Accepting request 1077286 from KDE:Frameworks5

Plasma 5.27.4(.1) (forwarded request 1077257 from Vogtinator)

OBS-URL: https://build.opensuse.org/request/show/1077286
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_kwallet?expand=0&rev=123

0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch

@@ -1,37 +0,0 @@
-From 42f4dbd10b0f1a24d38513399f07936360920fa2 Mon Sep 17 00:00:00 2001
-From: Fabian Vogt <fabian@ritter-vogt.de>
-Date: Mon, 13 Mar 2023 10:07:22 +0100
-Subject: [PATCH 1/4] Verify that XDG_RUNTIME_DIR is usable
-
-It needs to be an existing directory with mode 0700 and owned by the user.
----
- pam_kwallet.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index e8fbc27..31e93aa 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -455,6 +455,19 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
-         snprintf(fullSocket, needed, "%s/%s_%s%s", socketPath, socketPrefix, userInfo->pw_name, ".socket");
-     } else {
-         socketPath = get_env(pamh, "XDG_RUNTIME_DIR");
-+        // Check whether XDG_RUNTIME_DIR is usable
-+        if (socketPath) {
-+            struct stat rundir_stat;
-+            if (stat(socketPath, &rundir_stat) != 0) {
-+                pam_syslog(pamh, LOG_ERR, "%s: Failed to stat %s", logPrefix, socketPath);
-+                socketPath = NULL;
-+            } else if(!S_ISDIR(rundir_stat.st_mode) || (rundir_stat.st_mode & ~S_IFMT) != 0700
-+                      || rundir_stat.st_uid != userInfo->pw_uid) {
-+                pam_syslog(pamh, LOG_ERR, "%s: %s has wrong type, perms or ownership", logPrefix, socketPath);
-+                socketPath = NULL;
-+            }
-+        }
-+
-         if (socketPath) {
-             size_t needed = snprintf(NULL, 0, "%s/%s%s", socketPath, socketPrefix, ".socket");
-             needed += 1;
--- 
-2.39.2
-

0002-Don-t-do-anything-if-the-password-is-empty.patch

@@ -1,30 +0,0 @@
-From 09659874cc6cc3ab21314dc3b24a2db1bc77c46c Mon Sep 17 00:00:00 2001
-From: Fabian Vogt <fabian@ritter-vogt.de>
-Date: Mon, 13 Mar 2023 10:09:10 +0100
-Subject: [PATCH 2/4] Don't do anything if the password is empty
-
-If for some reason the password is empty (bug or intentionally configured),
-avoid creating a possibly insecure hash.
----
- pam_kwallet.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index 31e93aa..2cd3758 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -294,6 +294,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
-         return PAM_IGNORE;
-     }
- 
-+    if (password[0] == '\0') {
-+        pam_syslog(pamh, LOG_NOTICE, "%s: Empty or missing password, doing nothing", logPrefix);
-+        return PAM_IGNORE;
-+    }
-+
-     char *key = strdup(password);
-     result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free);
- 
--- 
-2.39.2
-

0003-Exit-early-if-the-target-user-is-root.patch

@@ -1,42 +0,0 @@
-From 2126d9f148506d71ebc5576a91259c80e095f5ec Mon Sep 17 00:00:00 2001
-From: Fabian Vogt <fabian@ritter-vogt.de>
-Date: Mon, 13 Mar 2023 10:12:18 +0100
-Subject: [PATCH 3/4] Exit early if the target user is root
-
-kwallet should not be used as root user, so just refuse doing anything if
-root is the target user.
----
- pam_kwallet.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index 2cd3758..49be6c0 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -265,6 +265,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
-         return PAM_IGNORE;
-     }
- 
-+    if (userInfo->pw_uid == 0) {
-+        pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
-+        return PAM_IGNORE;
-+    }
-+
-     const char *password;
-     result = pam_get_item(pamh, PAM_AUTHTOK, (const void**)&password);
- 
-@@ -569,6 +574,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
-         return PAM_IGNORE;
-     }
- 
-+    if (userInfo->pw_uid == 0) {
-+        pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
-+        return PAM_IGNORE;
-+    }
-+
-     char *password;
-     result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);
- 
--- 
-2.39.2
-

kwallet-pam-5.27.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e218299df53fcf0369f6b65eb907a0fbac602a8a75a85c6fc7d8a7d92fea1fdb
-size 22844

