diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz
deleted file mode 100644
index 30c2aff12635721146cdb96e319b70266b6e10ad..0000000000000000000000000000000000000000
Binary files a/Linux-PAM-1.5.3.tar.xz and /dev/null differ
diff --git a/Linux-PAM-1.7.0-fix-xtests-name.patch b/Linux-PAM-1.7.0-fix-xtests-name.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3cb2b189063fd85a427bd0b275bf59eecaf4bf24
--- /dev/null
+++ b/Linux-PAM-1.7.0-fix-xtests-name.patch
@@ -0,0 +1,11 @@
+--- a/xtests/meson.build 2024-11-25 13:23:24.365535019 +0800
++++ b/xtests/meson.build 2024-11-25 13:23:35.891646844 +0800
+@@ -40,7 +40,7 @@
+ args: [
+ files('run-xtests.sh'),
+ meson.current_source_dir(),
+- fs.name(tst_exe),
++ fs.name(tst_exe.name()),
+ ],
+ env: ['MESON_BUILD_SUBDIR=' + meson.current_build_dir()],
+ is_parallel: false,
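Review bot: The new patch file has no header explaining why `fs.name(tst_exe)` must become `fs.name(tst_exe.name())`, so a future rebase cannot tell whether it is a local workaround or an upstream fix; the other patches in this repository open with a From/Subject block and the backports carry a `Reference:` trailer. Presumably the installed meson rejects a build target as the argument of `fs.name()` and only accepts a string, but that is not stated anywhere. Suggest adding, above the `--- a/xtests/meson.build` line, `Subject: [PATCH] xtests: pass the test program name to run-xtests.sh as a string` plus one sentence naming the meson version that fails on the original line and an upstream issue or commit reference if one exists.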
diff --git a/Linux-PAM-1.7.0.tar.xz b/Linux-PAM-1.7.0.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..324d16ff6f37fe4c8b18246fadd3282dd5f1831f
Binary files /dev/null and b/Linux-PAM-1.7.0.tar.xz differ
diff --git a/add-sm3-crypt-support.patch b/add-sm3-crypt-support.patch
index eef922f806636ad43ab3b6b7493eb5f63b5f800b..3d61bdd1fca1022ca23fcf7c432fab7ef5994117 100644
--- a/add-sm3-crypt-support.patch
+++ b/add-sm3-crypt-support.patch
@@ -4,44 +4,21 @@ Date: Fri, 14 Jan 2022 11:46:20 +0800
Subject: [PATCH] add sm3 crypt support
---
- modules/pam_unix/pam_unix.8 | 9 +-
modules/pam_unix/pam_unix.8.xml | 16 +++-
modules/pam_unix/passverify.c | 5 +-
modules/pam_unix/support.c | 4 +-
modules/pam_unix/support.h | 6 +-
- xtests/Makefile.am | 6 +-
+ xtests/meson.build | 1 +
xtests/tst-pam_unix5.c | 151 ++++++++++++++++++++++++++++++++
xtests/tst-pam_unix5.pamd | 5 ++
xtests/tst-pam_unix5.sh | 41 +++++++++
- 9 files changed, 233 insertions(+), 10 deletions(-)
+ 8 files changed, 223 insertions(+), 6 deletions(-)
create mode 100644 xtests/tst-pam_unix5.c
create mode 100644 xtests/tst-pam_unix5.pamd
create mode 100644 xtests/tst-pam_unix5.sh
-diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
-index 438717f..6f31c10 100644
---- a/modules/pam_unix/pam_unix.8
-+++ b/modules/pam_unix/pam_unix.8
-@@ -201,9 +201,16 @@ When a user changes their password next, encrypt it with the yescrypt algorithm\
- function\&.
- .RE
- .PP
-+sm3
-+.RS 4
-+When a user changes their password next, encrypt it with the SM3 algorithm\&. The SM3 algorithm must be supported by the
-+\fBcrypt\fR(3)
-+function\&.
-+.RE
-+.PP
- rounds=n
- .RS 4
--Set the optional number of rounds of the SHA256, SHA512, blowfish, gost\-yescrypt, and yescrypt password hashing algorithms to
-+Set the optional number of rounds of the SHA256, SHA512, blowfish, gost\-yescrypt, yescrypt and SM3 password hashing algorithms to
- \fIn\fR\&.
- .RE
- .PP
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index dfc0427..7d61869 100644
+index d2cd198..416e144 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -366,6 +366,20 @@
@@ -75,10 +52,10 @@ index dfc0427..7d61869 100644
n.
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 81b10d8..1aee153 100644
+index e8d0b91..846550d 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
-@@ -445,6 +445,8 @@ PAMH_ARG_DECL(char * create_password_hash,
+@@ -475,6 +475,8 @@ PAMH_ARG_DECL(char * create_password_hash,
algoid = "$5$";
} else if (on(UNIX_SHA512_PASS, ctrl)) {
algoid = "$6$";
@@ -87,7 +64,7 @@ index 81b10d8..1aee153 100644
} else { /* must be crypt/bigcrypt */
char tmppass[9];
char *hashed;
-@@ -492,7 +494,8 @@ PAMH_ARG_DECL(char * create_password_hash,
+@@ -521,7 +523,8 @@ PAMH_ARG_DECL(char * create_password_hash,
on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
@@ -98,29 +75,29 @@ index 81b10d8..1aee153 100644
pam_overwrite_string(sp);
}
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index 043273d..4052868 100644
+index dfdc9fc..0e10575 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
-@@ -99,7 +99,7 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
- free (val);
-
- /* read number of rounds for crypt algo */
-- if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
-+ if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl) || on(UNIX_SM3_PASS, ctrl))) {
- val = pam_modutil_search_key(pamh, LOGIN_DEFS, "SHA_CRYPT_MAX_ROUNDS");
-
- if (val) {
-@@ -194,7 +194,7 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
- } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- if (*rounds < 4 || *rounds > 31)
- *rounds = 5;
+@@ -191,7 +191,7 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
+ const char *key = NULL;
+ if (on(UNIX_YESCRYPT_PASS, ctrl))
+ key = "YESCRYPT_COST_FACTOR";
+- else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))
++ else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl) || on(UNIX_SM3_PASS, ctrl))
+ key = "SHA_CRYPT_MAX_ROUNDS";
+ else
+ key = NULL;
+@@ -232,7 +232,7 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
+ *rounds = 4;
+ else if (*rounds > 31)
+ *rounds = 31;
- } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl) || on(UNIX_SM3_PASS, ctrl)) {
if ((*rounds < 1000) || (*rounds == INT_MAX)) {
/* don't care about bogus values */
*rounds = 0;
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index 8105400..b5712b5 100644
+index e8f629d..23d77c3 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -101,10 +101,11 @@ typedef struct {
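Review bot: The rebased hunk folds SM3 into the sha-crypt rounds policy of `_set_ctrl` — the `SHA_CRYPT_MAX_ROUNDS` login.defs lookup and the `(*rounds < 1000) || (*rounds == INT_MAX)` clamp — but nothing records that sm3crypt in libxcrypt-sm3 is expected to accept the same rounds range, which is the cost parameter of the stored hash. If that assumption ever diverges, an admin-chosen value would be accepted here and presumably only fail later inside crypt(). A one-line comment at the `else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl) || on(UNIX_SM3_PASS, ctrl))` line, `/* SM3 crypt is treated like sha-crypt: same rounds key and same >= 1000 range -- keep in sync with libxcrypt-sm3 */`, would make the dependency explicit. `_set_ctrl` starts and ends outside the hunk.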
@@ -145,31 +122,18 @@ index 8105400..b5712b5 100644
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-diff --git a/xtests/Makefile.am b/xtests/Makefile.am
-index acf9746..33693de 100644
---- a/xtests/Makefile.am
-+++ b/xtests/Makefile.am
-@@ -14,9 +14,9 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
- tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
- tst-pam_dispatch5.pamd \
- tst-pam_unix1.pamd tst-pam_unix2.pamd tst-pam_unix3.pamd \
-- tst-pam_unix4.pamd \
-+ tst-pam_unix4.pamd tst-pam_unix5.pamd \
- tst-pam_unix1.sh tst-pam_unix2.sh tst-pam_unix3.sh \
-- tst-pam_unix4.sh \
-+ tst-pam_unix4.sh tst-pam_unix5.sh \
- access.conf tst-pam_access1.pamd tst-pam_access1.sh \
- tst-pam_access2.pamd tst-pam_access2.sh \
- tst-pam_access3.pamd tst-pam_access3.sh \
-@@ -40,7 +40,7 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
+diff --git a/xtests/meson.build b/xtests/meson.build
+index 96b2612..3d98288 100644
+--- a/xtests/meson.build
++++ b/xtests/meson.build
+@@ -21,6 +21,7 @@ xtest_progs = [
+ 'tst-pam_unix2',
+ 'tst-pam_unix3',
+ 'tst-pam_unix4',
++ 'tst-pam_unix5',
+ ]
- XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
- tst-pam_dispatch4 tst-pam_dispatch5 \
-- tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 \
-+ tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 tst-pam_unix5 \
- tst-pam_access1 tst-pam_access2 tst-pam_access3 \
- tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
- tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
+ foreach prog: xtest_progs
diff --git a/xtests/tst-pam_unix5.c b/xtests/tst-pam_unix5.c
new file mode 100644
index 0000000..6e6e378
@@ -386,5 +350,5 @@ index 0000000..a6be19b
+/usr/sbin/userdel -r tstpamunix 2> /dev/null
+exit $RET
--
-2.33.0
+2.43.5
diff --git a/backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch b/backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch
deleted file mode 100644
index 34142923b8e32d634e5da8983b6fd3bc24d5ee8d..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann
-Date: Wed, 24 Jan 2024 18:57:42 +0100
-Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
-
-The geteuid check does not cover all cases. If a program runs with
-elevated capabilities like CAP_SETUID then we can still check
-credentials of other users.
-
-Keep logging for future analysis though.
-
-Resolves: https://github.com/linux-pam/linux-pam/issues/747
-Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
-
-Signed-off-by: Tobias Stoeckmann
-
-Conflict:NA
-Reference:https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620
----
- modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
- modules/pam_unix/support.c | 14 +++++++-------
- 2 files changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
-index 8f5ed3e..7ffcb9e 100644
---- a/modules/pam_unix/pam_unix_acct.c
-+++ b/modules/pam_unix/pam_unix_acct.c
-@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
- _exit(PAM_AUTHINFO_UNAVAIL);
- }
-
-- if (geteuid() == 0) {
-- /* must set the real uid to 0 so the helper will not error
-- out if pam is called from setuid binary (su, sudo...) */
-- if (setuid(0) == -1) {
-- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
-- printf("-1\n");
-- fflush(stdout);
-- _exit(PAM_AUTHINFO_UNAVAIL);
-+ /* must set the real uid to 0 so the helper will not error
-+ out if pam is called from setuid binary (su, sudo...) */
-+ if (setuid(0) == -1) {
-+ uid_t euid = geteuid();
-+ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
-+ if (euid == 0) {
-+ printf("-1\n");
-+ fflush(stdout);
-+ _exit(PAM_AUTHINFO_UNAVAIL);
- }
- }
-
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index 4052868..ff46155 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -513,13 +513,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- _exit(PAM_AUTHINFO_UNAVAIL);
- }
-
-- if (geteuid() == 0) {
-- /* must set the real uid to 0 so the helper will not error
-- out if pam is called from setuid binary (su, sudo...) */
-- if (setuid(0) == -1) {
-- D(("setuid failed"));
-- _exit(PAM_AUTHINFO_UNAVAIL);
-- }
-+ /* must set the real uid to 0 so the helper will not error
-+ out if pam is called from setuid binary (su, sudo...) */
-+ if (setuid(0) == -1) {
-+ D(("setuid failed"));
-+ if (geteuid() == 0) {
-+ _exit(PAM_AUTHINFO_UNAVAIL);
-+ }
- }
-
- /* exec binary helper */
---
-2.46.0
-
diff --git a/backport-CVE-2024-10041.patch b/backport-CVE-2024-10041.patch
deleted file mode 100644
index 1a7ac46f8fe6daf1648dff4640906ba5c4d935be..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-10041.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin"
-Date: Mon, 1 Jan 2024 12:00:00 +0000
-Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow
- password file entries
-
-Initially, when pam_unix.so verified the password, it used to try to
-obtain the shadow password file entry for the given user by invoking
-getspnam(3), and only when that didn't work and the effective uid
-was nonzero, pam_unix.so used to invoke the helper as a fallback.
-
-When SELinux support was introduced by commit
-67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
-also for the case when SELinux was enabled.
-
-Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
-fallback conditions for the case when pam_modutil_getspnam() failed
-with EACCES.
-
-Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
-invoked as a fallback when pam_modutil_getspnam() fails for any reason.
-
-The ultimate solution for the case when pam_unix.so does not have
-permissions to obtain the shadow password file entry is to stop trying
-to use pam_modutil_getspnam() and to invoke the helper instead.
-Here are two recent examples.
-
-https://github.com/linux-pam/linux-pam/pull/484 describes a system
-configuration where libnss_systemd is enabled along with libnss_files
-in the shadow entry of nsswitch.conf, so when libnss_files is unable
-to obtain the shadow password file entry for the root user, e.g. when
-SELinux is enabled, NSS falls back to libnss_systemd which returns
-a synthesized shadow password file entry for the root user, which
-in turn locks the root user out.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
-essentially the same problem in a similar system configuration.
-
-This commit is the final step in the direction of addressing the issue:
-for password verification pam_unix.so now invokes the helper instead of
-making the pam_modutil_getspnam() call.
-
-* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
-Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
-the shadow password file entry.
-
-Complements: https://github.com/linux-pam/linux-pam/pull/386
-Resolves: https://github.com/linux-pam/linux-pam/pull/484
-Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
-
-Conflict:NA
-Reference:https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be
----
- modules/pam_unix/passverify.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 1aee153..9f349e5 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -237,20 +237,21 @@ PAMH_ARG_DECL(int get_account_info,
- return PAM_UNIX_RUN_HELPER;
- #endif
- } else if (is_pwd_shadowed(*pwd)) {
-+#ifdef HELPER_COMPILE
- /*
-- * ...and shadow password file entry for this user,
-+ * shadow password file entry for this user,
- * if shadowing is enabled
- */
-- *spwdent = pam_modutil_getspnam(pamh, name);
-- if (*spwdent == NULL) {
--#ifndef HELPER_COMPILE
-- /* still a chance the user can authenticate */
-- return PAM_UNIX_RUN_HELPER;
--#endif
-- return PAM_AUTHINFO_UNAVAIL;
-- }
-- if ((*spwdent)->sp_pwdp == NULL)
-+ *spwdent = getspnam(name);
-+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
- return PAM_AUTHINFO_UNAVAIL;
-+#else
-+ /*
-+ * The helper has to be invoked to deal with
-+ * the shadow password file entry.
-+ */
-+ return PAM_UNIX_RUN_HELPER;
-+#endif
- }
- } else {
- return PAM_USER_UNKNOWN;
---
-2.46.0
-
diff --git a/backport-CVE-2024-10963.patch b/backport-CVE-2024-10963.patch
index 131847faae7950056f0e435bf0b54a3a66a409a7..7e5575f9073d31d656223dc555fa2359da0ea158 100644
--- a/backport-CVE-2024-10963.patch
+++ b/backport-CVE-2024-10963.patch
@@ -3,9 +3,6 @@ From: Thorsten Kukuk
Date: Thu, 14 Nov 2024 10:27:28 +0100
Subject: [PATCH] pam_access: rework resolving of tokens as hostname
-Conflict:Context adaptation
-Reference:https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
-
* modules/pam_access/pam_access.c: separate resolving of IP addresses
from hostnames. Don't resolve TTYs or display variables as hostname
(#834).
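Review bot: The rebase drops the `Conflict:`/`Reference:` trailers from the patch header, and those lines are the only link from this file to the upstream CVE-2024-10963 fix; the other backports in this repository keep them (the deleted CVE-2024-10041 patches carry `Conflict:NA` and a `Reference:https://github.com/linux-pam/linux-pam/commit/...` line). Keep `Reference:https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628` and either restore `Conflict:NA` if the patch now applies cleanly to 1.7.0 or keep `Conflict:Context adaptation`, since the hunk headers below still shift against the upstream commit. Without the trailer, anyone auditing which CVE fixes the package carries has to diff the patch against upstream by hand.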
@@ -20,12 +17,12 @@ Reference:https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e8
3 files changed, 105 insertions(+), 17 deletions(-)
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
-index 0b93db00..10b8ba92 100644
+index 0b93db00e4..10b8ba9252 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
-@@ -226,6 +226,10 @@
- item and the line will be most probably ignored. For this reason, it is not
- recommended to put spaces around the ':' characters.
+@@ -233,6 +233,10 @@
+ An IPv6 link local host address must contain the interface
+ identifier. IPv6 link local network/netmask is not supported.
+
+ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
@@ -35,10 +32,10 @@ index 0b93db00..10b8ba92 100644
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
-index c991d7a0..71a4f7ee 100644
+index c991d7a097..71a4f7ee94 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
-@@ -25,11 +25,14 @@
+@@ -22,11 +22,14 @@
debug
@@ -53,8 +50,8 @@ index c991d7a0..71a4f7ee 100644
+ nodns
- accessfile=file
-@@ -112,6 +115,33 @@
+ quiet_log
+@@ -132,6 +135,33 @@
@@ -87,8 +84,8 @@ index c991d7a0..71a4f7ee 100644
+
- fieldsep=separators
-@@ -153,20 +183,6 @@
+ quiet_log
+@@ -185,20 +215,6 @@
@@ -110,27 +107,27 @@ index c991d7a0..71a4f7ee 100644
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index 48e7c7e9..109115e9 100644
+index 48e7c7e974..109115e9cf 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
-@@ -92,6 +92,7 @@ struct login_info {
- int debug; /* Print debugging messages. */
+@@ -100,6 +100,7 @@ struct login_info {
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
int noaudit; /* Do not audit denials */
+ int quiet_log; /* Do not log denials */
+ int nodns; /* Do not try to resolve tokens as hostnames */
const char *fs; /* field separator */
const char *sep; /* list-element separator */
int from_remote_host; /* If PAM_RHOST was used for from */
-@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
- loginfo->only_new_group_syntax = YES;
- } else if (strcmp (argv[i], "noaudit") == 0) {
+@@ -154,6 +155,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
loginfo->noaudit = YES;
+ } else if (strcmp (argv[i], "quiet_log") == 0) {
+ loginfo->quiet_log = YES;
+ } else if (strcmp (argv[i], "nodns") == 0) {
+ loginfo->nodns = YES;
} else {
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
}
-@@ -637,7 +640,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+@@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
if ((str_len = strlen(string)) > tok_len
&& strcasecmp(tok, string + str_len - tok_len) == 0)
return YES;
@@ -139,7 +136,7 @@ index 48e7c7e9..109115e9 100644
struct addrinfo hint;
memset (&hint, '\0', sizeof (hint));
-@@ -712,6 +715,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+@@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
}
@@ -179,7 +176,7 @@ index 48e7c7e9..109115e9 100644
/* network_netmask_match - match a string against one token
* where string is a hostname or ip (v4,v6) address and tok
* represents either a hostname, a single ip (v4,v6) address
-@@ -773,10 +809,42 @@ network_netmask_match (pam_handle_t *pamh,
+@@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh,
return NO;
}
}
@@ -223,6 +220,3 @@ index 48e7c7e9..109115e9 100644
* Let getaddrinfo sort everything out
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
---
-2.33.0
-
diff --git a/backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch b/backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
deleted file mode 100644
index abe24541c5f6c4d2b10d8c03f783b7440738e36f..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
-From: Matthias Gerstner
-Date: Wed, 27 Dec 2023 14:01:59 +0100
-Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
- local DoS situations
-
-Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
-being placed in user controlled directories, causing the PAM module to
-block indefinitely during `openat()`.
-
-Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
-refer to a directory.
-
-With this the check whether the final path element is a directory
-becomes unnecessary, drop it.
----
- modules/pam_namespace/pam_namespace.c | 18 +-----------------
- 1 file changed, 1 insertion(+), 17 deletions(-)
-
-diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
-index 2528cff8..f72d6718 100644
---- a/modules/pam_namespace/pam_namespace.c
-+++ b/modules/pam_namespace/pam_namespace.c
-@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
- int dfd = AT_FDCWD;
- int dfd_next;
- int save_errno;
-- int flags = O_RDONLY;
-+ int flags = O_RDONLY | O_DIRECTORY;
- int rv = -1;
- struct stat st;
-
-@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
- rv = openat(dfd, dir, flags);
- }
-
-- if (rv != -1) {
-- if (fstat(rv, &st) != 0) {
-- save_errno = errno;
-- close(rv);
-- rv = -1;
-- errno = save_errno;
-- goto error;
-- }
-- if (!S_ISDIR(st.st_mode)) {
-- close(rv);
-- errno = ENOTDIR;
-- rv = -1;
-- goto error;
-- }
-- }
--
- if (flags & O_NOFOLLOW) {
- /* we are inside user-owned dir - protect */
- if (protect_mount(rv, p, idata) == -1) {
---
-2.33.0
-
diff --git a/backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch b/backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch
deleted file mode 100644
index e3e2e8bcb99298c330d5aea2ca792d4aaab4b68d..0000000000000000000000000000000000000000
--- a/backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk
-Date: Fri, 4 Aug 2023 15:46:16 +0200
-Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
- (#590)
-
-Conflict:NA
-Reference:https://github.com/linux-pam/linux-pam/commit/741acf4ff707d53b94947736a01eeeda5e2c7e98
-
-* modules/pam_access/pam_access.c (network_netmask_match): Don't print
-an error if a string is not resolveable, only a debug message in debug
-mode. We even don't know if that entry is for remote logins or not.
----
- modules/pam_access/pam_access.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index f70b7e49..985dc7de 100644
---- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
- */
- if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
- {
-- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-+ if (item->debug)
-+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
-
- return NO;
- }
---
-2.33.0
-
diff --git a/backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch b/backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
deleted file mode 100644
index cc34f50c0007b1f563904c7e27b6a4b1b9b49051..0000000000000000000000000000000000000000
--- a/backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 80dc2d410595b5193d32f965185710df27f3984e Mon Sep 17 00:00:00 2001
-From: Md Zain Hasib
-Date: Sat, 29 Jul 2023 11:01:35 +0530
-Subject: [PATCH] pam_pwhistory: fix passing NULL filename argument to
- pwhistory helper
-
-This change fixes a bug when pwhistory_helper is invoked from
-pam_pwhistory with an NULL filename, pwhistory_helper receives a short
-circuited argc count of 3, ignoring the rest of the arguments passed
-due to filename being NULL. To resolve the issue, an empty string is
-passed in case the filename is empty, which is later changed back to
-NULL in pwhistory_helper so that it can be passed to opasswd to read
-the default opasswd file.
-
-* modules/pam_pwhistory/pam_pwhistory.c (run_save_helper,
-run_check_helper): Replace NULL filename argument with an empty string.
-* modules/pam_pwhistory/pwhistory_helper.c (main): Replace empty string
-filename argument with NULL.
-
-Fixes: 11c35109a67f ("pam_pwhistory: Enable alternate location for password history file (#396)")
-Signed-off-by: Dmitry V. Levin
-
-Reference: https://github.com/linux-pam/linux-pam/commit/80dc2d410595b5193d32f965185710df27f3984e
-Conflict: NA
----
- modules/pam_pwhistory/pam_pwhistory.c | 4 ++--
- modules/pam_pwhistory/pwhistory_helper.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
-index 5a7fb81..98ddffc 100644
---- a/modules/pam_pwhistory/pam_pwhistory.c
-+++ b/modules/pam_pwhistory/pam_pwhistory.c
-@@ -141,7 +141,7 @@ run_save_helper(pam_handle_t *pamh, const char *user,
- args[0] = (char *)PWHISTORY_HELPER;
- args[1] = (char *)"save";
- args[2] = (char *)user;
-- args[3] = (char *)filename;
-+ args[3] = (char *)((filename != NULL) ? filename : "");
- DIAG_POP_IGNORE_CAST_QUAL;
- if (asprintf(&args[4], "%d", howmany) < 0 ||
- asprintf(&args[5], "%d", debug) < 0)
-@@ -228,7 +228,7 @@ run_check_helper(pam_handle_t *pamh, const char *user,
- args[0] = (char *)PWHISTORY_HELPER;
- args[1] = (char *)"check";
- args[2] = (char *)user;
-- args[3] = (char *)filename;
-+ args[3] = (char *)((filename != NULL) ? filename : "");
- DIAG_POP_IGNORE_CAST_QUAL;
- if (asprintf(&args[4], "%d", debug) < 0)
- {
-diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
-index 469d95f..fb9a1e3 100644
---- a/modules/pam_pwhistory/pwhistory_helper.c
-+++ b/modules/pam_pwhistory/pwhistory_helper.c
-@@ -108,7 +108,7 @@ main(int argc, char *argv[])
-
- option = argv[1];
- user = argv[2];
-- filename = argv[3];
-+ filename = (argv[3][0] != '\0') ? argv[3] : NULL;
-
- if (strcmp(option, "check") == 0 && argc == 5)
- return check_history(user, filename, argv[4]);
---
-2.43.0
-
diff --git a/backport-pam_selinux-fix-formatting-of-audit-messages.patch b/backport-pam_selinux-fix-formatting-of-audit-messages.patch
deleted file mode 100644
index f8a1ddc2becf36d9ef92bf7c4dc33e28a9cc9fcb..0000000000000000000000000000000000000000
--- a/backport-pam_selinux-fix-formatting-of-audit-messages.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 1648734a69c31e9ce834da70144ac9a453296807 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Fri, 4 Aug 2023 17:45:45 -0400
-Subject: [PATCH] pam_selinux: fix formatting of audit messages
-
-pam_selinux uses audit_log_user_message to write to the audit system.
-It does not take an op argument, so you have to add one yourself. Otherwise
-the pam_selinux part of the message is lost because it's not in key=value
-format.
----
- modules/pam_selinux/pam_selinux.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
-index e52e0fc45..713b3f73f 100644
---- a/modules/pam_selinux/pam_selinux.c
-+++ b/modules/pam_selinux/pam_selinux.c
-@@ -97,7 +97,7 @@ send_audit_message(const pam_handle_t *pamh, int success, const char *default_co
- pam_syslog(pamh, LOG_ERR, "Error translating selected context '%s'.", selected_context);
- selected_raw = NULL;
- }
-- if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
-+ if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s",
- default_raw ? default_raw : (default_context ? default_context : "?"),
- selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
- msg = NULL; /* asprintf leaves msg in undefined state on failure */
diff --git a/backport-pam_shells-Plug-econf-memory-leak.patch b/backport-pam_shells-Plug-econf-memory-leak.patch
deleted file mode 100644
index 065a78a7db8f50aba6e3e5ecf8ba188f746e392c..0000000000000000000000000000000000000000
--- a/backport-pam_shells-Plug-econf-memory-leak.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann
-Date: Thu, 18 May 2023 17:55:21 +0200
-Subject: [PATCH] pam_shells: Plug econf memory leak
-
-Signed-off-by: Tobias Stoeckmann
----
- modules/pam_shells/pam_shells.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
-index 05c09c656..276a56dd5 100644
---- a/modules/pam_shells/pam_shells.c
-+++ b/modules/pam_shells/pam_shells.c
-@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
- if (!retval)
- break;
- }
-+ econf_free (keys);
- econf_free (key_file);
- #else
- char shellFileLine[256];
diff --git a/change-ndbm-to-gdbm.patch b/change-ndbm-to-gdbm.patch
deleted file mode 100644
index 5a119a8d8f2c67a707cd631274703e05aab4fec4..0000000000000000000000000000000000000000
--- a/change-ndbm-to-gdbm.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From c8ff297d3ca1d5a195147c32859b87dba820c281 Mon Sep 17 00:00:00 2001
-From: gaoyi
-Date: Wed, 28 Oct 2020 19:37:25 +0800
-Subject: [PATCH] change ndbm to gdbm
-
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index b9b0f83..7262199 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -447,7 +447,7 @@ if test x"$WITH_DB" != xno ; then
- LIBS=$old_libs
- fi
- if test -z "$LIBDB" ; then
-- AC_CHECK_LIB([ndbm],[dbm_store], LIBDB="-lndbm", LIBDB="")
-+ AC_CHECK_LIB([gdbm_compat],[dbm_store], LIBDB="-lgdbm_compat", LIBDB="")
- if test -n "$LIBDB" ; then
- AC_CHECK_HEADERS(ndbm.h)
- fi
---
-2.33.0
-
diff --git a/pam-1.7.0-fop-optional.patch b/pam-1.7.0-fop-optional.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e183bc5b13a526709f0dbd61a0ee19b32f475727
--- /dev/null
+++ b/pam-1.7.0-fop-optional.patch
@@ -0,0 +1,50 @@
+From 5cab1abeebddf12f506826e4a037c903b188c0c4 Mon Sep 17 00:00:00 2001
+From: Yaakov Selkowitz
+Date: Mon, 4 Nov 2024 22:55:18 -0500
+Subject: [PATCH] doc: make PDF documentation optional
+
+While building any documentation requires xsltproc, only the PDF
+documentation requires fop, which is dependency-heavy, and not always
+available (e.g. it is not included in RHEL). This allows the HTML
+documentation to be built while skipping the PDFs.
+---
+ doc/guide-meson.build | 2 ++
+ meson.build | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/doc/guide-meson.build b/doc/guide-meson.build
+index e29d16e2..4ec8a69f 100644
+--- a/doc/guide-meson.build
++++ b/doc/guide-meson.build
+@@ -56,6 +56,7 @@ custom_target(
+ )
+
+
++if prog_fop.found()
+ fop = custom_target(
+ input: xml,
+ output: name + '.fop',
+@@ -85,6 +86,7 @@ custom_target(
+ install_dir: pdfdir,
+ install_tag: 'doc',
+ )
++endif
+
+
+ subdir('html')
+diff --git a/meson.build b/meson.build
+index e3d8cc2a..664bd126 100644
+--- a/meson.build
++++ b/meson.build
+@@ -502,7 +502,7 @@ if enable_docs
+ endif
+ prog_fop = find_program(
+ 'fop',
+- required: feature_docs,
++ required: false,
+ disabler: true,
+ )
+
+--
+2.47.0
+
diff --git a/pam.spec b/pam.spec
index b9f3475b302884c94db14cfb167f94e4b2bd62d9..8f9f22487e7e36ea489cb70090ae2713802e8a3b 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,8 +3,8 @@
%define _secconfdir %{_sysconfdir}/security
%define _pamconfdir %{_sysconfdir}/pam.d
Name: pam
-Version: 1.5.3
-Release: 8
+Version: 1.7.0
+Release: 1
Summary: Pluggable Authentication Modules for Linux
License: BSD-3-Clause AND GPL-2.0-or-later
URL: http://www.linux-pam.org/
@@ -20,21 +20,30 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Provides: %{name}-sm3 = %{version}-%{release}
Patch1: bugfix-pam-1.1.8-faillock-systemtime.patch
-Patch2: backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
-Patch3: backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch
-Patch4: backport-pam_shells-Plug-econf-memory-leak.patch
-Patch5: backport-pam_selinux-fix-formatting-of-audit-messages.patch
-Patch6: backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch
+Patch2: Linux-PAM-1.7.0-fix-xtests-name.patch
+Patch3: pam-1.7.0-fop-optional.patch
Patch7: backport-CVE-2024-10963.patch
-Patch8: backport-CVE-2024-10041.patch
-Patch9: backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch
-Patch9000:change-ndbm-to-gdbm.patch
-Patch9001:add-sm3-crypt-support.patch
-
-BuildRequires: autoconf automake libtool bison flex sed cracklib-devel gdbm-devel
-BuildRequires: perl-interpreter pkgconfig gettext-devel libtirpc-devel libnsl2-devel
-BuildRequires: audit-libs-devel libselinux-devel
+Patch9001: add-sm3-crypt-support.patch
+
+BuildRequires: meson >= 0.62.0
+BuildRequires: pkgconfig(audit)
+BuildRequires: pkgconfig(libcrypt)
+BuildRequires: pkgconfig(libcrypto)
+BuildRequires: pkgconfig(libnsl)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: pkgconfig(libsystemd) >= 254
+BuildRequires: pkgconfig(libtirpc)
+BuildRequires: gdbm-devel
+BuildRequires: /usr/bin/bison
+BuildRequires: /usr/bin/elinks
+BuildRequires: /usr/bin/flex
+BuildRequires: /usr/bin/gettext
+BuildRequires: /usr/bin/msgfmt
+BuildRequires: /usr/bin/xmlcatalog
+BuildRequires: /usr/bin/xmllint
+BuildRequires: /usr/bin/xsltproc
+BuildRequires: docbook5-style-xsl docbook5-schemas
Requires: cracklib libpwquality coreutils glibc audit-libs libselinux libxcrypt-sm3
@@ -56,26 +65,20 @@ Requires: %{name} = %{version}-%{release}
cp %{S:18} .
%build
-autoreconf -i
-%configure \
- --disable-rpath \
- --libdir=%{_pamlibdir} \
- --includedir=%{_includedir}/security \
- --disable-static \
- --disable-prelude \
- --enable-db=ndbm \
- --enable-lastlog
-
-make -C po update-gmo
-%make_build
+%meson \
+ --libdir=%{_pamlibdir} \
+ --includedir=%{_includedir}/security \
+ -Ddb=gdbm \
+ -Deconf=disabled \
+ -Dpam_lastlog=enabled
+%meson_build
%install
-%make_install
-%delete_la
+%meson_install
mkdir -p doc/README.d
-for readme in modules/pam_*/README ; do
- cp -f ${readme} doc/README.d/README.`dirname ${readme} | sed -e 's@^modules/@@'`
+for readme in %{_vpath_builddir}/modules/pam_*/*.txt ; do
+ cp -f ${readme} doc/README.d/README.`dirname ${readme} | sed -e 's@^%{_vpath_builddir}/modules/@@'`
done
ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_moduledir}/pam_selinux_permit.so
@@ -85,9 +88,6 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment
install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir}
-install -m 644 -D modules/pam_namespace/pam_namespace.service \
- %{buildroot}%{_unitdir}/pam_namespace.service
-
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth
@@ -108,11 +108,11 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
%find_lang Linux-PAM
%check
-%make_build check
+%meson_test
%files -f Linux-PAM.lang
%license Copyright COPYING gpl-2.0.txt
-%doc AUTHORS README ChangeLog NEWS
+%doc AUTHORS README NEWS
%doc doc/README.d/
%dir %{_pamconfdir}
%config(noreplace) %{_pamconfdir}/other
@@ -129,7 +129,6 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
%attr(0755,root,root) %{_sbindir}/pwhistory_helper
%{_sbindir}/faillock
%{_sbindir}/mkhomedir_helper
-%{_sbindir}/pam_namespace_helper
%attr(0755,root,root) %{_sbindir}/pam_namespace_helper
%dir %{_moduledir}
%{_moduledir}/pam*.so
@@ -167,6 +166,9 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
%changelog
+* Wed Dec 25 2024 Funda Wang - 1.7.0-1
+- update to 1.7.0
+
* Tue Dec 17 2024 dongyuzhen - 1.5.3-8
- fix CVE-2024-10041
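Review bot: The new changelog entry says only `update to 1.7.0`, although the same commit removes eight patches from the Patch list — among them the CVE-2024-22365 backport and both CVE-2024-10041 backports — and replaces change-ndbm-to-gdbm.patch with `-Ddb=gdbm` in the meson configure call. The spec nowhere states that those fixes are contained in 1.7.0, which is exactly what a reader of the changelog (or a vulnerability scanner keyed on it) needs to see, and the dropped CVE ids are otherwise lost from the package history. Suggest extending the entry with `- drop backport-CVE-2024-22365 and backport-CVE-2024-10041 patches, fixed upstream` and `- switch to meson build; replace change-ndbm-to-gdbm.patch with -Ddb=gdbm`.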
diff --git a/pam.yaml b/pam.yaml
index b227434b7d959b7eaf93bc8e0544db48db3a903e..6af4638e7afee44d01739f2a2318033b4eb9e6d5 100644
--- a/pam.yaml
+++ b/pam.yaml
@@ -1,4 +1,4 @@
version_control: github
src_repo: linux-pam/linux-pam
tag_prefix: ^v
-seperator: .
+separator: .