From 8d3cbe5e3266030886c5d0fac5334103bafd8e3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Mon, 27 Jul 2009 15:23:22 +0000
Subject: [PATCH] - fix for pam_cracklib from upstream
---
 pam-1.1.0-cracklib-authtok.patch | 38 ++++++++++++++++++++++++++++++++
 pam.spec | 7 +++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 pam-1.1.0-cracklib-authtok.patch
diff --git a/pam-1.1.0-cracklib-authtok.patch b/pam-1.1.0-cracklib-authtok.patch
new file mode 100644
index 0000000..164d229
--- /dev/null
+++ b/pam-1.1.0-cracklib-authtok.patch
@@ -0,0 +1,38 @@
+Reset the new authtok if weak.
+diff -u -p -r1.33 -r1.34
+--- modules/pam_cracklib/pam_cracklib.c 11 Dec 2008 19:41:49 -0000 1.33
++++ modules/pam_cracklib/pam_cracklib.c 21 Jul 2009 13:59:24 -0000 1.34
+@@ -545,7 +545,7 @@ static int _pam_unix_approve_pass(pam_ha
+ const char *pass_new)
+ {
+ const char *msg = NULL;
+- const void *user;
++ const char *user;
+ int retval;
+
+ if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
+@@ -556,7 +556,7 @@ static int _pam_unix_approve_pass(pam_ha
+ return PAM_AUTHTOK_ERR;
+ }
+
+- retval = pam_get_item(pamh, PAM_USER, &user);
++ retval = pam_get_user(pamh, &user, NULL);
+ if (retval != PAM_SUCCESS || user == NULL) {
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh,LOG_ERR,"Can not get username");
+@@ -658,6 +658,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg);
+ if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+ {
++ pam_set_item (pamh, PAM_AUTHTOK, NULL);
+ retval = PAM_AUTHTOK_ERR;
+ continue;
+ }
+@@ -670,6 +671,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ if (retval != PAM_SUCCESS) {
+ if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+ {
++ pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ retval = PAM_AUTHTOK_ERR;
+ continue;
+ }
diff --git a/pam.spec b/pam.spec
index 2a71600..891fbc8 100644
--- a/pam.spec
+++ b/pam.spec
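Review bot: The two added `pam_set_item(pamh, PAM_AUTHTOK, NULL)` calls in pam-1.1.0-cracklib-authtok.patch (inner hunks at 658 and 670 of pam_cracklib.c) ignore the return value and carry no comment, so a failed reset would leave the rejected password in PAM_AUTHTOK with nothing logged, and the reason for clearing it lives only in the patch header. I would add a comment such as `/* drop the rejected token so it is not reused on retry or by a later module in the stack */` and check the result, e.g. `if (pam_set_item(pamh, PAM_AUTHTOK, NULL) != PAM_SUCCESS) pam_syslog(pamh, LOG_ERR, "Can not reset new authtok");`. The reset sits inside the `getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)` branch, so for a caller with real UID 0 the weak token is presumably kept on purpose; that deserves a comment as well, and the rest of pam_sm_chauthtok is outside the hunk so the fall-through path cannot be confirmed from here. Separately, the embedded headers name `modules/pam_cracklib/pam_cracklib.c` with no leading prefix while pam.spec applies the patch with `%patch3 -p1`; if the build tree keeps the file under `modules/`, `-p1` strips that component, so confirm the patch actually applies in %prep.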
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -24,6 +24,7 @@ Source13: config-util.5
 Source14: 90-nproc.conf
 Patch1: pam-1.0.90-redhat-modules.patch
 Patch2: pam-1.0.91-std-noclose.patch
+Patch3: pam-1.1.0-cracklib-authtok.patch
 %define _sbindir /sbin
 %define _moduledir /%{_lib}/security
@@ -86,6 +87,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .std-noclose
+%patch3 -p1 -b .authtok
 libtoolize -f
 autoreconf
@@ -325,6 +327,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Mon Jul 27 2009 Tomas Mraz 1.1.0-3
+- fix for pam_cracklib from upstream
+
 * Sat Jul 25 2009 Fedora Release Engineering - 1.1.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild