Accepting request 515934 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/515934
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=58

bug-641008_pam_krb5-2.3.11-setcred-log.diff

@@ -1,26 +1,27 @@
-Index: pam_krb5-2.4.4/src/auth.c
+Index: pam_krb5-2.4.13/src/auth.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/auth.c
+--- pam_krb5-2.4.13.orig/src/auth.c
-+++ pam_krb5-2.4.4/src/auth.c
++++ pam_krb5-2.4.13/src/auth.c
-@@ -434,13 +434,32 @@ int
+@@ -435,13 +435,33 @@ pam_sm_setcred(pam_handle_t *pamh, int f
- pam_sm_setcred(pam_handle_t *pamh, int flags,
  	       int argc, PAM_KRB5_MAYBE_CONST char **argv)
  {
+ 	const char *why = "";
 +	krb5_context ctx;
 +	struct _pam_krb5_options *options;
  	struct _pam_krb5_perms *saved_perms;
 -	notice("pam_setcred (%s) called",
--		   (flags & PAM_ESTABLISH_CRED)?"establish credential":
+-		(flags & PAM_ESTABLISH_CRED)?"establish credential":
--		   (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+-		(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
--		   (flags & PAM_REFRESH_CRED)?"refresh credential":
+-		(flags & PAM_REFRESH_CRED)?"refresh credential":
--		   (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+-		(flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
 +
 +	if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
 +		warn("error initializing Kerberos");
 +		return PAM_SERVICE_ERR;
 +	}
 +
-+	options = _pam_krb5_options_init(pamh, argc, argv, ctx);
++	options = _pam_krb5_options_init(pamh, argc, argv, ctx,
++					 _pam_krb5_option_role_general);
 +	if (options == NULL) {
 +		warn("error parsing options (shouldn't happen)");
 +		krb5_free_context(ctx);
@@ -40,7 +41,7 @@ Index: pam_krb5-2.4.4/src/auth.c
  		return _pam_krb5_open_session(pamh, flags, argc, argv,
  					      "pam_setcred(PAM_ESTABLISH_CRED)",
  					      _pam_krb5_session_caller_setcred);
-@@ -455,21 +474,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+@@ -464,20 +484,30 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  			}
  			saved_perms = NULL;
  
@@ -55,7 +56,6 @@ Index: pam_krb5-2.4.4/src/auth.c
  			if (saved_perms != NULL) {
  				_pam_krb5_restore_perms_r2e(saved_perms);
  			}
- 			saved_perms = NULL;
 +			_pam_krb5_options_free(pamh, ctx, options);
 +			krb5_free_context(ctx);
  			return PAM_IGNORE;

pam_krb5-2.2.3-1-setcred-assume-establish.dif

@@ -1,8 +1,8 @@
-Index: src/auth.c
+Index: pam_krb5-2.4.13/src/auth.c
 ===================================================================
---- src/auth.c.orig
+--- pam_krb5-2.4.13.orig/src/auth.c
-+++ src/auth.c
++++ pam_krb5-2.4.13/src/auth.c
-@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+@@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  					       "pam_setcred(PAM_DELETE_CRED)",
  					       _pam_krb5_session_caller_setcred);
  	}

pam_krb5-2.3.1-log-choise.dif

@@ -1,92 +1,90 @@
-Index: pam_krb5-2.4.4/src/acct.c
+Index: pam_krb5-2.4.13/src/acct.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/acct.c
+--- pam_krb5-2.4.13.orig/src/acct.c
-+++ pam_krb5-2.4.4/src/acct.c
++++ pam_krb5-2.4.13/src/acct.c
-@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
+@@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
  		_pam_krb5_free_ctx(ctx);
  		return PAM_SERVICE_ERR;
  	}
 +	if (options->debug) {
 +		debug("pam_acct_mgmt called for '%s', realm '%s'", user,
-+			  options->realm);
++			options->realm);
 +	}
  
  	/* Get information about the user and the user's principal name. */
  	userinfo = _pam_krb5_user_info_init(ctx, user, options);
-Index: pam_krb5-2.4.4/src/auth.c
+Index: pam_krb5-2.4.13/src/auth.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/auth.c
+--- pam_krb5-2.4.13.orig/src/auth.c
-+++ pam_krb5-2.4.4/src/auth.c
++++ pam_krb5-2.4.13/src/auth.c
-@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
+@@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
  		return PAM_SERVICE_ERR;
  	}
  	if (options->debug) {
--		debug("called to authenticate '%s', realm '%s'", user,
+-		debug("called to authenticate '%s', configured realm '%s'",
--		      options->realm);
+-		      user, options->realm);
 +		debug("pam_authenticate called for '%s', realm '%s'", user,
-+			  options->realm);
++			options->realm);
  	}
-+
  	_pam_krb5_set_init_opts(ctx, gic_options, options);
  
