From 34b64c6a5c45bcc595e00ffce1378cce8f8d4dfb Mon Sep 17 00:00:00 2001
From: nekral-guest
Date: Fri, 24 Jun 2011 21:44:27 +0000
Subject: [PATCH] - name the next release (which should be a 4.1.5) - reindent according to previous entry, and use the same bug closing style - document bugs closed by the latest upstream - refresh patch according to latest upstream - remove patch not needed with latest upstream - sort translations alphabetically - debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321 - debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661 - debian/securetty.linux: Add serial Console for MIPS Swarm. (http://lists.debian.org/debian-release/2011/02/msg00320.html)
---
debian/changelog | 71 +++++++++++++------
debian/control | 1 +
debian/patches/008_login_log_failure_in_FTMP | 2 +-
debian/patches/008_su_get_PAM_username | 46 ------------
debian/patches/300_CVE-2011-0721 | 57 ---------------
debian/patches/401_cppw_src.dpatch | 6 +-
debian/patches/429_login_FAILLOG_ENAB | 6 +-
debian/patches/463_login_delay_obeys_to_PAM | 14 ++--
debian/patches/501_commonio_group_shadow | 2 +-
debian/patches/505_useradd_recommend_adduser | 4 +-
debian/patches/506_relaxed_usernames | 4 +-
debian/patches/508_nologin_in_usr_sbin | 4 +-
.../patches/523_su_arguments_are_concatenated | 2 +-
...uments_are_no_more_concatenated_by_default | 14 ++--
debian/patches/542_useradd-O_option | 10 +--
debian/patches/series | 2 -
debian/securetty.linux | 7 ++
17 files changed, 92 insertions(+), 160 deletions(-)
delete mode 100644 debian/patches/008_su_get_PAM_username
delete mode 100644 debian/patches/300_CVE-2011-0721
diff --git a/debian/changelog b/debian/changelog
index d338d381..e5120b73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,26 +1,55 @@ -shadow (1:4.1.4.2+svnXXXX-1) unstable; urgency=low +shadow (1:4.1.5-1) unstable; urgency=low - * New upstream version - * Upstream fixes: - - Fix several typos in manpages. Thanks to Simon Brandmair - (Closes: #628776) - * Upstream translation updates from Debian BTS: - - Japanese (Closes: #620978) - - Kazakh (Closes: #620930) - - Danish (Closes: #621330) - - Swedish (Closes: #621126) - - Russian (Closes: #622106) - - Brazilian Portuguese (Closes: #622834) - - German (Closes: #622908) - - French (Closes: #623608) - - Portuguese (Closes: #623722) - - Catalan (Closes: #627526) - - Spanish (Closes: #630618) - * Upstream manpages translation updates from Debian BTS: - - French (Closes: #630250) - - German (Closes: #628777) + * The "Charolais" release. + * New upstream release: + - userdel: Check the existence of the user's mail spool before trying to + remove it. If it does not exist, a warning is issued, but no failure. + Closes: #617295 + - userdel: Do not remove a group with the same name as the user + (usergroup) if this group isn't the user's primary group. + Closes: #584868 + - su: Fix possible tty hijacking by drop the controlling terminal when + executing a command. Closes: #628843 + - su: Close the PAM session as root (fix issues with pam_mount and + pam_systemd). Closes: #580434 + - Fix several typos in manpages. Thanks to Simon Brandmair. 
+ Closes: #628776 + - Updated patches + + debian/patches/523_su_arguments_are_no_more_concatenated_by_default + + debian/patches/505_useradd_recommend_adduser + + debian/patches/463_login_delay_obeys_to_PAM + + debian/patches/008_login_log_failure_in_FTMP + + debian/patches/501_commonio_group_shadow + + debian/patches/429_login_FAILLOG_ENAB + + debian/patches/508_nologin_in_usr_sbin + + debian/patches/506_relaxed_usernames + + debian/patches/523_su_arguments_are_concatenated + + debian/patches/542_useradd-O_option + + debian/patches/401_cppw_src.dpatch + - debian/patches/008_su_get_PAM_username: Removed, feature supported + upstream. + - debian/patches/300_CVE-2011-0721: Removed, applied upstream. + - Upstream translation updates from Debian BTS: + + Brazilian Portuguese. Closes: #622834 + + Catalan. Closes: #627526 + + Danish. Closes: #621330 + + German. Closes: #622908 + + French. Closes: #623608 + + Japanese. Closes: #620978 + + Kazakh. Closes: #620930 + + Portuguese. Closes: #623722 + + Russian. Closes: #622106 + + Spanish (Closes: #630618) + + Swedish. Closes: #621126 + - Upstream manpages translation updates from Debian BTS: + + French. Closes: #630250 + + German. Closes: #628777 + * debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321 + * debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661 + * debian/securetty.linux: Add serial Console for MIPS Swarm. + (http://lists.debian.org/debian-release/2011/02/msg00320.html) - -- Nicolas FRANCOIS (Nekral) Sat, 04 Jun 2011 09:39:38 +0200 + -- Nicolas FRANCOIS (Nekral) Fri, 24 Jun 2011 23:43:56 +0200 shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high diff --git a/debian/control b/debian/control index f62a8d96..25b32580 100644 --- a/debian/control +++ b/debian/control 
@@ -13,6 +13,7 @@ Package: passwd Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-modules, debianutils (>= 2.15.2) Replaces: manpages-tr (<<1.0.5), manpages-zh (<<1.5.1-1) +Multi-Arch: foreign Description: change and administer password and group data This package includes passwd, chsh, chfn, and many other programs to maintain password and group data. diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP index ea46d233..c0706c85 100644 --- a/debian/patches/008_login_log_failure_in_FTMP +++ b/debian/patches/008_login_log_failure_in_FTMP @@ -6,7 +6,7 @@ Notes: --- a/src/login.c +++ b/src/login.c -@@ -832,6 +832,24 @@ +@@ -831,6 +831,24 @@ (void) puts (""); (void) puts (_("Login incorrect")); diff --git a/debian/patches/008_su_get_PAM_username b/debian/patches/008_su_get_PAM_username deleted file mode 100644 index ae128fc0..00000000 --- a/debian/patches/008_su_get_PAM_username +++ /dev/null 
@@ -1,46 +0,0 @@ -Goal: Retrieve the PAM username in case a module changed the PAM_USER - item. - -According to Linux-PAM_ADG: - * Note, modules can change the values of PAM_USER and PAM_RUSER during - any of the pam_*() library calls. For this reason, the application - should take care to use the pam_get_item() every time it wishes to - establish who the authenticated user is (or will currently be). - -PAM_USER description: - - The username of the entity under whose identity service will be given. That - is, following authentication, PAM_USER identifies the local entity that - gets to use the service. Note, this value can be mapped from something - (eg., "anonymous") to something else (eg. "guest119") by any module in the - PAM stack. As such an application should consult the value of PAM_USER - after each call to a PAM function. - -See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html - ---- a/src/su.c -+++ b/src/su.c -@@ -325,6 +325,8 @@ - char **envp = environ; - char *shellstr = NULL; - char *command = NULL; -+ char *tmp_name; -+ char **ptr_tmp_name = &tmp_name; - - #ifdef USE_PAM - char **envcp; -@@ -728,6 +730,14 @@ - su_failure (tty); - } - } -+ ret = pam_get_item(pamh, PAM_USER, (const void **) ptr_tmp_name); -+ if (ret != PAM_SUCCESS) { -+ SYSLOG((LOG_ERR, "pam_get_item: internal PAM error\n")); -+ fprintf(stderr, "%s: Internal PAM error retrieving username\n", Prog); -+ (void) pam_end(pamh, ret); -+ su_failure(tty); -+ } -+ strncpy(name, tmp_name, sizeof(name) - 1); - #else /* !USE_PAM */ - /* - * Set up a signal handler in case the user types QUIT. diff --git a/debian/patches/300_CVE-2011-0721 b/debian/patches/300_CVE-2011-0721 deleted file mode 100644 index eb9ad80a..00000000 --- a/debian/patches/300_CVE-2011-0721 +++ /dev/null 
@@ -1,57 +0,0 @@ -Goal: Input sanitization for chfn and chsh - -Fixes: CVE-2011-0721 - -Status wrt upstream: Already applied upstream (4.1.4.3) - ---- a/src/chfn.c -+++ b/src/chfn.c -@@ -551,14 +551,14 @@ - static void check_fields (void) - { - int err; -- err = valid_field (fullnm, ":,="); -+ err = valid_field (fullnm, ":,=\n"); - if (err > 0) { - fprintf (stderr, _("%s: name with non-ASCII characters: '%s'\n"), Prog, fullnm); - } else if (err < 0) { - fprintf (stderr, _("%s: invalid name: '%s'\n"), Prog, fullnm); - fail_exit (E_NOPERM); - } -- err = valid_field (roomno, ":,="); -+ err = valid_field (roomno, ":,=\n"); - if (err > 0) { - fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno); - } else if (err < 0) { -@@ -566,17 +566,17 @@ - Prog, roomno); - fail_exit (E_NOPERM); - } -- if (valid_field (workph, ":,=") != 0) { -+ if (valid_field (workph, ":,=\n") != 0) { - fprintf (stderr, _("%s: invalid work phone: '%s'\n"), - Prog, workph); - fail_exit (E_NOPERM); - } -- if (valid_field (homeph, ":,=") != 0) { -+ if (valid_field (homeph, ":,=\n") != 0) { - fprintf (stderr, _("%s: invalid home phone: '%s'\n"), - Prog, homeph); - fail_exit (E_NOPERM); - } -- err = valid_field (slop, ":"); -+ err = valid_field (slop, ":\n"); - if (err > 0) { - fprintf (stderr, _("%s: '%s' contains non-ASCII characters\n"), Prog, slop); - } else if (err < 0) { ---- a/src/chsh. -+++ b/src/chsh.c -@@ -528,7 +528,7 @@ - * users are restricted to using the shells in /etc/shells. - * The shell must be executable by the user. - */ -- if (valid_field (loginsh, ":,=") != 0) { -+ if (valid_field (loginsh, ":,=\n") != 0) { - fprintf (stderr, _("%s: Invalid entry: %s\n"), Prog, loginsh); - fail_exit (1); - } diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch index 8dab4587..2ec84b44 100755 --- a/debian/patches/401_cppw_src.dpatch +++ b/debian/patches/401_cppw_src.dpatch @@ -209,7 +209,7 @@ +} --- a/src/Makefile.am 
+++ b/src/Makefile.am -@@ -25,6 +25,7 @@ +@@ -26,6 +26,7 @@ sbin_PROGRAMS = nologin ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd usbin_PROGRAMS = \ @@ -217,7 +217,7 @@ chgpasswd \ chpasswd \ groupadd \ -@@ -75,6 +76,7 @@ +@@ -82,6 +83,7 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) @@ -227,7 +227,7 @@ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) --- a/po/POTFILES.in +++ b/po/POTFILES.in -@@ -79,6 +79,7 @@ +@@ -81,6 +81,7 @@ src/chgpasswd.c src/chpasswd.c src/chsh.c diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB index a6a1e34c..9b8978d9 100644 --- a/debian/patches/429_login_FAILLOG_ENAB +++ b/debian/patches/429_login_FAILLOG_ENAB @@ -20,7 +20,7 @@ Note: It could be removed if pam_tally could report the number of failures static void bad_time_notify (void); static void check_nologin (bool login_to_root); #else -@@ -792,6 +792,9 @@ +@@ -791,6 +791,9 @@ SYSLOG ((LOG_NOTICE, "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", failcount, fromhost, failent_user)); @@ -30,7 +30,7 @@ Note: It could be removed if pam_tally could report the number of failures fprintf(stderr, _("Maximum number of tries exceeded (%u)\n"), failcount); -@@ -809,6 +812,14 @@ +@@ -808,6 +811,14 @@ pam_strerror (pamh, retcode))); failed = true; } @@ -45,7 +45,7 @@ Note: It could be removed if pam_tally could report the number of failures if (!failed) { break; -@@ -832,6 +843,10 @@ +@@ -831,6 +842,10 @@ (void) puts (""); (void) puts (_("Login incorrect")); diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM index 4173aee4..5dee9027 100644 --- a/debian/patches/463_login_delay_obeys_to_PAM +++ b/debian/patches/463_login_delay_obeys_to_PAM 
@@ -15,9 +15,9 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs #endif - unsigned int delay; unsigned int retries; - bool failed; bool subroot = false; -@@ -546,6 +545,7 @@ + #ifndef USE_PAM +@@ -545,6 +544,7 @@ pid_t child; char *pam_user = NULL; #else @@ -25,7 +25,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs struct spwd *spwd = NULL; #endif /* -@@ -706,7 +706,6 @@ +@@ -705,7 +705,6 @@ } environ = newenvp; /* make new environment active */ @@ -33,7 +33,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs retries = getdef_unum ("LOGIN_RETRIES", RETRIES); #ifdef USE_PAM -@@ -722,8 +721,7 @@ +@@ -721,8 +720,7 @@ /* * hostname & tty are either set to NULL or their correct values, @@ -43,7 +43,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs * * PAM_RHOST and PAM_TTY are used for authentication, only use * information coming from login or from the caller (e.g. no utmp) -@@ -732,10 +730,6 @@ +@@ -731,10 +729,6 @@ PAM_FAIL_CHECK; retcode = pam_set_item (pamh, PAM_TTY, tty); PAM_FAIL_CHECK; @@ -54,8 +54,8 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs /* if fflg, then the user has already been authenticated */ if (!fflg) { unsigned int failcount = 0; -@@ -776,12 +770,6 @@ - failed = false; +@@ -775,12 +769,6 @@ + bool failed = false; failcount++; -#ifdef HAS_PAM_FAIL_DELAY diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow index 4c227dff..0aff3911 100644 --- a/debian/patches/501_commonio_group_shadow +++ b/debian/patches/501_commonio_group_shadow @@ -12,7 +12,7 @@ Fixes: #166793 #include "nscd.h" #ifdef WITH_SELINUX #include -@@ -868,13 +869,20 @@ +@@ -925,13 +926,20 @@ goto fail; } } else { diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/505_useradd_recommend_adduser index 0c3f247b..ad8ffa2e 100644 --- a/debian/patches/505_useradd_recommend_adduser +++ b/debian/patches/505_useradd_recommend_adduser 
@@ -6,7 +6,7 @@ Status wrt upstream: Debian specific patch. --- a/man/useradd.8.xml +++ b/man/useradd.8.xml -@@ -78,6 +78,12 @@ +@@ -81,6 +81,12 @@ DESCRIPTION @@ -21,7 +21,7 @@ Status wrt upstream: Debian specific patch. the values specified on the command line plus the default values from --- a/man/userdel.8.xml +++ b/man/userdel.8.xml -@@ -59,6 +59,12 @@ +@@ -61,6 +61,12 @@ DESCRIPTION diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames index d8ac342f..9bf64f8d 100755 --- a/debian/patches/506_relaxed_usernames +++ b/debian/patches/506_relaxed_usernames @@ -48,7 +48,7 @@ Details: } --- a/man/useradd.8.xml +++ b/man/useradd.8.xml -@@ -607,12 +607,19 @@ +@@ -615,12 +615,19 @@ @@ -71,7 +71,7 @@ Details: --- a/man/groupadd.8.xml +++ b/man/groupadd.8.xml -@@ -223,12 +223,17 @@ +@@ -222,12 +222,17 @@ CAVEATS diff --git a/debian/patches/508_nologin_in_usr_sbin b/debian/patches/508_nologin_in_usr_sbin index f1247b9f..026e2db4 100644 --- a/debian/patches/508_nologin_in_usr_sbin +++ b/debian/patches/508_nologin_in_usr_sbin @@ -1,6 +1,6 @@ --- a/src/Makefile.am +++ b/src/Makefile.am -@@ -22,7 +22,6 @@ +@@ -23,7 +23,6 @@ # $prefix/bin and $prefix/sbin, no install-data hacks...) bin_PROGRAMS = groups login su @@ -8,7 +8,7 @@ ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd usbin_PROGRAMS = \ cppw \ -@@ -37,6 +36,7 @@ +@@ -38,6 +37,7 @@ grpunconv \ logoutd \ newusers \ diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated index 397fe498..a44f20b4 100644 --- a/debian/patches/523_su_arguments_are_concatenated +++ b/debian/patches/523_su_arguments_are_concatenated @@ -10,7 +10,7 @@ Note: the fix of the man page is still missing. --- a/src/su.c +++ b/src/su.c -@@ -953,6 +953,35 @@ +@@ -1137,6 +1137,35 @@ argv[0] = "-c"; argv[1] = command; } 
diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default index 708528ae..9fe19f9e 100644 --- a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default +++ b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default @@ -10,9 +10,9 @@ Status wrt upstream: This patch is Debian specific. --- a/src/su.c +++ b/src/su.c -@@ -86,6 +86,19 @@ +@@ -104,6 +104,19 @@ /* If nonzero, change some environment vars to indicate the user su'd to. */ - static bool change_environment; + static bool change_environment = true; +/* + * If nonzero, keep the old Debian behavior: @@ -29,17 +29,17 @@ Status wrt upstream: This patch is Debian specific. + #ifdef USE_PAM static pam_handle_t *pamh = NULL; - static bool caught = false; -@@ -344,6 +357,8 @@ - #endif - #endif /* !USE_PAM */ + static int caught = 0; +@@ -937,6 +950,8 @@ + int ret; + #endif /* USE_PAM */ + old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL); + (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); -@@ -957,7 +972,7 @@ +@@ -1141,7 +1156,7 @@ * resulting string is always given to the shell with its * -c option. */ diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option index 9a2bb13c..2166296f 100644 --- a/debian/patches/542_useradd-O_option +++ b/debian/patches/542_useradd-O_option @@ -7,9 +7,9 @@ Status wrt upstream: not included as this is just specific --- a/man/useradd.8.xml +++ b/man/useradd.8.xml -@@ -300,6 +300,11 @@ - UID_MIN=10,UID_MAX=499 - doesn't work yet. +@@ -318,6 +318,11 @@ + databases are resetted to avoid reusing the entry from a previously + deleted user. + + For the compatibility with previous Debian's @@ -21,7 +21,7 @@ Status wrt upstream: not included as this is just specific --- a/src/useradd.c 
+++ b/src/useradd.c -@@ -996,9 +996,9 @@ +@@ -1000,9 +1000,9 @@ }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX @@ -33,7 +33,7 @@ Status wrt upstream: not included as this is just specific #endif long_options, NULL)) != -1) { switch (c) { -@@ -1120,6 +1120,7 @@ +@@ -1124,6 +1124,7 @@ kflg = true; break; case 'K': diff --git a/debian/patches/series b/debian/patches/series index 8671b523..99921ff4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,7 +3,6 @@ #901_testsuite_gcov 503_shadowconfig.8 -008_su_get_PAM_username 428_grpck_add_prune_option 008_login_log_failure_in_FTMP 429_login_FAILLOG_ENAB @@ -18,4 +17,3 @@ 523_su_arguments_are_no_more_concatenated_by_default 508_nologin_in_usr_sbin 505_useradd_recommend_adduser -300_CVE-2011-0721 diff --git a/debian/securetty.linux b/debian/securetty.linux index 3d6971cc..92e13e5d 100644 --- a/debian/securetty.linux +++ b/debian/securetty.linux @@ -355,6 +355,10 @@ ttyY1 hvc0 hvc1 #... +#IBM pSeries console ports +hvsi0 +hvsi1 +hvsi2 # Equinox SST multi-port serial boards ttyEQ0 @@ -381,3 +385,6 @@ ttyama1 ttyama2 ttyama3 +# Serial Console for MIPS Swarm +duart0 +duart1
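Review bot: The five entries added to debian/securetty.linux (`hvsi0`–`hvsi2` in the first hunk, `duart0`/`duart1` in the second) widen the set of terminals on which root logins are accepted. As far as the diff shows the file is not architecture-specific, so they would apply on every Linux install rather than only on pSeries and MIPS Swarm hardware. That matches how the neighbouring entries are handled, but the comments would serve a later audit of the list better if they named the driver or platform that provides each device. The first comment is also written `#IBM pSeries console ports`, without the space used by `# Equinox SST multi-port serial boards` and `# Serial Console for MIPS Swarm`; I would write `# IBM pSeries console ports`.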