package/linux-pam: bump version to 1.2.1

Move to the latest release of linux-pam. This allows us to remove
a number of patches and consolidate the existing ones :

- 0001-configure.patch
- 0007-rhosts.patch

these two patches deal with the ruserok function, which is not
usable with uclibc. Consolidated into
0002-Conditionally-compile-per-ruserok-availability.patch.

- 0003-group.patch
- 0005-succeed.patch
- 0006-time.patch

these three patches deal with the innetgr function, which is not
usable with uclibc. Consolidated into
0003-Conditionally-compile-per-innetgr-availability.patch.

- 0004-mkdir.patch

Fixed in upstream, no longer required.

- 0002-doc-makefile-am.patch

renamed to 0001-doc-makefile-am.patch.

- 0008-fix-CVE-2014-2583.patch
- 0009-fix-CVE-2013-7041.patch

These patches are already included in the new release and so
can be safely deleted.

Signed-off-by: Brendan Heading <brendanheading@gmail.com>
Tested-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

13 files changed, 138 insertions, 248 deletions

diff --git a/package/linux-pam/0001-configure.patch b/package/linux-pam/0001-configure.patch
deleted file mode 100644
index d39261f74..000000000
--- a/package/linux-pam/0001-configure.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Add check for ruserok
-
-ruserok is not available/functional in uclibc, provide conditions for compilation
-where needed.
-
-Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
-
-diff -urN a/configure.in b/configure.in
---- a/configure.in	2012-08-17 03:48:24.000000000 -0500
-+++ b/configure.in	2013-07-17 09:49:23.760254684 -0500
-@@ -526,7 +526,7 @@
- AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
- AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
- AC_CHECK_FUNCS(getgrouplist getline getdelim)
--AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
-+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
- 
- AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
- AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/package/linux-pam/0002-doc-makefile-am.patch b/package/linux-pam/0001-doc-makefile-am.patch
index 8fa2dda2f..ac3ff2b22 100644
--- a/package/linux-pam/0002-doc-makefile-am.patch
+++ b/package/linux-pam/0001-doc-makefile-am.patch
@@ -3,6 +3,9 @@ Disable generation of documentation
 Generation of documentation is not necessary in Buildroot, disable it completely.
 
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+Signed-off-by: Brendan Heading <brendanheading@gmail.com>
+
+Upstream-status: inappropriate
 