- 	/* Prompt for the password, as we might need to. */
+@@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f
-@@ -432,6 +433,11 @@ int
- pam_sm_setcred(pam_handle_t *pamh, int flags,
  	       int argc, PAM_KRB5_MAYBE_CONST char **argv)
  {
+ 	const char *why = "";
 +	notice("pam_setcred (%s) called",
-+		   (flags & PAM_ESTABLISH_CRED)?"establish credential":
++		(flags & PAM_ESTABLISH_CRED)?"establish credential":
-+		   (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
++		(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
-+		   (flags & PAM_REFRESH_CRED)?"refresh credential":
++		(flags & PAM_REFRESH_CRED)?"refresh credential":
-+		   (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
++		(flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
  	if (flags & PAM_ESTABLISH_CRED) {
  		return _pam_krb5_open_session(pamh, flags, argc, argv,
  					      "pam_setcred(PAM_ESTABLISH_CRED)",
-Index: pam_krb5-2.4.4/src/password.c
+Index: pam_krb5-2.4.13/src/password.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/password.c
+--- pam_krb5-2.4.13.orig/src/password.c
-+++ pam_krb5-2.4.4/src/password.c
++++ pam_krb5-2.4.13/src/password.c
-@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+@@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  		_pam_krb5_free_ctx(ctx);
  		return PAM_SERVICE_ERR;
  	}
 +	if (options->debug) {
 +		debug("pam_chauthtok called (%s) for '%s', realm '%s'",
-+			   (flags & PAM_PRELIM_CHECK) ?
++			(flags & PAM_PRELIM_CHECK) ?
-+			   "preliminary check" :
++			"preliminary check" :
-+			   ((flags & PAM_UPDATE_AUTHTOK) ?
++			((flags & PAM_UPDATE_AUTHTOK) ?
-+				"updating authtok":
++			    "updating authtok":
-+				"unknown phase"),
++			    "unknown phase"),
-+			   user,
++			user,
-+			   options->realm);
++			options->realm);
 +	}
  	_pam_krb5_set_init_opts(ctx, gic_options, options);
  
  	/* Get information about the user and the user's principal name. */
-Index: pam_krb5-2.4.4/src/session.c
+Index: pam_krb5-2.4.13/src/session.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/session.c
+--- pam_krb5-2.4.13.orig/src/session.c
-+++ pam_krb5-2.4.4/src/session.c
++++ pam_krb5-2.4.13/src/session.c
-@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam
+@@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam
  		_pam_krb5_free_ctx(ctx);
  		return PAM_SERVICE_ERR;
  	}
 +	if (options->debug) {
 +		debug("pam_open_session called for '%s', realm '%s'", user,
-+			  options->realm);
++			options->realm);
 +	}
  
  	/* If we're in a no-cred-session situation, return. */
  	if ((!options->cred_session) &&
-@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa
+@@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa
  		_pam_krb5_free_ctx(ctx);
- 		return PAM_SUCCESS;
+ 		return PAM_SERVICE_ERR;
  	}
 -
 +	if (options->debug) {
 +		debug("pam_close_session called for '%s', realm '%s'", user,
-+			  options->realm);
++			options->realm);
 +	}
- 	/* Get information about the user and the user's principal name. */
+ 	/* If we're in a no-cred-session situation, return. */
- 	userinfo = _pam_krb5_user_info_init(ctx, user, options);
+ 	if ((!options->cred_session) &&
- 	if (userinfo == NULL) {
+ 	    (caller_type == _pam_krb5_session_caller_setcred)) {

