k5-kdf + [pam_krb5-LINGUAS.dif] + ------------------------------------------------------------------- Wed May 28 15:24:21 UTC 2014 - ckornacker@suse.com diff --git a/pam_krb5.spec b/pam_krb5.spec index f290bd3..995c32a 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -1,7 +1,7 @@ # # spec file for package pam_krb5 # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -30,17 +30,16 @@ Provides: pam_krb Obsoletes: pam_krb5-64bit %endif # -Version: 2.4.4 +Version: 2.4.13 Release: 0 Summary: A Pluggable Authentication Module for Kerberos 5 License: BSD-3-Clause or LGPL-2.1+ Group: Productivity/Networking/Security -Url: https://fedorahosted.org/pam_krb5/ -Source: https://fedorahosted.org/released/pam_krb5/pam_krb5-%{version}.tar.gz -Source2: pam_krb5-po.tar.gz +Url: https://pagure.io/pam_krb5 +Source: pam_krb5-%{version}.tar.bz2 +Source2: pam_krb5-po.tar.bz2 Source3: baselibs.conf Patch1: pam_krb5-2.3.1-log-choise.dif -Patch2: pam_krb5-LINGUAS.dif Patch3: pam_krb5-2.3.1-switch-perms-on-refresh.dif Patch4: pam_krb5-2.2.3-1-setcred-assume-establish.dif Patch5: bug-641008_pam_krb5-2.3.11-setcred-log.diff @@ -54,9 +53,8 @@ supports updating your Kerberos password. %setup -q -n pam_krb5-%{version} %setup -a 2 -T -D -n pam_krb5-%{version} %patch1 -p1 -%patch2 %patch3 -p1 -%patch4 +%patch4 -p1 %patch5 -p1 %build
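Review bot: `Source: pam_krb5-%{version}.tar.bz2` replaces a full download URL with a bare file name, so nothing in the package ties the tarball to an upstream release any more. The git-lfs pointer's sha256 only shows that the committed file is unchanged; it says nothing about where the file came from, and the switch from .tar.gz to .tar.bz2 suggests it may have been repacked locally. I would keep a fetchable location under the new upstream host, `Source: <upstream release URL>/pam_krb5-%{version}.tar.bz2` (placeholder for the real path), so source validation can compare against upstream. If upstream publishes a checksum or signature for the release, record it in pam_krb5.changes or ship it as an additional Source.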