 diff -urN a/doc/Makefile.am b/doc/Makefile.am
 --- a/doc/Makefile.am	2012-08-15 06:08:43.000000000 -0500
diff --git a/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch
new file mode 100644
index 000000000..cec642d84
--- /dev/null
+++ b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch
@@ -0,0 +1,49 @@
+ruserok is not available/functional in uclibc, provide conditions
+for compilation where needed.
+
+Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> -
+porting to linux-pam 1.2.1.
+
+Signed-off-by: Brendan Heading <brendanheading@gmail.com>
+
+Upstream-status: pending
+
+---
+ configure.ac                    | 2 +-
+ modules/pam_rhosts/pam_rhosts.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 08e4530..fd2fd23 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -542,7 +542,7 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
+ AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+ AC_CHECK_FUNCS(getgrouplist getline getdelim)
+-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
+ 
+ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+ AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
+diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
+index bc9e76f..909db29 100644
+--- a/modules/pam_rhosts/pam_rhosts.c
++++ b/modules/pam_rhosts/pam_rhosts.c
+@@ -114,8 +114,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
+ #ifdef HAVE_RUSEROK_AF
+     retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
+ #else
++  #ifdef HAVE_RUSEROK
+     retval = ruserok (rhost, as_root, ruser, luser);
+-#endif
++  #else
++    retval = -1;
++  #endif  /* HAVE_RUSEROK */
++#endif  /*HAVE_RUSEROK_AF */
+     if (retval != 0) {
+       if (!opt_silent || opt_debug)
+ 	pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
+-- 
+2.4.3
+
diff --git a/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch
new file mode 100644
index 000000000..4b516fa98
--- /dev/null
+++ b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch
@@ -0,0 +1,84 @@
+innetgr is not available/functional in uclibc, provide conditions for
+compilation.
+
+Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> - porting
+to linux-pam 1.2.1.
+
+Signed-off-by: Brendan Heading <brendanheading@gmail.com>
+
+Upstream-status: pending
+
+---
+ modules/pam_group/pam_group.c           | 8 +++++++-
+ modules/pam_succeed_if/pam_succeed_if.c | 4 ++++
+ modules/pam_time/pam_time.c             | 8 +++++++-
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
+index be5f20f..0982de8 100644
+--- a/modules/pam_group/pam_group.c
++++ b/modules/pam_group/pam_group.c
+@@ -655,8 +655,14 @@ static int check_account(pam_handle_t *pamh, const char *service,
+ 	    continue;
+ 	}
+ 	/* If buffer starts with @, we are using netgroups */
+-	if (buffer[0] == '@')
++	if (buffer[0] == '@') {
++#ifdef HAVE_INNETGR
+ 	  good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++	  good = 0;
++	  pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
++#endif  /* HAVE_INNETGR */
++	}
+ 	/* otherwise, if the buffer starts with %, it's a UNIX group */
+ 	else if (buffer[0] == '%')
+           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
+diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
+index aa828fc..c09d669 100644
+--- a/modules/pam_succeed_if/pam_succeed_if.c
++++ b/modules/pam_succeed_if/pam_succeed_if.c
+@@ -233,16 +233,20 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
+ static int
+ evaluate_innetgr(const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ 	if (innetgr(group, host, user, NULL) == 1)
+ 		return PAM_SUCCESS;
++#endif /* HAVE_INNETGR */
+ 	return PAM_AUTH_ERR;
+ }
+ /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+ static int
+ evaluate_notinnetgr(const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ 	if (innetgr(group, host, user, NULL) == 0)
+ 		return PAM_SUCCESS;
++#endif /* HAVE_INNETGR */
+ 	return PAM_AUTH_ERR;
+ }
+ 
+diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
+index c94737c..4898fd2 100644
+--- a/modules/pam_time/pam_time.c
++++ b/modules/pam_time/pam_time.c
+@@ -554,8 +554,14 @@ check_account(pam_handle_t *pamh, const char *service,
+ 	       continue;
+ 	  }
+ 	  /* If buffer starts with @, we are using netgroups */
+-	  if (buffer[0] == '@')
++	  if (buffer[0] == '@') {
++#ifdef HAVE_INNETGR
+ 	    good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++	    good = 0;
++	    pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
++#endif /* HAVE_INNETGR */
++	  }
+ 	  else
+ 	    good &= logic_field(pamh, user, buffer, count, is_same);
+ 	  D(("with user: %s", good ? "passes":"fails" ));
+-- 
+2.4.3
+
diff --git a/package/linux-pam/0003-group.patch b/package/linux-pam/0003-group.patch
