From 3f4c451be954e266b82e2065eed4b4989b38d2f6cfd9712b45e2fece60222072 Mon Sep 17 00:00:00 2001
From: Christophe Marin
Date: Tue, 4 Apr 2023 18:14:26 +0000
Subject: [PATCH] Plasma 5.27.4(.1)

OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=268
---
 ...erify-that-XDG_RUNTIME_DIR-is-usable.patch | 37 ----------------
 ...do-anything-if-the-password-is-empty.patch | 30 -------------
 ...xit-early-if-the-target-user-is-root.patch | 42 -------------------
 kwallet-pam-5.27.3.tar.xz | 3 -
 kwallet-pam-5.27.3.tar.xz.sig | 16 -------
 kwallet-pam-5.27.4.tar.xz | 3 ++
 kwallet-pam-5.27.4.tar.xz.sig | 16 +++++++
 pam_kwallet.changes | 16 +++++++
 pam_kwallet.spec | 5 +--
 9 files changed, 36 insertions(+), 132 deletions(-)
 delete mode 100644 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch
 delete mode 100644 0002-Don-t-do-anything-if-the-password-is-empty.patch
 delete mode 100644 0003-Exit-early-if-the-target-user-is-root.patch
 delete mode 100644 kwallet-pam-5.27.3.tar.xz
 delete mode 100644 kwallet-pam-5.27.3.tar.xz.sig
 create mode 100644 kwallet-pam-5.27.4.tar.xz
 create mode 100644 kwallet-pam-5.27.4.tar.xz.sig

diff --git a/0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch b/0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch
deleted file mode 100644
index cf81743..0000000
--- a/0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 42f4dbd10b0f1a24d38513399f07936360920fa2 Mon Sep 17 00:00:00 2001
-From: Fabian Vogt
-Date: Mon, 13 Mar 2023 10:07:22 +0100
-Subject: [PATCH 1/4] Verify that XDG_RUNTIME_DIR is usable
-
-It needs to be an existing directory with mode 0700 and owned by the user.
----
- pam_kwallet.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index e8fbc27..31e93aa 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -455,6 +455,19 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
- snprintf(fullSocket, needed, "%s/%s_%s%s", socketPath, socketPrefix, userInfo->pw_name, ".socket");
- } else {
- socketPath = get_env(pamh, "XDG_RUNTIME_DIR");
-+ // Check whether XDG_RUNTIME_DIR is usable
-+ if (socketPath) {
-+ struct stat rundir_stat;
-+ if (stat(socketPath, &rundir_stat) != 0) {
-+ pam_syslog(pamh, LOG_ERR, "%s: Failed to stat %s", logPrefix, socketPath);
-+ socketPath = NULL;
-+ } else if(!S_ISDIR(rundir_stat.st_mode) || (rundir_stat.st_mode & ~S_IFMT) != 0700
-+ || rundir_stat.st_uid != userInfo->pw_uid) {
-+ pam_syslog(pamh, LOG_ERR, "%s: %s has wrong type, perms or ownership", logPrefix, socketPath);
-+ socketPath = NULL;
-+ }
-+ }
-+
- if (socketPath) {
- size_t needed = snprintf(NULL, 0, "%s/%s%s", socketPath, socketPrefix, ".socket");
- needed += 1;
---
-2.39.2
-
diff --git a/0002-Don-t-do-anything-if-the-password-is-empty.patch b/0002-Don-t-do-anything-if-the-password-is-empty.patch
deleted file mode 100644
index 463f0e8..0000000
--- a/0002-Don-t-do-anything-if-the-password-is-empty.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 09659874cc6cc3ab21314dc3b24a2db1bc77c46c Mon Sep 17 00:00:00 2001
-From: Fabian Vogt
-Date: Mon, 13 Mar 2023 10:09:10 +0100
-Subject: [PATCH 2/4] Don't do anything if the password is empty
-
-If for some reason the password is empty (bug or intentionally configured),
-avoid creating a possibly insecure hash.
----
- pam_kwallet.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index 31e93aa..2cd3758 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -294,6 +294,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
- return PAM_IGNORE;
- }
-
-+ if (password[0] == '\0') {
-+ pam_syslog(pamh, LOG_NOTICE, "%s: Empty or missing password, doing nothing", logPrefix);
-+ return PAM_IGNORE;
-+ }
-+
- char *key = strdup(password);
- result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free);
-
---
-2.39.2
-
diff --git a/0003-Exit-early-if-the-target-user-is-root.patch b/0003-Exit-early-if-the-target-user-is-root.patch
deleted file mode 100644
index 42e10a5..0000000
--- a/0003-Exit-early-if-the-target-user-is-root.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 2126d9f148506d71ebc5576a91259c80e095f5ec Mon Sep 17 00:00:00 2001
-From: Fabian Vogt
-Date: Mon, 13 Mar 2023 10:12:18 +0100
-Subject: [PATCH 3/4] Exit early if the target user is root
-
-kwallet should not be used as root user, so just refuse doing anything if
-root is the target user.
----
- pam_kwallet.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index 2cd3758..49be6c0 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -265,6 +265,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
- return PAM_IGNORE;
- }
-
-+ if (userInfo->pw_uid == 0) {
-+ pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
-+ return PAM_IGNORE;
-+ }
-+
- const char *password;
- result = pam_get_item(pamh, PAM_AUTHTOK, (const void**)&password);
-
-@@ -569,6 +574,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
- return PAM_IGNORE;
- }
-
-+ if (userInfo->pw_uid == 0) {
-+ pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
-+ return PAM_IGNORE;
-+ }
-+
- char *password;
- result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);
-
---
-2.39.2
-
diff --git a/kwallet-pam-5.27.3.tar.xz b/kwallet-pam-5.27.3.tar.xz
deleted file mode 100644
index 0610993..0000000
--- a/kwallet-pam-5.27.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e218299df53fcf0369f6b65eb907a0fbac602a8a75a85c6fc7d8a7d92fea1fdb
-size 22844
diff --git a/kwallet-pam-5.27.3.tar.xz.sig b/kwallet-pam-5.27.3.tar.xz.sig
deleted file mode 100644
index 473f0aa..0000000
--- a/kwallet-pam-5.27.3.tar.xz.sig
+++ /dev/null
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4KPrIC+OV1KOE+cv11dEg7tXsY0FAmQQZ5EACgkQ11dEg7tX -sY1nIw/9GDVX6IWXuVLKrJ8+4N58ipG3C6bMnVopPzqw+LdpDOPHGzaYXoSJ3omc -JIIsMfU06UoQArncQXM4Yb1Rok+yjEaXHHLIX5ZnwXajBbRq5IIAQ8O5+d2BhCHN -jK6BBQNq0Bk9X6eRN8E/DUco4P3NS1BUv4+Szt1lToWjIoGsFAburzzw/63Z2tk3 -f5qeHkJw8XMFDCfb5sJ7cUznqUjBHTVYK7weBxkvLqje2Hxa8k1GDnD0lMlvDzDC -jmYDS6GeOSsKX2QWEoqq2Z/zhWEkHb3d9e8VgGC5YYi69uB6huLrHP2ooPI/KPSg -exOjNjRF15SXCLTouukfJZx6xgMhukjt2bqm+B4TPvnGJhDwFmBJuvjTQfE4WgXb -/SZhZuDBQ1zGHvXFI6tTjweVd+IhOw+ZnSO5iFUzSA284Y5usbZmITnNteY6gPB9 -vn6ONdwNfK3gjXugtnfXxW1a8sbNSCYHYqIL/z0KfLQqgeeXEnUgFmlrsTYJ3Scs -lxn7RhrV4O4CrCo+nYIBWjjLxZLyxGaMuCWCrwhuyRem1HbL3qrRUEY/vC/sKaaU -pZLXisM4TkgLh3rYkCuDVtZGxH9m0D8apjDpxLElqN4tXpXDd+CbD6fXK1y/tpYI -nPT5pxVF0KtB54gCr0GsSK2VKxtWZHFVVTzWh7HZKU2YNMB3L08= -=7meE ------END PGP SIGNATURE----- diff --git a/kwallet-pam-5.27.4.tar.xz b/kwallet-pam-5.27.4.tar.xz new file mode 100644 index 0000000..b1384bd --- /dev/null +++ b/kwallet-pam-5.27.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cea13f6b4cc17cb692cf0f94880926e4a072f6af8f4c0bce343ef3d5eafc126c +size 23028 diff --git a/kwallet-pam-5.27.4.tar.xz.sig b/kwallet-pam-5.27.4.tar.xz.sig new file mode 100644 index 0000000..eeb1348 --- /dev/null +++ b/kwallet-pam-5.27.4.tar.xz.sig 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4KPrIC+OV1KOE+cv11dEg7tXsY0FAmQr/jkACgkQ11dEg7tX +sY1yXQ/+JNi4eHAfsG1YcKe4jHWA5DPhMepYLF8V2qg5BSOoGBpXwSRznIFQWa4O +6Eq37lPo5xKKDM2xG7HgvFyRhs2fwf470jkB+WeAhHUjYwASjqHLegIAvl2ZXUCA +xfwVbzbSnsBfpd8/1nUPyU7QROkzIiEpL2hmgG8nWzI+4gISrBHjXwM4EuI47vy8 +4gdrZCN8s0FYgMjhPIQzOlexoWJZqUwbd9sO/vzCJcXqD9CpQ1q/qWfwK21SHiZI +lfM9uV66aQcVDroEuY0slCDnwxSY9IrJkuzy8rNTI3K40iuyTBVx7jGnwlWex7ue +oQF8XQjQQdfUEZSSc5vSHITmaBSR0OdnQtV9/QLCrlOmbOeyEO0jisiA2IEAx+66 +mQ/joxYYVwJtgzEGAHUiEwqprFjBZiql2vCNruFFS9ReQMkm/wRxcPBPH6/yr+s5 +Ff3zeM/q4SYQIeYKtj66uJXigyO5qCczdFmj9N3fICyXFdetD8uRhPv3w5afus6O +2pudm0hp/Sc3USpsayFa1oFqCRzPip8uhJLKA4aAlcnhofFWYbj9FG0OGnKedkXN +E2Xd2+aTeZ6feE8+GrphPN8pMYlheyQEgh2fr4C8US/bAAofU3gn7gM+sCXTW/p7 +EYSzWsro7KvsMMW9QQv+2lMtOGP3Mb/S/33nMUjXdF/+bBsrZ6Y= +=wpba +-----END PGP SIGNATURE----- diff --git a/pam_kwallet.changes b/pam_kwallet.changes index 1474c7d..80688fc 100644 --- a/pam_kwallet.changes +++ b/pam_kwallet.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Tue Apr 4 15:05:39 UTC 2023 - Fabian Vogt + +- Update to 5.27.4 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.4 +- Changes since 5.27.3: + * Exit early if the target user is root + * Don't do anything if the password is empty + * Verify that XDG_RUNTIME_DIR is usable +- Drop patches, now upstream: + * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch + * 0002-Don-t-do-anything-if-the-password-is-empty.patch + * 0003-Exit-early-if-the-target-user-is-root.patch + ------------------------------------------------------------------- Tue Mar 14 15:05:58 UTC 2023 - Fabian Vogt diff --git a/pam_kwallet.spec b/pam_kwallet.spec index 47d4a14..266a83d 100644 --- a/pam_kwallet.spec +++ b/pam_kwallet.spec 
@@ -18,7 +18,7 @@ %bcond_without released Name: pam_kwallet -Version: 5.27.3 +Version: 5.27.4 Release: 0 Summary: A PAM Module for KWallet signing License: GPL-2.0-or-later AND LGPL-2.1-only AND GPL-3.0-only @@ -31,9 +31,6 @@ Source2: plasma.keyring %endif Source3: baselibs.conf # PATCH-FIX-UPSTREAM https://invent.kde.org/plasma/kwallet-pam/-/merge_requests/12 -Patch1: 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch -Patch2: 0002-Don-t-do-anything-if-the-password-is-empty.patch -Patch3: 0003-Exit-early-if-the-target-user-is-root.patch Patch4: 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch BuildRequires: extra-cmake-modules >= 1.2.0 BuildRequires: kf5-filesystem
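Review bot: In the second spec hunk, `Patch4` is now the only entry left under the `# PATCH-FIX-UPSTREAM https://invent.kde.org/plasma/kwallet-pam/-/merge_requests/12` comment, and nothing records why it is still carried while the other three patches of the series are dropped as upstream. Because the series hardens a PAM module (runtime-directory ownership check, empty-password and root guards), I would add a line above it such as `# Patch4 is not part of the 5.27.4 tarball; drop once released upstream`, assuming that is in fact the reason it stays. The %prep section lies outside this diff; if it applies patches by number rather than automatically, the entries for patches 1 to 3 would need to be removed there as well.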