From bd49b5291dc62b92b91152682d930001d4b7d28338d3ff877c0b5d0cc3fc196a Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Fri, 15 Feb 2008 00:37:18 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=12

---
 ...rb5-2.2.11-1-refresh-drop-restore-priv.dif |   2 +-
 pam_krb5-2.2.20-1-debug-log-choice.dif        |  18 +--
 pam_krb5-2.2.21-1.tar.bz2                     |   3 -
 pam_krb5-2.2.22-1.tar.bz2                     |   3 +
 pam_krb5.changes                              |   9 ++
 pam_krb5.spec                                 | 108 ++++++++++--------
 6 files changed, 81 insertions(+), 62 deletions(-)
 delete mode 100644 pam_krb5-2.2.21-1.tar.bz2
 create mode 100644 pam_krb5-2.2.22-1.tar.bz2

diff --git a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
index 581fdf1..8a2e7a9 100644
--- a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+++ b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
@@ -2,7 +2,7 @@ Index: src/auth.c
 ===================================================================
 --- src/auth.c.orig
 +++ src/auth.c
-@@ -494,9 +494,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+@@ -481,9 +481,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  		return pam_sm_open_session(pamh, flags, argc, argv);
  	}
  	if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
diff --git a/pam_krb5-2.2.20-1-debug-log-choice.dif b/pam_krb5-2.2.20-1-debug-log-choice.dif
index 06ebe82..ba0bc06 100644
--- a/pam_krb5-2.2.20-1-debug-log-choice.dif
+++ b/pam_krb5-2.2.20-1-debug-log-choice.dif
@@ -1,5 +1,7 @@
---- src/options.c
-+++ src/options.c	2007/11/05 15:20:39
+Index: src/options.c
+===================================================================
+--- src/options.c.orig
++++ src/options.c
 @@ -40,6 +40,7 @@
  #include <stdio.h>
  #include <stdlib.h>
@@ -8,12 +10,12 @@
  
  #ifdef HAVE_SECURITY_PAM_APPL_H
  #include <security/pam_appl.h>
-@@ -327,7 +328,7 @@
- 		options->debug = 0;
- 	}
- 	if (options->debug) {
--		debug("configured realm '%s'", options->realm);
+@@ -354,7 +355,7 @@ _pam_krb5_options_init(pam_handle_t *pam
+ 	if (strlen(options->realm) > 0) {
+ 		krb5_set_default_realm(ctx, options->realm);
+ 		if (options->debug) {
+-			debug("configured realm '%s'", options->realm);
 +	  pam_syslog(pamh, LOG_DEBUG, "configured realm '%s'", options->realm);
+ 		}
  	}
  
- 	/* private option */
diff --git a/pam_krb5-2.2.21-1.tar.bz2 b/pam_krb5-2.2.21-1.tar.bz2
deleted file mode 100644
index 0ad76e1..0000000
--- a/pam_krb5-2.2.21-1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1340c721e1578053474daed83a6b6af5a5bbedb174c47631b8ace8f0fd7eb9f1
-size 339260
diff --git a/pam_krb5-2.2.22-1.tar.bz2 b/pam_krb5-2.2.22-1.tar.bz2
new file mode 100644
index 0000000..5861a11
--- /dev/null
+++ b/pam_krb5-2.2.22-1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f71461ba84d1716609670ed74bd515ec5b23a722b083f10a27b6f2a62c36bf9c
+size 340922
diff --git a/pam_krb5.changes b/pam_krb5.changes
index 9ebd7ff..4d64ea2 100644
--- a/pam_krb5.changes
+++ b/pam_krb5.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Feb 11 13:37:46 CET 2008 - mc@suse.de
+
+- version 2.2.22
+  * moved .k5login checks to a subprocess to avoid screwing with the
+    parent process's tokens and PAG (fallout from #371761)
+  * all options which took true/false before ("debug", "tokens", and
+    so on) can now take service names
+
 -------------------------------------------------------------------
 Wed Nov 21 16:37:51 CET 2007 - mc@suse.de
 
diff --git a/pam_krb5.spec b/pam_krb5.spec
index 8ccdb7e..c689ca7 100644
--- a/pam_krb5.spec
+++ b/pam_krb5.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package pam_krb5 (Version 2.2.21)
+# spec file for package pam_krb5 (Version 2.2.22)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -10,6 +10,7 @@
 
