From 6e9cb57186ee637eb51141e38ce4197a71fdb983 Mon Sep 17 00:00:00 2001
From: zhengxiaoxiao <zhengxiaoxiao2@huawei.com>
Date: Mon, 29 Apr 2024 16:57:46 +0800
Subject: [PATCH 1/2] add
 backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch

(cherry picked from commit 590275970969e58b4fc3690fcb4b1b0a06a3f33a)
---
 ...ilename-argument-to-pwhistory-helper.patch | 67 +++++++++++++++++++
 pam.spec                                      |  7 +-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch

diff --git a/backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch b/backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
new file mode 100644
index 0000000..cc34f50
--- /dev/null
+++ b/backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
@@ -0,0 +1,67 @@
+From 80dc2d410595b5193d32f965185710df27f3984e Mon Sep 17 00:00:00 2001
+From: Md Zain Hasib <hasibm@vmware.com>
+Date: Sat, 29 Jul 2023 11:01:35 +0530
+Subject: [PATCH] pam_pwhistory: fix passing NULL filename argument to
+ pwhistory helper
+
+This change fixes a bug when pwhistory_helper is invoked from
+pam_pwhistory with an NULL filename, pwhistory_helper receives a short
+circuited argc count of 3, ignoring the rest of the arguments passed
+due to filename being NULL. To resolve the issue, an empty string is
+passed in case the filename is empty, which is later changed back to
+NULL in pwhistory_helper so that it can be passed to opasswd to read
+the default opasswd file.
+
+* modules/pam_pwhistory/pam_pwhistory.c (run_save_helper,
+run_check_helper): Replace NULL filename argument with an empty string.
+* modules/pam_pwhistory/pwhistory_helper.c (main): Replace empty string
+filename argument with NULL.
+
+Fixes: 11c35109a67f ("pam_pwhistory: Enable alternate location for password history file (#396)")
+Signed-off-by: Dmitry V. Levin <ldv@strace.io>
+
+Reference: https://github.com/linux-pam/linux-pam/commit/80dc2d410595b5193d32f965185710df27f3984e
+Conflict: NA
+---
+ modules/pam_pwhistory/pam_pwhistory.c    | 4 ++--
+ modules/pam_pwhistory/pwhistory_helper.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
+index 5a7fb81..98ddffc 100644
+--- a/modules/pam_pwhistory/pam_pwhistory.c
++++ b/modules/pam_pwhistory/pam_pwhistory.c
+@@ -141,7 +141,7 @@ run_save_helper(pam_handle_t *pamh, const char *user,
+       args[0] = (char *)PWHISTORY_HELPER;
+       args[1] = (char *)"save";
+       args[2] = (char *)user;
+-      args[3] = (char *)filename;
++      args[3] = (char *)((filename != NULL) ? filename : "");
+       DIAG_POP_IGNORE_CAST_QUAL;
+       if (asprintf(&args[4], "%d", howmany) < 0 ||
+           asprintf(&args[5], "%d", debug) < 0)
+@@ -228,7 +228,7 @@ run_check_helper(pam_handle_t *pamh, const char *user,
+       args[0] = (char *)PWHISTORY_HELPER;
+       args[1] = (char *)"check";
+       args[2] = (char *)user;
+-      args[3] = (char *)filename;
++      args[3] = (char *)((filename != NULL) ? filename : "");
+       DIAG_POP_IGNORE_CAST_QUAL;
+       if (asprintf(&args[4], "%d", debug) < 0)
+         {
+diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
+index 469d95f..fb9a1e3 100644
+--- a/modules/pam_pwhistory/pwhistory_helper.c
++++ b/modules/pam_pwhistory/pwhistory_helper.c
+@@ -108,7 +108,7 @@ main(int argc, char *argv[])
+ 
+   option = argv[1];
+   user = argv[2];
+-  filename = argv[3];
++  filename = (argv[3][0] != '\0') ? argv[3] : NULL;
+ 
+   if (strcmp(option, "check") == 0 && argc == 5)
+     return check_history(user, filename, argv[4]);
+-- 
+2.43.0
+
diff --git a/pam.spec b/pam.spec
index 876aff5..570ee76 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,7 +4,7 @@
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
 Version: 1.5.3
-Release: 2
+Release: 3
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@@ -22,6 +22,8 @@ Provides: %{name}-sm3 = %{version}-%{release}
 
 Patch1: bugfix-pam-1.1.8-faillock-systemtime.patch
 Patch2: backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
+Patch3: backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
+
 Patch9000:change-ndbm-to-gdbm.patch
 Patch9001:add-sm3-crypt-support.patch
 
@@ -180,6 +182,9 @@ fi
 
 
 %changelog
+* Mon Apr 29 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 1.5.3-3
+- add backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
+
 * Wed Jan 24 2024 zhangruifang <zhangruifang1@h-partners.com> - 1.5.3-2
 - fix CVE-2024-22365
 
-- 
Gitee


From e0d37e841c899627351900d817a5a9c97f634488 Mon Sep 17 00:00:00 2001
From: dongyuzhen <dongyuzhen@h-partners.com>
Date: Thu, 9 May 2024 11:32:37 +0800
Subject: [PATCH 2/2] remove redundant /var/log/tallylog file

(cherry picked from commit 7d546d2861ef8ab39571816b73042744ae08fa27)
---
 pam.spec | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/pam.spec b/pam.spec
index 570ee76..8fcd1bf 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,7 +4,7 @@
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
 Version: 1.5.3
-Release: 3
+Release: 4
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@@ -94,7 +94,6 @@ install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
 install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
 install -d -m 755 $RPM_BUILD_ROOT/var/log
-install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
 install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
 
 for phase in auth acct passwd session ; do
@@ -113,9 +112,6 @@ make check
 
 %post
 /sbin/ldconfig
-if [ ! -e /var/log/tallylog ] ; then
-	/usr/bin/install -m 600 /dev/null /var/log/tallylog || :
-fi
 
 %postun -p /sbin/ldconfig
 
@@ -160,7 +156,6 @@ fi
 %config(noreplace) %{_secconfdir}/faillock.conf
 %config(noreplace) %{_secconfdir}/pwhistory.conf
 %dir /var/run/sepermit
-%ghost %verify(not md5 size mtime) /var/log/tallylog
 %dir /var/run/faillock
 %{_prefix}/lib/tmpfiles.d/pam.conf
 
@@ -182,6 +177,9 @@ fi
 
 
 %changelog
+* Thu May 9 2024 dongyuzhen <dongyuzhen@h-partners.com> - 1.5.3-4
+- remove redundant /var/log/tallylog file
+
 * Mon Apr 29 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 1.5.3-3
 - add backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
 
-- 
Gitee