deleted file mode 100644
index a94cf9e3d..000000000
--- a/package/linux-pam/0003-group.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Conditionally compile per innetgr availability
-
-innetgr is not available/functional in uclibc, provide conditions for compilation.
-
-Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
-
-Index: linux-pam-1.1.4/modules/pam_group/pam_group.c
-============================================================================
---- linux-pam-1.1.4/modules/pam_group/pam_group.c	2011-06-21 05:04:56.000000000 -0400
-+++ linux-pam-1.1.4/modules/pam_group/pam_group.c	2012-08-09 21:35:06.000000000 -0400
-@@ -655,8 +655,14 @@
- 	    continue;
- 	}
- 	/* If buffer starts with @, we are using netgroups */
--	if (buffer[0] == '@')
-+	if (buffer[0] == '@') {
-+#ifdef HAVE_INNETGR
- 	  good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+	  good = 0;
-+	  pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
-+#endif  /* HAVE_INNETGR */
-+	}
- 	/* otherwise, if the buffer starts with %, it's a UNIX group */
- 	else if (buffer[0] == '%')
-           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
diff --git a/package/linux-pam/0004-mkdir.patch b/package/linux-pam/0004-mkdir.patch
deleted file mode 100644
index 00056daf3..000000000
--- a/package/linux-pam/0004-mkdir.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-$(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead.
-Upstream should really gettextize with a newer version before packing up.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in
---- Linux-PAM-1.1.7.orig/po/Makefile.in.in	2013-09-11 20:45:16.610770002 -0300
-+++ Linux-PAM-1.1.7/po/Makefile.in.in	2013-09-11 20:45:28.030145316 -0300
-@@ -31,7 +31,7 @@
- INSTALL = @INSTALL@
- INSTALL_DATA = @INSTALL_DATA@
- mkinstalldirs = $(SHELL) @install_sh@ -d
--mkdir_p = @mkdir_p@
-+mkdir_p = @MKDIR_P@
- 
- GMSGFMT_ = @GMSGFMT@
- GMSGFMT_no = @GMSGFMT@
diff --git a/package/linux-pam/0005-succeed.patch b/package/linux-pam/0005-succeed.patch
deleted file mode 100644
index 8a675efa2..000000000
--- a/package/linux-pam/0005-succeed.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Conditionally compile per innetgr availability
-
-innetgr is not available/functional in uclibc, provide conditions for compilation.
-
-Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
-
-Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c
-============================================================================
---- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c	2011-06-21 05:04:56.000000000 -0400
-+++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c	2012-08-09 21:05:02.000000000 -0400
-@@ -233,16 +233,20 @@
- static int
- evaluate_innetgr(const char *host, const char *user, const char *group)
- {
-+#ifdef HAVE_INNETGR
- 	if (innetgr(group, host, user, NULL) == 1)
- 		return PAM_SUCCESS;
-+#endif /* HAVE_INNETGR */
- 	return PAM_AUTH_ERR;
- }
- /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
- static int
- evaluate_notinnetgr(const char *host, const char *user, const char *group)
- {
-+#ifdef HAVE_INNETGR
- 	if (innetgr(group, host, user, NULL) == 0)
- 		return PAM_SUCCESS;
-+#endif /* HAVE_INNETGR */
- 	return PAM_AUTH_ERR;
- }
- 
diff --git a/package/linux-pam/0006-time.patch b/package/linux-pam/0006-time.patch
deleted file mode 100644
index 58d7c9f02..000000000
--- a/package/linux-pam/0006-time.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Conditionally compile per innetgr availability
-
-innetgr is not available/functional in uclibc, provide conditions for compilation.
-
-Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
-
-Index: linux-pam-1.1.4/modules/pam_time/pam_time.c
-============================================================================
---- linux-pam-1.1.4/modules/pam_time/pam_time.c	2011-06-21 05:04:56.000000000 -0400
-+++ linux-pam-1.1.4/modules/pam_time/pam_time.c	2012-08-09 21:02:29.000000000 -0400
-@@ -554,8 +554,14 @@
- 	       continue;
- 	  }
- 	  /* If buffer starts with @, we are using netgroups */
--	  if (buffer[0] == '@')
-+	  if (buffer[0] == '@') {
-+#ifdef HAVE_INNETGR
- 	    good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+	    good = 0;
-+	    pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
-+#endif /* HAVE_INNETGR */
-+	  }
- 	  else
- 	    good &= logic_field(pamh, user, buffer, count, is_same);
- 	  D(("with user: %s", good ? "passes":"fails" ));
diff --git a/package/linux-pam/0007-rhosts.patch b/package/linux-pam/0007-rhosts.patch
deleted file mode 100644
index 58f9adbb1..000000000
--- a/package/linux-pam/0007-rhosts.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Conditionally compile per ruserok availability
-
