- name the next release (which should be a 4.1.5)

- reindent according to previous entry, and use the same bug closing
   style
 - document bugs closed by the latest upstream
 - refresh patch according to latest upstream
 - remove patch not needed with latest upstream
 - sort translations alphabetically
 - debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321
 - debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661
 - debian/securetty.linux: Add serial Console for MIPS Swarm.
   (http://lists.debian.org/debian-release/2011/02/msg00320.html)

debian/changelog

@@ -1,26 +1,55 @@
-shadow (1:4.1.4.2+svnXXXX-1) unstable; urgency=low
+shadow (1:4.1.5-1) unstable; urgency=low
 
-  * New upstream version
-  * Upstream fixes:
-    - Fix several typos in manpages. Thanks to Simon Brandmair
-      (Closes: #628776)
-  * Upstream translation updates from Debian BTS:
-    - Japanese (Closes: #620978)
-    - Kazakh (Closes: #620930)
-    - Danish (Closes: #621330)
-    - Swedish (Closes: #621126)
-    - Russian (Closes: #622106)
-    - Brazilian Portuguese (Closes: #622834)
-    - German (Closes: #622908)
-    - French (Closes: #623608)
-    - Portuguese (Closes: #623722)
-    - Catalan (Closes: #627526)
-    - Spanish (Closes: #630618)
-  * Upstream manpages translation updates from Debian BTS:
-    - French (Closes: #630250)
-    - German (Closes: #628777)
+  * The "Charolais" release.
+  * New upstream release:
+    - userdel: Check the existence of the user's mail spool before trying to
+      remove it. If it does not exist, a warning is issued, but no failure.
+      Closes: #617295
+    - userdel: Do not remove a group with the same name as the user
+      (usergroup) if this group isn't the user's primary group.
+      Closes: #584868
+    - su: Fix possible tty hijacking by drop the controlling terminal when
+      executing a command. Closes: #628843
+    - su: Close the PAM session as root (fix issues with pam_mount and
+      pam_systemd). Closes: #580434
+    - Fix several typos in manpages. Thanks to Simon Brandmair.
+      Closes: #628776
+    - Updated patches
+      + debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+      + debian/patches/505_useradd_recommend_adduser
+      + debian/patches/463_login_delay_obeys_to_PAM
+      + debian/patches/008_login_log_failure_in_FTMP
+      + debian/patches/501_commonio_group_shadow
+      + debian/patches/429_login_FAILLOG_ENAB
+      + debian/patches/508_nologin_in_usr_sbin
+      + debian/patches/506_relaxed_usernames
+      + debian/patches/523_su_arguments_are_concatenated
+      + debian/patches/542_useradd-O_option
+      + debian/patches/401_cppw_src.dpatch
+    - debian/patches/008_su_get_PAM_username: Removed, feature supported
+      upstream.
+    - debian/patches/300_CVE-2011-0721: Removed, applied upstream.
+    - Upstream translation updates from Debian BTS:
+      + Brazilian Portuguese. Closes: #622834
+      + Catalan. Closes: #627526
+      + Danish. Closes: #621330
+      + German. Closes: #622908
+      + French. Closes: #623608
+      + Japanese. Closes: #620978
+      + Kazakh. Closes: #620930
+      + Portuguese. Closes: #623722
+      + Russian. Closes: #622106
+      + Spanish (Closes: #630618)
+      + Swedish. Closes: #621126
+    - Upstream manpages translation updates from Debian BTS:
+      + French. Closes: #630250
+      + German. Closes: #628777
+  * debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321
+  * debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661
+  * debian/securetty.linux: Add serial Console for MIPS Swarm.
+    (http://lists.debian.org/debian-release/2011/02/msg00320.html)
 
- -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>  Sat, 04 Jun 2011 09:39:38 +0200
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>  Fri, 24 Jun 2011 23:43:56 +0200
 
 shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
 

debian/control

@@ -13,6 +13,7 @@ Package: passwd
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-modules, debianutils (>= 2.15.2)
 Replaces: manpages-tr (<<1.0.5), manpages-zh (<<1.5.1-1)
+Multi-Arch: foreign
 Description: change and administer password and group data
  This package includes passwd, chsh, chfn, and many other programs to
  maintain password and group data.

debian/patches/008_login_log_failure_in_FTMP

@@ -6,7 +6,7 @@ Notes:
 
