Rebase to release 1.5.2

Resolves: #2001208 Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-09-04 14:29:40 +02:00 · 2021-09-04 14:29:40 +02:00 · b5205aee6b
parent 06d409fea6
commit b5205aee6b
5 changed files with 20 additions and 95 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,3 +8,5 @@
 /Linux-PAM-1.5.0.tar.xz.asc
 /Linux-PAM-1.5.1.tar.xz
 /Linux-PAM-1.5.1.tar.xz.asc
+/Linux-PAM-1.5.2.tar.xz
+/Linux-PAM-1.5.2.tar.xz.asc
--- a/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
+++ b/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
@ -1,39 +0,0 @@
-From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Thu, 10 Jun 2021 14:00:00 +0000
-Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
- password expiration
-
-According to Zack Weinberg, the intended meaning of
-CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
-method", it is not supposed to mean "force a password change on next
-login for any user with an existing stored hash using this method".
-
-This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
-
-* modules/pam_unix/passverify.c (check_shadow_expiry)
-[CRYPT_CHECKSALT_AVAILABLE]: Remove.
-
-Closes: https://github.com/linux-pam/linux-pam/issues/367
---
- modules/pam_unix/passverify.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index f6132f80..5a19ed85 100644
--- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- 		D(("account expired"));
- 		return PAM_ACCT_EXPIRED;
- 	}
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-	if (spent->sp_lstchg == 0 ||
-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
-#else
- 	if (spent->sp_lstchg == 0) {
-#endif
- 		D(("need a new password"));
- 		*daysleft = 0;
- 		return PAM_NEW_AUTHTOK_REQD;
--- a/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
+++ b/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
@ -1,42 +0,0 @@
-From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Thu, 1 Jul 2021 12:14:29 +0200
-Subject: [PATCH] pam_filter: Close file after controlling tty
-
-Failing to check the descriptor value meant that there was a bug in the
-attempt to close the controlling tty. Moreover, this would lead to a
-file descriptor leak as pointed out by the static analyzer tool:
-
-Error: RESOURCE_LEAK (CWE-772): [#def26]
-Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
-Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
-Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious.  "t" leaks when it is zero.
-Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
-Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
-  365|   		pam_syslog(pamh, LOG_ERR,
-  366|   			   "child cannot become new session: %m");
-  367|-> 		return PAM_ABORT;
-  368|   	    }
-  369|
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
- modules/pam_filter/pam_filter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
-index 2f0af4fb..6e6def37 100644
--- a/modules/pam_filter/pam_filter.c
-+++ b/modules/pam_filter/pam_filter.c
-@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
- 	    int t = open("/dev/tty", O_RDWR|O_NOCTTY);
- #else
- 	    int t = open("/dev/tty",O_RDWR);
-	    if (t > 0) {
-+	    if (t >= 0) {
- 		(void) ioctl(t, TIOCNOTTY, NULL);
- 		close(t);
- 	    }
-- 
-2.31.1
-
--- a/pam.spec
+++ b/pam.spec
@ -2,8 +2,8 @@

 Summary: An extensible library which provides authentication for applications
 Name: pam
-Version: 1.5.1
-Release: 9%{?dist}
+Version: 1.5.2
+Release: 1%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -28,10 +28,6 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch1:  pam-1.5.0-redhat-modules.patch
 Patch2:  pam-1.5.0-noflex.patch
 Patch3:  pam-1.3.0-unix-nomsg.patch
-# https://github.com/linux-pam/linux-pam/pull/368
-Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
-# https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8
-Patch5:  pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch

 %{load:%{SOURCE3}}

@ -111,8 +107,6 @@ cp %{SOURCE18} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .noflex
 %patch3 -p1 -b .nomsg
-%patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
-%patch5 -p1 -b .pam_filter_close_file_after_controlling_tty

 autoreconf -i

@ -130,9 +124,8 @@ autoreconf -i
 %endif
 	--disable-static \
 	--disable-prelude
-make -C po update-gmo
-make
-# we do not use _smp_mflags because the build of sources in yacc/flex fails
+%make_build -C po update-gmo
+%make_build

 %install
 mkdir -p doc/txts
@ -144,7 +137,7 @@ done
 install -D -m 644 %{SOURCE3} %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}

 # Install the binaries, libraries, and modules.
-make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
+%make_install LDCONFIG=:

 %if %{WITH_SELINUX}
 # Temporary compat link
@ -207,6 +200,10 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
 # Install the file for autocreation of /var/run subdirectories on boot
 install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf

+# Install systemd unit file.
+install -m644 -D modules/pam_namespace/pam_namespace.service \
+  $RPM_BUILD_ROOT%{_unitdir}/pam_namespace.service
+
 %find_lang Linux-PAM

 %check
@ -360,6 +357,9 @@ done
 %{_libdir}/libpam.so
 %{_libdir}/libpamc.so
 %{_libdir}/libpam_misc.so
+%{_libdir}/pkgconfig/pam.pc
+%{_libdir}/pkgconfig/pam_misc.pc
+%{_libdir}/pkgconfig/pamc.pc
 %doc doc/mwg/*.txt doc/mwg/html
 %doc doc/adg/*.txt doc/adg/html
 %doc doc/specs/rfc86.0.txt
@ -384,6 +384,10 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
 exit 0

 %changelog
+* Sat Sep 04 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.2-1
+- Rebase to release 1.5.2
+  Resolves: #2001208
+
 * Thu Jul 22 2021 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-9
 - Add macros file to allow other packages to stop hardcoding directory names

--- a/4
+++ b/4
@ -1,3 +1,3 @@
-SHA512 (Linux-PAM-1.5.1.tar.xz) = 1db091fc43b934dde220f1b85f35937fbaa0a3feec699b2e597e2cdf0c3ce11c17d36d2286d479c9eed24e8ca3ca6233214e4dff256db47249e358c01d424837
-SHA512 (Linux-PAM-1.5.1.tar.xz.asc) = c3937c57dda4d83139bfd546a8e6eccf7dda03cbd485355af78488b0629157a575d442312a3f38734e70b6c164b259597cd6d1d8dc0611cd0d157e1bbe5900d0
+SHA512 (Linux-PAM-1.5.2.tar.xz) = fa16350c132d3e5fb82b60d991768fb596582639841b8ece645c684705467305ccf1302a0147ec222ab78c01b2c9114c5496dc1ca565d2b56bf315f29a815144
+SHA512 (Linux-PAM-1.5.2.tar.xz.asc) = 5e4d9ac533651a9479ef26719430c1fdf31e2b70de859a4f09b17f9e14e8fb25d74a059332841dc8ed9db764971c3e4d9941d613a7bfbb6450122462810109ad
 SHA512 (pam-redhat-1.1.4.tar.bz2) = ad3b53744505faf7c93b1f0c1ef4434c2567b97e292859963401b0c117e824704713c69f7a661cccd3aecd1208facb39c433703c1f3cdea1dbda2c380006bfc4