- Update to version 1.6.0

- Added support of configuration files with arbitrarily long lines.
  - build: fixed build outside of the source tree.
  - libpam: added use of getrandom(2) as a source of randomness if available.
  - libpam: fixed calculation of fail delay with very long delays.
  - libpam: fixed potential infinite recursion with includes.
  - libpam: implemented string to number conversions validation when parsing
    controls in configuration.
  - pam_access: added quiet_log option.
  - pam_access: fixed truncation of very long group names.
  - pam_canonicalize_user: new module to canonicalize user name.
  - pam_echo: fixed file handling to prevent overflows and short reads.
  - pam_env: added support of '\' character in environment variable values.
  - pam_exec: allowed expose_authtok for password PAM_TYPE.
  - pam_exec: fixed stack overflow with binary output of programs.
  - pam_faildelay: implemented parameter ranges validation.
  - pam_listfile: changed to treat \r and \n exactly the same in configuration.
  - pam_mkhomedir: hardened directory creation against timing attacks.
  - Please note that using *at functions leads to more open file handles
    during creation.
  - pam_namespace: fixed potential local DoS (CVE-2024-22365).
  - pam_nologin: fixed file handling to prevent short reads.
  - pam_pwhistory: helper binary is now built only if SELinux support is
    enabled.
  - pam_pwhistory: implemented reliable usernames handling when remembering
    passwords.
  - pam_shells: changed to allow shell entries with absolute paths only.
  - pam_succeed_if: fixed treating empty strings as numerical value 0.
  - pam_unix: added support of disabled password aging.
  - pam_unix: synchronized password aging with shadow.

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=280

Linux-PAM-1.5.3.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw
-To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0
-5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY
-L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9
-Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t
-/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK
-4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW
-P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg
-Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB
-8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP
-IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r
-zf06e/iTT4GL6AhJtbh3
-=2hyW
------END PGP SIGNATURE-----

Linux-PAM-1.6.0.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
+n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
+NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
+U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
+XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
+6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
+Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
+gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
+b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
+NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
+LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
+zxDFnUsJ/JgmJm3y47J2
+=wzV/
+-----END PGP SIGNATURE-----

disable-examples.patch

@@ -1,51 +0,0 @@
-From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
-From: Pino Toscano <toscano.pino@tiscali.it>
-Date: Mon, 8 May 2023 18:39:36 +0200
-Subject: [PATCH] configure.ac: add --enable-examples option
-
-Allow the user to not build the examples through --disable-examples
-(enabled by default); this can be useful:
-- when cross-compiling, as the examples are not useful
-- in distribution builds, not building stuff that is not used in any
-  way
----
- Makefile.am  | 5 ++++-
- configure.ac | 5 +++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index deb252680..2e8fede7b 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -4,11 +4,14 @@
- 
- AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
- 
--SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
-+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
- 
- if HAVE_DOC
- SUBDIRS += doc
- endif
-+if HAVE_EXAMPLES
-+SUBDIRS += examples
-+endif
- 
- CLEANFILES = *~
- 
-diff --git a/configure.ac b/configure.ac
-index b9b0f8392..6666b1b26 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
-         WITH_DOC=$enableval, WITH_DOC=yes)
- AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
- 
-+AC_ARG_ENABLE([examples],
-+        AS_HELP_STRING([--disable-examples],[Do not build the examples]),
-+        WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
-+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
-+
- AC_ARG_ENABLE([prelude],
- 	AS_HELP_STRING([--disable-prelude],[do not use prelude]),
- 	WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)

pam-login_defs-check.sh

@@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
 	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 	LC_ALL=C sort -u >pam-login_defs-vars.lst
 
-if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != cda62ec4158236270a5a30ba1875fa2795926f23 ; then
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
 
 	echo "does not match!" >&2
 	echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

pam.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to version 1.6.0
+  - Added support of configuration files with arbitrarily long lines.
+  - build: fixed build outside of the source tree.
+  - libpam: added use of getrandom(2) as a source of randomness if available.
+  - libpam: fixed calculation of fail delay with very long delays.
+  - libpam: fixed potential infinite recursion with includes.
+  - libpam: implemented string to number conversions validation when parsing
+    controls in configuration.
+  - pam_access: added quiet_log option.
+  - pam_access: fixed truncation of very long group names.
+  - pam_canonicalize_user: new module to canonicalize user name.
+  - pam_echo: fixed file handling to prevent overflows and short reads.
+  - pam_env: added support of '\' character in environment variable values.
+  - pam_exec: allowed expose_authtok for password PAM_TYPE.
+  - pam_exec: fixed stack overflow with binary output of programs.
+  - pam_faildelay: implemented parameter ranges validation.
+  - pam_listfile: changed to treat \r and \n exactly the same in configuration.
+  - pam_mkhomedir: hardened directory creation against timing attacks.
+  - Please note that using *at functions leads to more open file handles
+    during creation.
+  - pam_namespace: fixed potential local DoS (CVE-2024-22365).
+  - pam_nologin: fixed file handling to prevent short reads.
+  - pam_pwhistory: helper binary is now built only if SELinux support is
+    enabled.
+  - pam_pwhistory: implemented reliable usernames handling when remembering
+    passwords.
+  - pam_shells: changed to allow shell entries with absolute paths only.
+  - pam_succeed_if: fixed treating empty strings as numerical value 0.
+  - pam_unix: added support of disabled password aging.
+  - pam_unix: synchronized password aging with shadow.
+  - pam_unix: implemented string to number conversions validation.
+  - pam_unix: fixed truncation of very long user names.
+  - pam_unix: corrected rounds retrieval for configured encryption method.
+  - pam_unix: implemented reliable usernames handling when remembering
+    passwords.
+  - pam_unix: changed to always run the helper to obtain shadow password
+    entries.
+  - pam_unix: unix_update helper binary is now built only if SELinux support
+    is enabled.
+  - pam_unix: added audit support to unix_update helper.
+  - pam_userdb: added gdbm support.
+  - Multiple minor bug fixes, portability fixes, documentation improvements,
+    and translation updates.
+- The following patches are obsolete with the update:
+  - pam_access-doc-IPv6-link-local.patch
+  - pam_access-hostname-debug.patch
+  - pam_shells-fix-econf-memory-leak.patch
+  - pam_shells-fix-econf-memory-leak.patch
+- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS
+  is no longer used.
+
 -------------------------------------------------------------------
 Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 