 # norootforbuild
 
+
 Name:           pam_krb5
 BuildRequires:  krb5-client krb5-devel krb5-server openssl-devel pam-devel
 %define       PAM_RELEASE 1
@@ -17,8 +18,8 @@ License:        GPL v2 or later
 Group:          Productivity/Networking/Security
 Provides:       pam_krb
 AutoReqProv:    on
-Version:        2.2.21
-Release:        5
+Version:        2.2.22
+Release:        1
 Summary:        PAM Module for Kerberos Authentication
 Url:            http://sourceforge.net/projects/pam-krb5/
 Source:         pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
@@ -72,25 +73,32 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) /%{_lib}/security/pam_krb5/pam_krb5_storetmp
 %attr(444,root,root) %_mandir/man*/*.*
 %attr(755,root,root) /usr/bin/afs5log
+
 %changelog
-* Wed Nov 21 2007 - mc@suse.de
+* Mon Feb 11 2008 mc@suse.de
+- version 2.2.22
+  * moved .k5login checks to a subprocess to avoid screwing with the
+  parent process's tokens and PAG (fallout from #371761)
+  * all options which took true/false before ("debug", "tokens", and
+  so on) can now take service names
+* Wed Nov 21 2007 mc@suse.de
 - some bugfixes from upstream
-* Fri Nov 09 2007 - mc@suse.de
+* Fri Nov 09 2007 mc@suse.de
 - version 2.2.21
   * fix permissions problems on keyring ccaches, so that users can write
   to them after we've set them up, and we can still do the cleanup
 - remove pam_krb5-2.2.20-1-copy-cache-priv-fix.dif; fix is upstream
-* Mon Nov 05 2007 - mc@suse.de
+* Mon Nov 05 2007 mc@suse.de
 - pam_krb5-2.2.20-1-copy-cache-priv-fix.dif
   fix permissions on the ccache im not file case
 - pam_krb5-2.2.20-1-debug-log-choice.dif
   improve debug log
-* Mon Oct 29 2007 - mc@suse.de
+* Mon Oct 29 2007 mc@suse.de
 - version 2.2.20
   * fixes for credential refreshing
 - remove obsolete patch pam_krb5-2.2.19-fix-format-error.dif
   (fix is upstream)
-* Fri Oct 26 2007 - mc@suse.de
+* Fri Oct 26 2007 mc@suse.de
 - version 2.2.19:
   * the "keytab" option can now be used to specify a custom location
   for a given service from within krb5.conf
@@ -105,7 +113,7 @@ rm -rf $RPM_BUILD_ROOT
   * added the "ccname_template" option to provide a way to specify
   where the user's credentials should be stored, so that KEYRING:
   credential caches can be deployed at will.
-* Tue Aug 07 2007 - mc@suse.de
+* Tue Aug 07 2007 mc@suse.de
 - version 2.2.17:
   * corrected a typo in the pam_krb5(8) man page
   * clarified that the "tokens" flag should only be needed for
@@ -121,34 +129,34 @@ rm -rf $RPM_BUILD_ROOT
   a password for a user who has no corresponding principal (#235020)
   * don't bother using a helper for creating ccache files, which we're
   just going to delete, when we need to get tokens
-* Mon Jul 16 2007 - mc@suse.de
+* Mon Jul 16 2007 mc@suse.de
 - version 2.2.14
   * treat a "client revoked" error as an "unknown principal" error
   * some small bugfixes
-* Fri Jul 13 2007 - mc@suse.de
+* Fri Jul 13 2007 mc@suse.de
 - version 2.2.13
   * make it possible to have more than one ccache (and tktfile) at
