- Update to version 1.6.1

- pam_env: fixed --disable-econf --enable-vendordir support. - pam_unix: do not warn if password aging is disabled. - pam_unix: try to set uid to 0 before unix_chkpwd invocation. - pam_unix: allow empty passwords with non-empty hashes. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - Remove backports: - pam_env-fix_vendordir.patch - pam_env-fix-enable-vendordir-fallback.patch - pam_env-remove-escaped-newlines.patch - pam_unix-fix-password-aging-disabled.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=296
2024-04-10 07:30:15 +00:00 · 2024-04-10 07:30:15 +00:00 · 810c4f59c1
commit 810c4f59c1
parent 0158e751ab
10 changed files with 36 additions and 211 deletions
--- a/Linux-PAM-1.6.0.tar.xz
+++ b/Linux-PAM-1.6.0.tar.xz
--- a/Linux-PAM-1.6.0.tar.xz.asc
+++ b/Linux-PAM-1.6.0.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
-n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
-NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
-U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
-XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
-6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
-Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
-gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
-b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
-NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
-LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
-zxDFnUsJ/JgmJm3y47J2
-=wzV/
-----END PGP SIGNATURE-----
--- a/Linux-PAM-1.6.1.tar.xz
+++ b/Linux-PAM-1.6.1.tar.xz
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ b/Linux-PAM-1.6.1.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
+sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
+47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
+RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
+mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
+cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
+fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
+PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
+o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
+0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
+9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
+UoUkHsbCWJU/ksn/9BIQ
+=Dbz2
+-----END PGP SIGNATURE-----
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Apr 10 07:12:02 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to version 1.6.1
+  - pam_env: fixed --disable-econf --enable-vendordir support.
+  - pam_unix: do not warn if password aging is disabled.
+  - pam_unix: try to set uid to 0 before unix_chkpwd invocation.
+  - pam_unix: allow empty passwords with non-empty hashes.
+  - Multiple minor bug fixes, build fixes, portability fixes,
+    documentation improvements, and translation updates.
+- Remove backports:
+  - pam_env-fix_vendordir.patch
+  - pam_env-fix-enable-vendordir-fallback.patch
+  - pam_env-remove-escaped-newlines.patch
+  - pam_unix-fix-password-aging-disabled.patch
+
 -------------------------------------------------------------------
 Thu Feb 22 17:30:24 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -71,7 +71,7 @@
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.6.0
+Version:        1.6.1
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@ -96,14 +96,6 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-# https://github.com/linux-pam/linux-pam/pull/739
-Patch2:         pam_env-fix_vendordir.patch
-# https://github.com/linux-pam/linux-pam/pull/740
-Patch3:		pam_env-fix-enable-vendordir-fallback.patch
-# https://github.com/linux-pam/linux-pam/pull/741
-Patch4:         pam_env-remove-escaped-newlines.patch
-# https://github.com/linux-pam/linux-pam/pull/744
-Patch5:         pam_unix-fix-password-aging-disabled.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
--- a/pam_env-fix-enable-vendordir-fallback.patch
+++ b/pam_env-fix-enable-vendordir-fallback.patch
@ -1,51 +0,0 @@
-From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@strace.io>
-Date: Thu, 18 Jan 2024 17:00:00 +0000
-Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
-
-* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
-VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
-if the config file is specified via module arguments.
-
-Link: https://github.com/linux-pam/linux-pam/issues/738
-Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
---
- modules/pam_env/pam_env.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
-index a0b812fff..8b40b6a5a 100644
--- a/modules/pam_env/pam_env.c
-+++ b/modules/pam_env/pam_env.c
-@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
- #ifdef USE_ECONF
-     /* If "file" is not NULL, only this file will be parsed. */
-     retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
-#else
-+#else /* !USE_ECONF */
-     /* Only one file will be parsed. So, file has to be set. */
-    if (file == NULL) /* No filename has been set via argv. */
-+    if (file == NULL) { /* No filename has been set via argv. */
-       file = DEFAULT_CONF_FILE;
-#ifdef VENDOR_DEFAULT_CONF_FILE
-    /*
-    * Check whether file is available.
-    * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
-    */
-    struct stat stat_buffer;
-    if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
-      file = VENDOR_DEFAULT_CONF_FILE;
-+# ifdef VENDOR_DEFAULT_CONF_FILE
-+      /*
-+       * Check whether DEFAULT_CONF_FILE file is available.