pam.spec

@@ -71,7 +71,7 @@
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.5.3
+Version:        1.6.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -96,14 +96,6 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-# https://github.com/linux-pam/linux-pam/pull/594
-Patch2:         pam_access-doc-IPv6-link-local.patch
-# https://github.com/linux-pam/linux-pam/pull/596
-Patch3:         pam_access-hostname-debug.patch
-# https://github.com/linux-pam/linux-pam/pull/581
-Patch4:         pam_shells-fix-econf-memory-leak.patch
-# https://github.com/linux-pam/linux-pam/pull/574
-Patch5:         disable-examples.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
@@ -214,10 +206,6 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version}
 cp -a %{SOURCE12} .
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
 
 %build
 bash ./pam-login_defs-check.sh
@@ -237,7 +225,9 @@ autoreconf
 	--enable-isadir=../..%{_pam_moduledir} \
 	--enable-securedir=%{_pam_moduledir} \
 	--enable-vendordir=%{_prefix}/etc \
+%if "%{flavor}" == "full"
 	--enable-logind \
+%endif
         --disable-examples \
 	--disable-nis \
 %if %{with debug}

pam_access-doc-IPv6-link-local.patch

@@ -1,63 +0,0 @@
-From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <kukuk@suse.com>
-Date: Thu, 3 Aug 2023 17:11:32 +0200
-Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
-
-* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
-  link-local addresses
-* modules/pam_access/access.conf: Add example for IPv6 link-local
-  addresses
----
- modules/pam_access/access.conf       |  3 +++
- modules/pam_access/access.conf.5.xml | 12 +++++++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
-index 47b6b84c1..9c8e21716 100644
---- a/modules/pam_access/access.conf
-+++ b/modules/pam_access/access.conf
-@@ -115,6 +115,9 @@
- # User "john" should get access from ipv6 host address (same as above)
- #+:john:2001:4ca0:0:101:0:0:0:1
- #
-+# User "john" should get access from ipv6 local link host address
-+#+:john:fe80::de95:818c:1b55:7e42%eth0
-+#
- # User "john" should get access from ipv6 net/mask
- #+:john:2001:4ca0:0:101::/64
- #
-diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
-index ff1cb2237..2dc5d477c 100644
---- a/modules/pam_access/access.conf.5.xml
-+++ b/modules/pam_access/access.conf.5.xml
-@@ -188,6 +188,12 @@
-     </para>
-     <para>+:john foo:2001:db8:0:101::1</para>
- 
-+    <para>
-+      User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
-+      should get access from IPv6 link local host address.
-+    </para>
-+    <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para>
-+
-     <para>
-       User <emphasis>john</emphasis> should get access from IPv6 net/mask.
-     </para>
-@@ -222,6 +228,10 @@
-       item and the line will be most probably ignored. For this reason, it is not
-       recommended to put spaces around the ':' characters.
-     </para>
-+    <para>
-+      An IPv6 link local host address must contain the interface
-+      identifier. IPv6 link local network/netmask is not supported.
-+    </para>
-   </refsect1>
- 
-   <refsect1 xml:id="access.conf-see_also">
-@@ -246,4 +256,4 @@
-       introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
-     </para>
-   </refsect1>
--</refentry>
-\ No newline at end of file
-+</refentry>

pam_access-hostname-debug.patch

@@ -1,27 +0,0 @@
-From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <kukuk@suse.com>
-Date: Fri, 4 Aug 2023 15:46:16 +0200
-Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
- (#590)
-
-* modules/pam_access/pam_access.c (network_netmask_match): Don't print
-an error if a string is not resolveable, only a debug message in debug
-mode. We even don't know if that entry is for remote logins or not.
----
- modules/pam_access/pam_access.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index f70b7e495..985dc7de2 100644
---- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
- 	 */
- 	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
- 	  {
--	    pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-+	    if (item->debug)
-+	      pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
- 
- 	    return NO;
- 	  }

pam_shells-fix-econf-memory-leak.patch

@@ -1,22 +0,0 @@
-From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 18 May 2023 17:55:21 +0200
-Subject: [PATCH] pam_shells: Plug econf memory leak
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
----
- modules/pam_shells/pam_shells.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
-index 05c09c656..276a56dd5 100644
---- a/modules/pam_shells/pam_shells.c
-+++ b/modules/pam_shells/pam_shells.c
-@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
-         if (!retval)
- 	   break;
-     }
-+    econf_free (keys);
-     econf_free (key_file);
- #else
-     char shellFileLine[256];