   a time to work around apps which open a session, set the
   environment, and initialize creds (when we previously created
   a ccache, removing the one which was named in the environment)
-* Mon Jul 02 2007 - mc@suse.de
+* Mon Jul 02 2007 mc@suse.de
 - version 2.2.12
   * add a "pwhelp" option.
   * Display the KDC error to users.
   * lots of bugfixes
-* Thu Mar 15 2007 - mc@suse.de
+* Thu Mar 15 2007 mc@suse.de
 - drop privileges in _pam_krb5_sly_maybe_refresh when
   running in set uid and restore them on exit of this
   function. This enables us to refresh the ticket
   after screen un-lock.
   [#124611]
-* Mon Sep 25 2006 - mc@suse.de
+* Mon Sep 25 2006 mc@suse.de
 - version 2.2.11
 - remove two patches with are upstream now
   - pam_krb5-2.2.10-0-oldauthtok.dif
   - pam_krb5-2.2.10-0-testfix.dif
 - make use of --with-os-distribution
-* Thu Sep 14 2006 - mc@suse.de
+* Thu Sep 14 2006 mc@suse.de
 - fix pam_set_item call for AUTHTOK and OLDAUTHTOK
 - fix testcase
 - if the server returns an error message during password-changing,
@@ -156,7 +164,7 @@ rm -rf $RPM_BUILD_ROOT
 - add the "debug_sensitive" option, which actually logs passwords
 - add the "no_subsequent_prompt" option, to force the module to
   always answer a libkrb5 prompt with the PAM_AUTHTOK value
-* Tue Sep 12 2006 - mc@suse.de
+* Tue Sep 12 2006 mc@suse.de
 - version 2.2.10
   * log text for server-supplied error code along with the
   failure information.
@@ -168,7 +176,7 @@ rm -rf $RPM_BUILD_ROOT
   * track whether or not we want to let libkrb5 ask for information
   via the callbacks.
   * and more fixes
-* Thu Jul 27 2006 - mc@suse.de
+* Thu Jul 27 2006 mc@suse.de
 - version 2.2.9
   * look for krb5/krb5.h in preference to krb5.h (new in
   MIT Kerberos 1.5)
@@ -185,87 +193,87 @@ rm -rf $RPM_BUILD_ROOT
   instead of assuming the previous file ended with one
   * and more fixes.
 - remove pam_krb5-2.2.3-1-prompter-segfault.dif it is upstream now
-* Wed Jun 28 2006 - mc@suse.de
+* Wed Jun 28 2006 mc@suse.de
 - update to version 2.2.8
   * fix reporting of the reasons for password change failures
   * add "krb4_use_as_req" to completely disallow any attempts to get
   v4 credentials
   * do 524 conversion for the "external" cases, too
 - remove obsolete patches
-* Fri Apr 21 2006 - mc@suse.de
+* Fri Apr 21 2006 mc@suse.de
 - fix segfault in prompter [#165972]
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
 - converted neededforbuild to BuildRequires
-* Tue Jan 17 2006 - mc@suse.de
+* Tue Jan 17 2006 mc@suse.de
 - add two patches from upstream
   * pam_krb5-upstreamfix-password-handling.dif
   * pam_krb5-upstreamfix-testcase.dif
 - build with more then one job
-* Fri Jan 13 2006 - mc@suse.de
+* Fri Jan 13 2006 mc@suse.de
 - set /usr/bin/afs5log executable
-* Wed Jan 11 2006 - mc@suse.de
+* Wed Jan 11 2006 mc@suse.de
 - add -fstack-protector to CFLAGS
-* Tue Dec 20 2005 - mc@suse.de
+* Tue Dec 20 2005 mc@suse.de
 - update to version 2.2.3
 - remove pam_krb5-2.2.0-0.5-NULL-fix.dif; patch is now upstream
