Rebase to release 1.5.2

Resolves: #2001208 Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-09-04 14:29:40 +02:00 · 2021-09-04 14:29:40 +02:00 · b5205aee6b
commit b5205aee6b
parent 06d409fea6
5 changed files with 20 additions and 95 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,3 +8,5 @@
 /Linux-PAM-1.5.0.tar.xz.asc
 /Linux-PAM-1.5.1.tar.xz
 /Linux-PAM-1.5.1.tar.xz.asc
 /Linux-PAM-1.5.2.tar.xz
 /Linux-PAM-1.5.2.tar.xz.asc
--- a/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
+++ b/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
@ -1,39 +0,0 @@
 From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@altlinux.org>
 Date: Thu, 10 Jun 2021 14:00:00 +0000
 Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
 password expiration
 According to Zack Weinberg, the intended meaning of
 CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
 method", it is not supposed to mean "force a password change on next
 login for any user with an existing stored hash using this method".
 This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
 * modules/pam_unix/passverify.c (check_shadow_expiry)
 [CRYPT_CHECKSALT_AVAILABLE]: Remove.
 Closes: https://github.com/linux-pam/linux-pam/issues/367
 ---
 modules/pam_unix/passverify.c | 6 ------
 1 file changed, 6 deletions(-)
 diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
 index f6132f80..5a19ed85 100644
 --- a/modules/pam_unix/passverify.c
 +++ b/modules/pam_unix/passverify.c
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 		D(("account expired"));
 		return PAM_ACCT_EXPIRED;
 	}
 -#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
 -	if (spent->sp_lstchg == 0 ||
 -	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
 -	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
 -#else
 	if (spent->sp_lstchg == 0) {
 -#endif
 		D(("need a new password"));
 		*daysleft = 0;
 		return PAM_NEW_AUTHTOK_REQD;
--- a/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
+++ b/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
@ -1,42 +0,0 @@
 From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Thu, 1 Jul 2021 12:14:29 +0200
 Subject: [PATCH] pam_filter: Close file after controlling tty
 Failing to check the descriptor value meant that there was a bug in the
 attempt to close the controlling tty. Moreover, this would lead to a
 file descriptor leak as pointed out by the static analyzer tool:
 Error: RESOURCE_LEAK (CWE-772): [#def26]
 Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
 Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
 Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious.  "t" leaks when it is zero.
 Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
 Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
  365|   		pam_syslog(pamh, LOG_ERR,
  366|   			   "child cannot become new session: %m");
  367|-> 		return PAM_ABORT;
  368|   	    }
  369|
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 ---
 modules/pam_filter/pam_filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
 index 2f0af4fb..6e6def37 100644
 --- a/modules/pam_filter/pam_filter.c
 +++ b/modules/pam_filter/pam_filter.c
@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
 	    int t = open("/dev/tty", O_RDWR|O_NOCTTY);
 #else
 	    int t = open("/dev/tty",O_RDWR);
 -	    if (t > 0) {
 +	    if (t >= 0) {
 		(void) ioctl(t, TIOCNOTTY, NULL);
 		close(t);
 	    }
 -- 
 2.31.1
--- a/pam.spec
+++ b/pam.spec
@ -2,8 +2,8 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
-Version: 1.5.1
+Version: 1.5.2
-Release: 9%{?dist}
+Release: 1%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -28,10 +28,6 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch1:  pam-1.5.0-redhat-modules.patch
 Patch2:  pam-1.5.0-noflex.patch
 Patch3:  pam-1.3.0-unix-nomsg.patch
 # https://github.com/linux-pam/linux-pam/pull/368
 Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
 # https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8
 Patch5:  pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
 %{load:%{SOURCE3}}
@ -111,8 +107,6 @@ cp %{SOURCE18} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .noflex
 %patch3 -p1 -b .nomsg
 %patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
 %patch5 -p1 -b .pam_filter_close_file_after_controlling_tty
 autoreconf -i
@ -130,9 +124,8 @@ autoreconf -i
 %endif
 	--disable-static \
 	--disable-prelude
-make -C po update-gmo
+%make_build -C po update-gmo
-make
+%make_build
 # we do not use _smp_mflags because the build of sources in yacc/flex fails
 %install
 mkdir -p doc/txts
@ -144,7 +137,7 @@ done
 install -D -m 644 %{SOURCE3} %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}
 # Install the binaries, libraries, and modules.
-make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
+%make_install LDCONFIG=:
 %if %{WITH_SELINUX}
 # Temporary compat link
@ -207,6 +200,10 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
 # Install the file for autocreation of /var/run subdirectories on boot
 install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf
 # Install systemd unit file.
 install -m644 -D modules/pam_namespace/pam_namespace.service \
  $RPM_BUILD_ROOT%{_unitdir}/pam_namespace.service
 %find_lang Linux-PAM
 %check
@ -360,6 +357,9 @@ done
 %{_libdir}/libpam.so
 %{_libdir}/libpamc.so
 %{_libdir}/libpam_misc.so
 %{_libdir}/pkgconfig/pam.pc
 %{_libdir}/pkgconfig/pam_misc.pc
 %{_libdir}/pkgconfig/pamc.pc
 %doc doc/mwg/*.txt doc/mwg/html
 %doc doc/adg/*.txt doc/adg/html
 %doc doc/specs/rfc86.0.txt
@ -384,6 +384,10 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
 exit 0
 %changelog
 * Sat Sep 04 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.2-1
 - Rebase to release 1.5.2
  Resolves: #2001208
 * Thu Jul 22 2021 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-9
 - Add macros file to allow other packages to stop hardcoding directory names
--- a/4
+++ b/4
@ -1,3 +1,3 @@
-SHA512 (Linux-PAM-1.5.1.tar.xz) = 1db091fc43b934dde220f1b85f35937fbaa0a3feec699b2e597e2cdf0c3ce11c17d36d2286d479c9eed24e8ca3ca6233214e4dff256db47249e358c01d424837
+SHA512 (Linux-PAM-1.5.2.tar.xz) = fa16350c132d3e5fb82b60d991768fb596582639841b8ece645c684705467305ccf1302a0147ec222ab78c01b2c9114c5496dc1ca565d2b56bf315f29a815144
-SHA512 (Linux-PAM-1.5.1.tar.xz.asc) = c3937c57dda4d83139bfd546a8e6eccf7dda03cbd485355af78488b0629157a575d442312a3f38734e70b6c164b259597cd6d1d8dc0611cd0d157e1bbe5900d0
+SHA512 (Linux-PAM-1.5.2.tar.xz.asc) = 5e4d9ac533651a9479ef26719430c1fdf31e2b70de859a4f09b17f9e14e8fb25d74a059332841dc8ed9db764971c3e4d9941d613a7bfbb6450122462810109ad
 SHA512 (pam-redhat-1.1.4.tar.bz2) = ad3b53744505faf7c93b1f0c1ef4434c2567b97e292859963401b0c117e824704713c69f7a661cccd3aecd1208facb39c433703c1f3cdea1dbda2c380006bfc4