 --- a/src/login.c
 +++ b/src/login.c
-@@ -832,6 +832,24 @@
+@@ -831,6 +831,24 @@
  			(void) puts ("");
  			(void) puts (_("Login incorrect"));
  

debian/patches/008_su_get_PAM_username

@@ -1,46 +0,0 @@
-Goal: Retrieve the PAM username in case a module changed the PAM_USER
-      item.
-
-According to Linux-PAM_ADG:
- * Note, modules can change the values of PAM_USER and PAM_RUSER during
-   any of the pam_*() library calls. For this reason, the application
-   should take care to use the pam_get_item() every time it wishes to
-   establish who the authenticated user is (or will currently be).
-
-PAM_USER description:
-
-    The username of the entity under whose identity service will be given. That
-    is, following authentication, PAM_USER identifies the local entity that
-    gets to use the service. Note, this value can be mapped from something
-    (eg., "anonymous") to something else (eg. "guest119") by any module in the
-    PAM stack. As such an application should consult the value of PAM_USER
-    after each call to a PAM function.
-
-See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -325,6 +325,8 @@
- 	char **envp = environ;
- 	char *shellstr = NULL;
- 	char *command = NULL;
-+	char *tmp_name;
-+	char **ptr_tmp_name = &tmp_name;
- 
- #ifdef USE_PAM
- 	char **envcp;
-@@ -728,6 +730,14 @@
- 			su_failure (tty);
- 		}
- 	}
-+	ret = pam_get_item(pamh, PAM_USER, (const void **) ptr_tmp_name);
-+	if (ret != PAM_SUCCESS) {
-+		SYSLOG((LOG_ERR, "pam_get_item: internal PAM error\n"));
-+		fprintf(stderr, "%s: Internal PAM error retrieving username\n", Prog);
-+		(void) pam_end(pamh, ret);
-+		su_failure(tty);
-+	}
-+	strncpy(name, tmp_name, sizeof(name) - 1);
- #else				/* !USE_PAM */
- 	/*
- 	 * Set up a signal handler in case the user types QUIT.

debian/patches/300_CVE-2011-0721

@@ -1,57 +0,0 @@
-Goal: Input sanitization for chfn and chsh
-
-Fixes: CVE-2011-0721
-
-Status wrt upstream: Already applied upstream (4.1.4.3)
-
---- a/src/chfn.c
-+++ b/src/chfn.c
-@@ -551,14 +551,14 @@
- static void check_fields (void)
- {
- 	int err;
--	err = valid_field (fullnm, ":,=");
-+	err = valid_field (fullnm, ":,=\n");
- 	if (err > 0) {
- 		fprintf (stderr, _("%s: name with non-ASCII characters: '%s'\n"), Prog, fullnm);
- 	} else if (err < 0) {
- 		fprintf (stderr, _("%s: invalid name: '%s'\n"), Prog, fullnm);
- 		fail_exit (E_NOPERM);
- 	}
--	err = valid_field (roomno, ":,=");
-+	err = valid_field (roomno, ":,=\n");
- 	if (err > 0) {
- 		fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno);
- 	} else if (err < 0) {
-@@ -566,17 +566,17 @@
- 		         Prog, roomno);
- 		fail_exit (E_NOPERM);
- 	}
--	if (valid_field (workph, ":,=") != 0) {
-+	if (valid_field (workph, ":,=\n") != 0) {
- 		fprintf (stderr, _("%s: invalid work phone: '%s'\n"),
- 		         Prog, workph);
- 		fail_exit (E_NOPERM);
- 	}
--	if (valid_field (homeph, ":,=") != 0) {
-+	if (valid_field (homeph, ":,=\n") != 0) {
- 		fprintf (stderr, _("%s: invalid home phone: '%s'\n"),
- 		         Prog, homeph);
- 		fail_exit (E_NOPERM);
- 	}
--	err = valid_field (slop, ":");
-+	err = valid_field (slop, ":\n");
- 	if (err > 0) {
- 		fprintf (stderr, _("%s: '%s' contains non-ASCII characters\n"), Prog, slop);
- 	} else if (err < 0) {
---- a/src/chsh.
-+++ b/src/chsh.c
-@@ -528,7 +528,7 @@
- 	 * users are restricted to using the shells in /etc/shells.
- 	 * The shell must be executable by the user.
- 	 */
--	if (valid_field (loginsh, ":,=") != 0) {
-+	if (valid_field (loginsh, ":,=\n") != 0) {
- 		fprintf (stderr, _("%s: Invalid entry: %s\n"), Prog, loginsh);
- 		fail_exit (1);
- 	}