-* Fri Dec 02 2005 - mc@suse.de
+* Fri Dec 02 2005 mc@suse.de
 - update to version 2.2.2
   * don't leak the keytab file descriptor
   * actually check for AFS support first, so that the
   ioctl-only support case will work properly.
-* Mon Nov 14 2005 - uli@suse.de
+* Mon Nov 14 2005 uli@suse.de
 - no afs_syscall on ARM
-* Mon Nov 14 2005 - mc@suse.de
+* Mon Nov 14 2005 mc@suse.de
 - update to version 2.2.0-2
 - remove obsolete patch (debug_false is upstream now)
-* Mon Oct 10 2005 - mc@suse.de
+* Mon Oct 10 2005 mc@suse.de
 - update to current CVS version
 - drop some patches (they are upstream now)
 - fix NULL problem
-* Wed Aug 17 2005 - mc@suse.de
+* Wed Aug 17 2005 mc@suse.de
 - got official fix for the authtok problem
   [#104051]
-* Mon Aug 15 2005 - mc@suse.de
+* Mon Aug 15 2005 mc@suse.de
 - fix the behavior of password changing if use_authtok
   is not present [#104051]
-* Wed Jun 29 2005 - mc@suse.de
+* Wed Jun 29 2005 mc@suse.de
 - fix change password
-* Fri Jun 10 2005 - mc@suse.de
+* Fri Jun 10 2005 mc@suse.de
 - set default for debug to false [#87005]
-* Thu Apr 07 2005 - mc@suse.de
+* Thu Apr 07 2005 mc@suse.de
 - switch to version 2.2.0-0.5
-* Tue Feb 22 2005 - nadvornik@suse.cz
+* Tue Feb 22 2005 nadvornik@suse.cz
 - fixed parsing of time values
-* Mon Feb 21 2005 - mc@suse.de
+* Mon Feb 21 2005 mc@suse.de
 - add pam_krb5-use-krb5_afslog.dif [#51047]
-* Tue Jan 18 2005 - okir@suse.de
+* Tue Jan 18 2005 okir@suse.de
 - updated to latest pam_krb5 snapshot from sourcforge CVS
-* Tue Jan 11 2005 - ro@suse.de
+* Tue Jan 11 2005 ro@suse.de
 - re-added afs module (added krbafs to neededforbuild)
-* Mon Nov 22 2004 - ro@suse.de
+* Mon Nov 22 2004 ro@suse.de
 - remove afs for the moment, mit-kerberos does not have support
-* Wed Apr 28 2004 - ro@suse.de
+* Wed Apr 28 2004 ro@suse.de
 - added -fno-strict-aliasing
-* Fri Jan 16 2004 - kukuk@suse.de
+* Fri Jan 16 2004 kukuk@suse.de
 - Add pam-devel to neededforbuild
-* Sun Jan 11 2004 - adrian@suse.de
+* Sun Jan 11 2004 adrian@suse.de
 - build as user
-* Wed Jul 16 2003 - nadvornik@suse.cz
+* Wed Jul 16 2003 nadvornik@suse.cz
 - replaced by different implementation of pam_krb5
 - afs support
-* Fri Jun 20 2003 - okir@suse.de
+* Fri Jun 20 2003 okir@suse.de
 - fix build problem with latest heimdal
 - another fix for passwd updates (#20284)
-* Wed Jun 18 2003 - ro@suse.de
+* Wed Jun 18 2003 ro@suse.de
 - use kerberos-devel-packages in neededforbuild
-* Tue Apr 15 2003 - ro@suse.de
+* Tue Apr 15 2003 ro@suse.de
 - fixed neededforbuild
-* Wed Aug 28 2002 - okir@suse.de
+* Wed Aug 28 2002 okir@suse.de
 - Security fix (#18463): unbecome_user did not properly reassert
   original privilege, and the caller didn't check the return value.
-* Wed Jul 31 2002 - okir@suse.de
+* Wed Jul 31 2002 okir@suse.de
 - suse_update_config now updates the right files
-* Wed Jul 24 2002 - okir@suse.de
+* Wed Jul 24 2002 okir@suse.de
 - fixed passwd(1) support; updated README
-* Tue Jul 23 2002 - okir@suse.de
+* Tue Jul 23 2002 okir@suse.de
 - initial packaging