-+       * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
-+       */
-+      struct stat stat_buffer;
-+      if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
-+        file = VENDOR_DEFAULT_CONF_FILE;
-+# endif
-     }
-#endif
-     retval = read_file(pamh, file, &conf_list);
- #endif
- 
--- a/pam_env-fix_vendordir.patch
+++ b/pam_env-fix_vendordir.patch
@ -1,51 +0,0 @@
-From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 18 Jan 2024 18:08:05 +0100
-Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
-
-The VENDORDIR define has to be checked after config.h
-inclusion, otherwise the ifdef test always yields false.
-
-Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
- modules/pam_env/pam_env.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
-index 59adc942c..a0b812fff 100644
--- a/modules/pam_env/pam_env.c
-+++ b/modules/pam_env/pam_env.c
-@@ -6,15 +6,6 @@
-  * template for this file (via pam_mail)
-  */
- 
-#define DEFAULT_ETC_ENVFILE     "/etc/environment"
-#ifdef VENDORDIR
-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
-#endif
-#define DEFAULT_READ_ENVFILE    1
-
-#define DEFAULT_USER_ENVFILE    ".pam_environment"
-#define DEFAULT_USER_READ_ENVFILE 0
-
- #include "config.h"
- 
- #include <ctype.h>
-@@ -52,6 +43,15 @@ typedef struct var {
-   char *override;
- } VAR;
- 
-+#define DEFAULT_ETC_ENVFILE     "/etc/environment"
-+#ifdef VENDORDIR
-+#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
-+#endif
-+#define DEFAULT_READ_ENVFILE    1
-+
-+#define DEFAULT_USER_ENVFILE    ".pam_environment"
-+#define DEFAULT_USER_READ_ENVFILE 0
-+
- #define DEFAULT_CONF_FILE	(SCONFIGDIR "/pam_env.conf")
- #ifdef VENDOR_SCONFIGDIR
- #define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
--- a/pam_env-remove-escaped-newlines.patch
+++ b/pam_env-remove-escaped-newlines.patch
@ -1,54 +0,0 @@
-From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 18 Jan 2024 20:25:20 +0100
-Subject: [PATCH] pam_env: remove escaped newlines from econf lines
-
-The libeconf routines do not remove escaped newlines the way we want to
-process them later on. Manually remove them from values.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
- modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
-index a0b812fff..5f53fbb10 100644
--- a/modules/pam_env/pam_env.c
-+++ b/modules/pam_env/pam_env.c
-@@ -160,6 +160,28 @@ isDirectory(const char *path) {
-    return S_ISDIR(statbuf.st_mode);
- }
- 
-+/*
-+ * Remove escaped newline from string.
-+ *
-+ * All occurrences of "\\n" will be removed from string.
-+ */
-+static void
-+econf_unescnl(char *val)
-+{
-+    char *dest, *p;
-+
-+    dest = p = val;
-+
-+    while (*p != '\0') {
-+      if (p[0] == '\\' && p[1] == '\n') {
-+	p += 2;
-+      } else {
-+	*dest++ = *p++;
-+      }
-+    }
-+    *dest = '\0';
-+}
-+
- static int
- econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
- 			   const char *name, const char *suffix, const char *subpath,
-@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
- 		   keys[i],
- 		   econf_errString(error));
-       } else {
-+        econf_unescnl(val);
-         if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
- 	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
-           econf_free(keys);
--- a/pam_unix-fix-password-aging-disabled.patch
+++ b/pam_unix-fix-password-aging-disabled.patch
@ -1,27 +0,0 @@
-From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Fri, 19 Jan 2024 10:09:00 +0100
-Subject: [PATCH] pam_unix: do not warn if password aging disabled
-
-Later checks will print a warning if daysleft is 0. If password
-aging is disabled, leave daysleft at -1.
-
-Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
- modules/pam_unix/passverify.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 5c4f862e7..1bc98fa25 100644
--- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- 	}
- 	if (spent->sp_lstchg < 0) {
- 		D(("password aging disabled"));
-		*daysleft = 0;
- 		return PAM_SUCCESS;
- 	}
- 	if (curdays < spent->sp_lstchg) {