debian/patches/401_cppw_src.dpatch

@@ -209,7 +209,7 @@
 +}
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
-@@ -25,6 +25,7 @@
+@@ -26,6 +26,7 @@
  sbin_PROGRAMS  = nologin
  ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
  usbin_PROGRAMS = \
@@ -217,7 +217,7 @@
  	chgpasswd \
  	chpasswd \
  	groupadd \
-@@ -75,6 +76,7 @@
+@@ -82,6 +83,7 @@
  chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
  chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
  chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
@@ -227,7 +227,7 @@
  groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 --- a/po/POTFILES.in
 +++ b/po/POTFILES.in
-@@ -79,6 +79,7 @@
+@@ -81,6 +81,7 @@
  src/chgpasswd.c
  src/chpasswd.c
  src/chsh.c

debian/patches/429_login_FAILLOG_ENAB

@@ -20,7 +20,7 @@ Note: It could be removed if pam_tally could report the number of failures
  static void bad_time_notify (void);
  static void check_nologin (bool login_to_root);
  #else
-@@ -792,6 +792,9 @@
+@@ -791,6 +791,9 @@
  				SYSLOG ((LOG_NOTICE,
  				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
  				         failcount, fromhost, failent_user));
@@ -30,7 +30,7 @@ Note: It could be removed if pam_tally could report the number of failures
  				fprintf(stderr,
  				        _("Maximum number of tries exceeded (%u)\n"),
  				        failcount);
-@@ -809,6 +812,14 @@
+@@ -808,6 +811,14 @@
  				         pam_strerror (pamh, retcode)));
  				failed = true;
  			}
@@ -45,7 +45,7 @@ Note: It could be removed if pam_tally could report the number of failures
  
  			if (!failed) {
  				break;
-@@ -832,6 +843,10 @@
+@@ -831,6 +842,10 @@
  			(void) puts ("");
  			(void) puts (_("Login incorrect"));
  

debian/patches/463_login_delay_obeys_to_PAM

@@ -15,9 +15,9 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  #endif
 -	unsigned int delay;
  	unsigned int retries;
- 	bool failed;
  	bool subroot = false;
-@@ -546,6 +545,7 @@
+ #ifndef USE_PAM
+@@ -545,6 +544,7 @@
  	pid_t child;
  	char *pam_user = NULL;
  #else
@@ -25,7 +25,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	struct spwd *spwd = NULL;
  #endif
  	/*
-@@ -706,7 +706,6 @@
+@@ -705,7 +705,6 @@
  	}
  
  	environ = newenvp;	/* make new environment active */
@@ -33,7 +33,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
  
  #ifdef USE_PAM
-@@ -722,8 +721,7 @@
+@@ -721,8 +720,7 @@
  
  	/*
  	 * hostname & tty are either set to NULL or their correct values,
@@ -43,7 +43,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	 *
  	 * PAM_RHOST and PAM_TTY are used for authentication, only use
  	 * information coming from login or from the caller (e.g. no utmp)
-@@ -732,10 +730,6 @@
+@@ -731,10 +729,6 @@
  	PAM_FAIL_CHECK;
  	retcode = pam_set_item (pamh, PAM_TTY, tty);
  	PAM_FAIL_CHECK;
@@ -54,8 +54,8 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	/* if fflg, then the user has already been authenticated */
  	if (!fflg) {
  		unsigned int failcount = 0;
-@@ -776,12 +770,6 @@
- 			failed = false;
+@@ -775,12 +769,6 @@
+ 			bool failed = false;
  
  			failcount++;
 -#ifdef HAS_PAM_FAIL_DELAY

debian/patches/501_commonio_group_shadow

@@ -12,7 +12,7 @@ Fixes: #166793
  #include "nscd.h"
  #ifdef WITH_SELINUX
  #include <selinux/selinux.h>
-@@ -868,13 +869,20 @@
+@@ -925,13 +926,20 @@
  			goto fail;
  		}
  	} else {

debian/patches/505_useradd_recommend_adduser

@@ -6,7 +6,7 @@ Status wrt upstream: Debian specific patch.
 
