From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] pam: Update to version 1.6.0
Date: Tue, 23 Jan 2024 12:26:45 +0100
Message-ID: <20240123112647.8800-7-adolf.belka@ipfire.org>
In-Reply-To: <20240123112647.8800-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5196273498177232702=="
List-Id: <development.lists.ipfire.org>

--===============5196273498177232702==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the=
 configure.
   A commit fixing this has been released and converted into a patch for IPFi=
re. This
   will end up in the next pam release version and the IPFire patch can then =
be removed.
- Changelog
    1.6.0
	* Added support of configuration files with arbitrarily long lines.
	* build: fixed build outside of the source tree.
	* libpam: added use of getrandom(2) as a source of randomness if available.
	* libpam: fixed calculation of fail delay with very long delays.
	* libpam: fixed potential infinite recursion with includes.
	* libpam: implemented string to number conversions validation when parsing
	  controls in configuration.
	* pam_access: added quiet_log option.
	* pam_access: fixed truncation of very long group names.
	* pam_canonicalize_user: new module to canonicalize user name.
	* pam_echo: fixed file handling to prevent overflows and short reads.
	* pam_env: added support of '\' character in environment variable values.
	* pam_exec: allowed expose_authtok for password PAM_TYPE.
	* pam_exec: fixed stack overflow with binary output of programs.
	* pam_faildelay: implemented parameter ranges validation.
	* pam_listfile: changed to treat \r and \n exactly the same in configuration.
	* pam_mkhomedir: hardened directory creation against timing attacks.
	  Please note that using *at functions leads to more open file handles
	  during creation.
	* pam_namespace: fixed potential local DoS (CVE-2024-22365).
	* pam_nologin: fixed file handling to prevent short reads.
	* pam_pwhistory: helper binary is now built only if SELinux support is enabl=
ed.
	* pam_pwhistory: implemented reliable usernames handling when remembering
	  passwords.
	* pam_shells: changed to allow shell entries with absolute paths only.
	* pam_succeed_if: fixed treating empty strings as numerical value 0.
	* pam_unix: added support of disabled password aging.
	* pam_unix: synchronized password aging with shadow.
	* pam_unix: implemented string to number conversions validation.
	* pam_unix: fixed truncation of very long user names.
	* pam_unix: corrected rounds retrieval for configured encryption method.
	* pam_unix: implemented reliable usernames handling when remembering passwor=
ds.
	* pam_unix: changed to always run the helper to obtain shadow password entri=
es.
	* pam_unix: unix_update helper binary is now built only if SELinux support
	  is enabled.
	* pam_unix: added audit support to unix_update helper.
	* pam_userdb: added gdbm support.
	* Multiple minor bug fixes, portability fixes, documentation improvements,
	  and translation updates.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/common/pam                           |  3 +++
 lfs/pam                                               |  7 ++++---
 ...pam:_fix_build_with_--enable-read-both-confs.patch | 11 +++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enab=
le-read-both-confs.patch

diff --git a/config/rootfiles/common/pam b/config/rootfiles/common/pam
index e25fc9c26..de5c5b466 100644
--- a/config/rootfiles/common/pam
+++ b/config/rootfiles/common/pam
@@ -17,6 +17,8 @@ etc/security
 #lib/security/mkhomedir_helper
 #lib/security/pam_access.la
 lib/security/pam_access.so
+#lib/security/pam_canonicalize_user.la
+#lib/security/pam_canonicalize_user.so
 #lib/security/pam_debug.la
 #lib/security/pam_debug.so
 #lib/security/pam_deny.la
@@ -193,6 +195,7 @@ usr/lib/libpamc.so.0.82.1
 #usr/share/man/man8/mkhomedir_helper.8
 #usr/share/man/man8/pam.8
 #usr/share/man/man8/pam_access.8
+#usr/share/man/man8/pam_canonicalize_user.8
 #usr/share/man/man8/pam_debug.8
 #usr/share/man/man8/pam_deny.8
 #usr/share/man/man8/pam_echo.8
diff --git a/lfs/pam b/lfs/pam
index 020de981c..5e315a027 100644
--- a/lfs/pam
+++ b/lfs/pam
@@ -1,7 +1,7 @@
 ############################################################################=
###
 #                                                                           =
  #
 # IPFire.org - A linux based firewall                                       =
  #
-# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                 =
    #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                 =
    #
 #                                                                           =
  #
 # This program is free software: you can redistribute it and/or modify      =
  #
 # it under the terms of the GNU General Public License as published by      =
  #
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER        =3D 1.5.3
+VER        =3D 1.6.0
=20
 THISAPP    =3D Linux-PAM-$(VER)
 DL_FILE    =3D $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_BLAKE2 =3D 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34ce=
cfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb
+$(DL_FILE)_BLAKE2 =3D 8ad3ed2d58b48cf43d065f15669788c113eee2aa3fc86cf38565a0=
e4835b142564ff1af5bcd3377db08af77141d25b4e93752a387ff7eabc00b4a826aa9ea39d
=20
 install : $(TARGET)
=20
@@ -70,6 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/Linux-PAM-1.6.0-libpa=
m:_fix_build_with_--enable-read-both-confs.patch
 	$(UPDATE_AUTOMAKE)
 	cd $(DIR_APP) && ./configure --libdir=3D/usr/lib \
 		--sbindir=3D/lib/security \
diff --git a/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read=
-both-confs.patch b/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enab=
le-read-both-confs.patch
new file mode 100644
index 000000000..1736c5f35
--- /dev/null
+++ b/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-c=
onfs.patch
@@ -0,0 +1,11 @@
+--- Linux-PAM-1.6.0/libpam/pam_handlers.c.orig	2024-01-17 11:29:36.000000000=
 +0100
++++ Linux-PAM-1.6.0/libpam/pam_handlers.c	2024-01-22 16:02:45.546376172 +0100
+@@ -500,7 +500,7 @@
+=20
+ 		if (pamh->confdir =3D=3D NULL
+ 		    && (f =3D fopen(PAM_CONFIG,"r")) !=3D NULL) {
+-		    retval =3D _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1);
++		    retval =3D _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 0, 1);
+ 		    fclose(f);
+ 		} else
+ #endif /* PAM_READ_BOTH_CONFS */
--=20
2.43.0


--===============5196273498177232702==--