kwallet-pam-5.27.3.tar.xz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4KPrIC+OV1KOE+cv11dEg7tXsY0FAmQQZ5EACgkQ11dEg7tX
-sY1nIw/9GDVX6IWXuVLKrJ8+4N58ipG3C6bMnVopPzqw+LdpDOPHGzaYXoSJ3omc
-JIIsMfU06UoQArncQXM4Yb1Rok+yjEaXHHLIX5ZnwXajBbRq5IIAQ8O5+d2BhCHN
-jK6BBQNq0Bk9X6eRN8E/DUco4P3NS1BUv4+Szt1lToWjIoGsFAburzzw/63Z2tk3
-f5qeHkJw8XMFDCfb5sJ7cUznqUjBHTVYK7weBxkvLqje2Hxa8k1GDnD0lMlvDzDC
-jmYDS6GeOSsKX2QWEoqq2Z/zhWEkHb3d9e8VgGC5YYi69uB6huLrHP2ooPI/KPSg
-exOjNjRF15SXCLTouukfJZx6xgMhukjt2bqm+B4TPvnGJhDwFmBJuvjTQfE4WgXb
-/SZhZuDBQ1zGHvXFI6tTjweVd+IhOw+ZnSO5iFUzSA284Y5usbZmITnNteY6gPB9
-vn6ONdwNfK3gjXugtnfXxW1a8sbNSCYHYqIL/z0KfLQqgeeXEnUgFmlrsTYJ3Scs
-lxn7RhrV4O4CrCo+nYIBWjjLxZLyxGaMuCWCrwhuyRem1HbL3qrRUEY/vC/sKaaU
-pZLXisM4TkgLh3rYkCuDVtZGxH9m0D8apjDpxLElqN4tXpXDd+CbD6fXK1y/tpYI
-nPT5pxVF0KtB54gCr0GsSK2VKxtWZHFVVTzWh7HZKU2YNMB3L08=
-=7meE
------END PGP SIGNATURE-----

kwallet-pam-5.27.4.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cea13f6b4cc17cb692cf0f94880926e4a072f6af8f4c0bce343ef3d5eafc126c
+size 23028

kwallet-pam-5.27.4.tar.xz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4KPrIC+OV1KOE+cv11dEg7tXsY0FAmQr/jkACgkQ11dEg7tX
+sY1yXQ/+JNi4eHAfsG1YcKe4jHWA5DPhMepYLF8V2qg5BSOoGBpXwSRznIFQWa4O
+6Eq37lPo5xKKDM2xG7HgvFyRhs2fwf470jkB+WeAhHUjYwASjqHLegIAvl2ZXUCA
+xfwVbzbSnsBfpd8/1nUPyU7QROkzIiEpL2hmgG8nWzI+4gISrBHjXwM4EuI47vy8
+4gdrZCN8s0FYgMjhPIQzOlexoWJZqUwbd9sO/vzCJcXqD9CpQ1q/qWfwK21SHiZI
+lfM9uV66aQcVDroEuY0slCDnwxSY9IrJkuzy8rNTI3K40iuyTBVx7jGnwlWex7ue
+oQF8XQjQQdfUEZSSc5vSHITmaBSR0OdnQtV9/QLCrlOmbOeyEO0jisiA2IEAx+66
+mQ/joxYYVwJtgzEGAHUiEwqprFjBZiql2vCNruFFS9ReQMkm/wRxcPBPH6/yr+s5
+Ff3zeM/q4SYQIeYKtj66uJXigyO5qCczdFmj9N3fICyXFdetD8uRhPv3w5afus6O
+2pudm0hp/Sc3USpsayFa1oFqCRzPip8uhJLKA4aAlcnhofFWYbj9FG0OGnKedkXN
+E2Xd2+aTeZ6feE8+GrphPN8pMYlheyQEgh2fr4C8US/bAAofU3gn7gM+sCXTW/p7
+EYSzWsro7KvsMMW9QQv+2lMtOGP3Mb/S/33nMUjXdF/+bBsrZ6Y=
+=wpba
+-----END PGP SIGNATURE-----

pam_kwallet.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Apr  4 15:05:39 UTC 2023 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Update to 5.27.4
+  * New bugfix release
+  * For more details please see:
+  * https://kde.org/announcements/plasma/5/5.27.4
+- Changes since 5.27.3:
+  * Exit early if the target user is root
+  * Don't do anything if the password is empty
+  * Verify that XDG_RUNTIME_DIR is usable
+- Drop patches, now upstream:
+  * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch
+  * 0002-Don-t-do-anything-if-the-password-is-empty.patch
+  * 0003-Exit-early-if-the-target-user-is-root.patch
+
 -------------------------------------------------------------------
 Tue Mar 14 15:05:58 UTC 2023 - Fabian Vogt <fabian@ritter-vogt.de>
 

pam_kwallet.spec

@@ -18,7 +18,7 @@
 
 %bcond_without released
 Name:           pam_kwallet
-Version:        5.27.3
+Version:        5.27.4
 Release:        0
 Summary:        A PAM Module for KWallet signing
 License:        GPL-2.0-or-later AND LGPL-2.1-only AND GPL-3.0-only
@@ -31,9 +31,6 @@ Source2:        plasma.keyring
 %endif
 Source3:        baselibs.conf
 # PATCH-FIX-UPSTREAM https://invent.kde.org/plasma/kwallet-pam/-/merge_requests/12
-Patch1:         0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch
-Patch2:         0002-Don-t-do-anything-if-the-password-is-empty.patch
-Patch3:         0003-Exit-early-if-the-target-user-is-root.patch
 Patch4:         0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch
 BuildRequires:  extra-cmake-modules >= 1.2.0
 BuildRequires:  kf5-filesystem