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -78,6 +78,12 @@
+@@ -81,6 +81,12 @@
    <refsect1 id='description'>
      <title>DESCRIPTION</title>
        <para>
@@ -21,7 +21,7 @@ Status wrt upstream: Debian specific patch.
  	the values specified on the command line plus the default values from
 --- a/man/userdel.8.xml
 +++ b/man/userdel.8.xml
-@@ -59,6 +59,12 @@
+@@ -61,6 +61,12 @@
    <refsect1 id='description'>
      <title>DESCRIPTION</title>
      <para>

debian/patches/506_relaxed_usernames

@@ -48,7 +48,7 @@ Details:
  }
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -607,12 +607,19 @@
+@@ -615,12 +615,19 @@
      </para>
  
      <para>
@@ -71,7 +71,7 @@ Details:
    </refsect1>
 --- a/man/groupadd.8.xml
 +++ b/man/groupadd.8.xml
-@@ -223,12 +223,17 @@
+@@ -222,12 +222,17 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>

debian/patches/508_nologin_in_usr_sbin

@@ -1,6 +1,6 @@
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
-@@ -22,7 +22,6 @@
+@@ -23,7 +23,6 @@
  # $prefix/bin and $prefix/sbin, no install-data hacks...)
  
  bin_PROGRAMS   = groups login su
@@ -8,7 +8,7 @@
  ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
  usbin_PROGRAMS = \
  	cppw \
-@@ -37,6 +36,7 @@
+@@ -38,6 +37,7 @@
  	grpunconv \
  	logoutd \
  	newusers \

debian/patches/523_su_arguments_are_concatenated

@@ -10,7 +10,7 @@ Note: the fix of the man page is still missing.
 
 --- a/src/su.c
 +++ b/src/su.c
-@@ -953,6 +953,35 @@
+@@ -1137,6 +1137,35 @@
  			argv[0] = "-c";
  			argv[1] = command;
  		}

debian/patches/523_su_arguments_are_no_more_concatenated_by_default

@@ -10,9 +10,9 @@ Status wrt upstream: This patch is Debian specific.
 
 --- a/src/su.c
 +++ b/src/su.c
-@@ -86,6 +86,19 @@
+@@ -104,6 +104,19 @@
  /* If nonzero, change some environment vars to indicate the user su'd to. */
- static bool change_environment;
+ static bool change_environment = true;
  
 +/*
 + * If nonzero, keep the old Debian behavior:
@@ -29,17 +29,17 @@ Status wrt upstream: This patch is Debian specific.
 +
  #ifdef USE_PAM
  static pam_handle_t *pamh = NULL;
- static bool caught = false;
-@@ -344,6 +357,8 @@
- #endif
- #endif				/* !USE_PAM */
+ static int caught = 0;
+@@ -937,6 +950,8 @@
+ 	int ret;
+ #endif				/* USE_PAM */
  
 +	old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL);
 +
  	(void) setlocale (LC_ALL, "");
  	(void) bindtextdomain (PACKAGE, LOCALEDIR);
  	(void) textdomain (PACKAGE);
-@@ -957,7 +972,7 @@
+@@ -1141,7 +1156,7 @@
  		 * resulting string is always given to the shell with its
  		 * -c option.
  		 */

debian/patches/542_useradd-O_option

@@ -7,9 +7,9 @@ Status wrt upstream: not included as this is just specific
 
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -300,6 +300,11 @@
- 	    <replaceable>UID_MIN</replaceable>=<replaceable>10</replaceable>,<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
- 	    doesn't work yet.
+@@ -318,6 +318,11 @@
+ 	    databases are resetted to avoid reusing the entry from a previously
+ 	    deleted user.
  	  </para>
 +          <para>
 +            For the compatibility with previous Debian's
@@ -21,7 +21,7 @@ Status wrt upstream: not included as this is just specific
        <varlistentry>
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -996,9 +996,9 @@
+@@ -1000,9 +1000,9 @@
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -33,7 +33,7 @@ Status wrt upstream: not included as this is just specific
  #endif
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1120,6 +1120,7 @@
+@@ -1124,6 +1124,7 @@
  				kflg = true;
  				break;
  			case 'K':

debian/patches/series

@@ -3,7 +3,6 @@
 #901_testsuite_gcov
 
 503_shadowconfig.8
-008_su_get_PAM_username
 428_grpck_add_prune_option
 008_login_log_failure_in_FTMP
 429_login_FAILLOG_ENAB
@@ -18,4 +17,3 @@
 523_su_arguments_are_no_more_concatenated_by_default
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
-300_CVE-2011-0721

debian/securetty.linux

@@ -355,6 +355,10 @@ ttyY1
 hvc0
 hvc1
 #...
+#IBM pSeries console ports
+hvsi0
+hvsi1
+hvsi2
 
 # Equinox SST multi-port serial boards
 ttyEQ0
@@ -381,3 +385,6 @@ ttyama1
 ttyama2
 ttyama3
 
+# Serial Console for MIPS Swarm
+duart0
+duart1