pam_krb5-2.3.1-switch-perms-on-refresh.dif

@@ -1,7 +1,7 @@
-Index: pam_krb5-2.4.4/src/auth.c
+Index: pam_krb5-2.4.13/src/auth.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/auth.c
+--- pam_krb5-2.4.13.orig/src/auth.c
-+++ pam_krb5-2.4.4/src/auth.c
++++ pam_krb5-2.4.13/src/auth.c
 @@ -56,6 +56,7 @@
  #include "items.h"
  #include "kuserok.h"
@@ -10,24 +10,30 @@ Index: pam_krb5-2.4.4/src/auth.c
  #include "options.h"
  #include "prompter.h"
  #include "session.h"
-@@ -433,6 +434,7 @@ int
+@@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
- pam_sm_setcred(pam_handle_t *pamh, int flags,
  	       int argc, PAM_KRB5_MAYBE_CONST char **argv)
  {
+ 	const char *why = "";
 +	struct _pam_krb5_perms *saved_perms;
  	notice("pam_setcred (%s) called",
- 		   (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ 		(flags & PAM_ESTABLISH_CRED)?"establish credential":
- 		   (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+ 		(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
-@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+@@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  					      _pam_krb5_session_caller_setcred);
  	}
  	if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
 +		saved_perms = _pam_krb5_switch_perms_r2e();
 +
+ 		if (flags & PAM_REINITIALIZE_CRED) {
+ 			why = "pam_setcred(PAM_REINITIALIZE_CRED)";
+ 			if (flags & PAM_REFRESH_CRED) {
+@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+ 			why = "pam_setcred(PAM_REFRESH_CRED)";
+ 		}
  		if (_pam_krb5_sly_looks_unsafe() == 0) {
--			return _pam_krb5_sly_maybe_refresh(pamh, flags,
+-			return _pam_krb5_sly_maybe_refresh(pamh, flags, why,
 -							   argc, argv);
-+			int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
++			int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv);
 +			if (saved_perms != NULL) {
 +				_pam_krb5_restore_perms_r2e(saved_perms);
 +			}
@@ -39,14 +45,13 @@ Index: pam_krb5-2.4.4/src/auth.c
 +			if (saved_perms != NULL) {
 +				_pam_krb5_restore_perms_r2e(saved_perms);
 +			}
-+			saved_perms = NULL;
  			return PAM_IGNORE;
  		}
  	}
-Index: pam_krb5-2.4.4/src/perms.c
+Index: pam_krb5-2.4.13/src/perms.c
 ===================================================================
---- pam_krb5-2.4.4.orig/src/perms.c
+--- pam_krb5-2.4.13.orig/src/perms.c
-+++ pam_krb5-2.4.4/src/perms.c
++++ pam_krb5-2.4.13/src/perms.c
 @@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
  	}
  	return ret;
@@ -90,17 +95,17 @@ Index: pam_krb5-2.4.4/src/perms.c
 +	int ret = -1;
 +	if (saved != NULL) {
 +		if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
-+		    (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
++		   (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
 +			ret = 0;
 +		}
 +		free(saved);
 +	}
 +	return ret;
 +}
-Index: pam_krb5-2.4.4/src/perms.h
+Index: pam_krb5-2.4.13/src/perms.h
 ===================================================================
---- pam_krb5-2.4.4.orig/src/perms.h
+--- pam_krb5-2.4.13.orig/src/perms.h
-+++ pam_krb5-2.4.4/src/perms.h
++++ pam_krb5-2.4.13/src/perms.h
 @@ -37,4 +37,7 @@ struct _pam_krb5_perms;
  struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
  int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);

pam_krb5-2.4.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:46f7f549048c2a82622bef726008b13687a655cda24e2b9ad72a667b3964940f
-size 556439

pam_krb5-LINGUAS.dif

@@ -1,18 +0,0 @@
-Index: po/LINGUAS
-===================================================================
---- po/LINGUAS.orig
-+++ po/LINGUAS
-@@ -33,3 +33,13 @@ te
- uk
- zh_CN
- zh_TW
-+ar
-+bg
-+fi
-+hr
-+ka
-+km
-+nb
-+pt
-+th
-+wa

pam_krb5-po.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7bd07c953ca39ed6df1bf9455de24865e424f8ce0ccb0200816b65d81dc4d0cd
-size 3906

pam_krb5.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Jul 26 07:04:12 UTC 2017 - josef.moellers@suse.com
+
+- Update to 2.4.13:
+  * Fix a memory leak on FAST-capable clients
+  * Learn to run 'kdc' and 'kpasswdd', if appropriate
+  * Add the ability to specify a server principal
+  * Drop _pam_krb5_stash_chown_keyring functionality
+  * Fix a configure syntax error
+  * Handle ccname templates that don't include a type
+  * Fix a memory leak (static analysis)
+  * default to subsequent_prompt=false for chauthtok
+  * Don't close descriptors for fork-without-exec
+  * Handle PKINIT without duplicate prompting
+  * Add support for rxkad-k5-kdf
+  [pam_krb5-LINGUAS.dif]
+
 -------------------------------------------------------------------
 Wed May 28 15:24:21 UTC 2014 - ckornacker@suse.com
 

pam_krb5.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package pam_krb5
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,17 +30,16 @@ Provides:       pam_krb
 Obsoletes:      pam_krb5-64bit
 %endif
 #
-Version:        2.4.4
+Version:        2.4.13
 Release:        0
 Summary:        A Pluggable Authentication Module for Kerberos 5
 License:        BSD-3-Clause or LGPL-2.1+
 Group:          Productivity/Networking/Security
-Url:            https://fedorahosted.org/pam_krb5/
+Url:            https://pagure.io/pam_krb5
-Source:         https://fedorahosted.org/released/pam_krb5/pam_krb5-%{version}.tar.gz
+Source:         pam_krb5-%{version}.tar.bz2
-Source2:        pam_krb5-po.tar.gz
+Source2:        pam_krb5-po.tar.bz2
 Source3:        baselibs.conf
 Patch1:         pam_krb5-2.3.1-log-choise.dif
-Patch2:         pam_krb5-LINGUAS.dif
 Patch3:         pam_krb5-2.3.1-switch-perms-on-refresh.dif
 Patch4:         pam_krb5-2.2.3-1-setcred-assume-establish.dif
 Patch5:         bug-641008_pam_krb5-2.3.11-setcred-log.diff
@@ -54,9 +53,8 @@ supports updating your Kerberos password.
 %setup -q -n pam_krb5-%{version}
 %setup -a 2 -T -D -n pam_krb5-%{version}
 %patch1 -p1
-%patch2
 %patch3 -p1
-%patch4
+%patch4 -p1
 %patch5 -p1
 
 %build