-ruserok is not available/functional in uclibc, provide conditions for compilation.
-
-Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
-
-Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c
-============================================================================
---- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c	2011-06-21 05:04:56.000000000 -0400
-+++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c	2012-08-09 21:19:34.000000000 -0400
-@@ -114,8 +114,12 @@
- #ifdef HAVE_RUSEROK_AF
-     retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
- #else
-+  #ifdef HAVE_RUSEROK
-     retval = ruserok (rhost, as_root, ruser, luser);
--#endif
-+  #else
-+    retval = -1;
-+  #endif  /* HAVE_RUSEROK */
-+#endif  /*HAVE_RUSEROK_AF */
-     if (retval != 0) {
-       if (!opt_silent || opt_debug)
- 	pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
diff --git a/package/linux-pam/0008-fix-CVE-2014-2583.patch b/package/linux-pam/0008-fix-CVE-2014-2583.patch
deleted file mode 100644
index a8b5f7bb7..000000000
--- a/package/linux-pam/0008-fix-CVE-2014-2583.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
-
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-
-Fixes CVE-2014-2583.
-
-Reported-by: Sebastian Krahmer <krahmer@suse.de>
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
---- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- 		tty = strrchr(tty, '/') + 1;
- 	}
- 	/* Make sure the tty wasn't actually a directory (no basename). */
--	if (strlen(tty) == 0) {
-+	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- 		return NULL;
- 	}
- 	return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- 		if (pwd != NULL) {
- 			ruser = pwd->pw_name;
- 		}
-+	} else {
-+		/*
-+		 * This ruser is used by format_timestamp_name as a component
-+		 * of constructed timestamp pathname, so ".", "..", and '/'
-+		 * are disallowed to avoid potential path traversal issues.
-+		 */
-+		if (!strcmp(ruser, ".") ||
-+		    !strcmp(ruser, "..") ||
-+		    strchr(ruser, '/')) {
-+			ruser = NULL;
-+		}
- 	}
- 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- 		*ruserbuf = '\0';
--- 
-cgit v0.10.2
-
diff --git a/package/linux-pam/0009-fix-CVE-2013-7041.patch b/package/linux-pam/0009-fix-CVE-2013-7041.patch
deleted file mode 100644
index ed5880735..000000000
--- a/package/linux-pam/0009-fix-CVE-2013-7041.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Fri, 24 Jan 2014 22:18:32 +0000
-Subject: pam_userdb: fix password hash comparison
-
-Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
-passwords support in pam_userdb, hashes are compared case-insensitively.
-This bug leads to accepting hashes for completely different passwords in
-addition to those that should be accepted.
-
-Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
-modern password hashes with different lengths and settings, did not
-update the hash comparison accordingly, which leads to accepting
-computed hashes longer than stored hashes when the latter is a prefix
-of the former.
-
-* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
-hash whose length differs from the stored hash length.
-Compare computed and stored hashes case-sensitively.
-Fixes CVE-2013-7041.
-
-Bug-Debian: http://bugs.debian.org/731368
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
-index de8b5b1..ff040e6 100644
---- a/modules/pam_userdb/pam_userdb.c
-+++ b/modules/pam_userdb/pam_userdb.c
-@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
- 	  } else {
- 	    cryptpw = crypt (pass, data.dptr);
- 
--	    if (cryptpw) {
--	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
-+	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
-+	      compare = memcmp(data.dptr, cryptpw, data.dsize);
- 	    } else {
- 	      compare = -2;
- 	      if (ctrl & PAM_DEBUG_ARG) {
--		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
-+		if (cryptpw)
-+		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
-+		else
-+		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
- 	      }
- 	    };
- 
--- 
-cgit v0.10.2
-
diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash
index 3f420c2ba..a6a26d199 100644
--- a/package/linux-pam/linux-pam.hash
+++ b/package/linux-pam/linux-pam.hash
@@ -1,2 +1,2 @@
 # Locally computed hashes, not provided by upstream
-sha256	c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55	Linux-PAM-1.1.8.tar.bz2
+sha256	342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9	Linux-PAM-1.2.1.tar.bz2
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 26b627e7f..cf1b5b7b1 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LINUX_PAM_VERSION = 1.1.8
+LINUX_PAM_VERSION = 1.2.1
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES