commit pam_krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package pam_krb5 for openSUSE:Factory checked in at 2017-08-24 18:50:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_krb5 (Old) and /work/SRC/openSUSE:Factory/.pam_krb5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pam_krb5" Thu Aug 24 18:50:17 2017 rev:58 rq:515934 version:2.4.13 Changes: --------
--- /work/SRC/openSUSE:Factory/pam_krb5/pam_krb5.changes 2014-06-10 14:38:35.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pam_krb5.new/pam_krb5.changes 2017-08-24 18:50:19.374959146 +0200
@@ -1,0 +2,17 @@
+Wed Jul 26 07:04:12 UTC 2017 - josef.moellers@suse.com
+
+- Update to 2.4.13:
+ * Fix a memory leak on FAST-capable clients
+ * Learn to run 'kdc' and 'kpasswdd', if appropriate
+ * Add the ability to specify a server principal
+ * Drop _pam_krb5_stash_chown_keyring functionality
+ * Fix a configure syntax error
+ * Handle ccname templates that don't include a type
+ * Fix a memory leak (static analysis)
+ * default to subsequent_prompt=false for chauthtok
+ * Don't close descriptors for fork-without-exec
+ * Handle PKINIT without duplicate prompting
+ * Add support for rxkad-k5-kdf
+ [pam_krb5-LINGUAS.dif]
+
+-------------------------------------------------------------------
Old: ---- pam_krb5-2.4.4.tar.gz pam_krb5-LINGUAS.dif pam_krb5-po.tar.gz New: ---- pam_krb5-2.4.13.tar.bz2 pam_krb5-po.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ pam_krb5.spec ++++++
--- /var/tmp/diff_new_pack.PxkTly/_old 2017-08-24 18:50:20.338823430 +0200
+++ /var/tmp/diff_new_pack.PxkTly/_new 2017-08-24 18:50:20.342822867 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package pam_krb5
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,17 +30,16 @@
 Obsoletes: pam_krb5-64bit
 %endif
 #
-Version: 2.4.4
+Version: 2.4.13
 Release: 0
 Summary: A Pluggable Authentication Module for Kerberos 5
 License: BSD-3-Clause or LGPL-2.1+
 Group: Productivity/Networking/Security
-Url: https://fedorahosted.org/pam_krb5/
-Source: https://fedorahosted.org/released/pam_krb5/pam_krb5-%{version}.tar.gz
-Source2: pam_krb5-po.tar.gz
+Url: https://pagure.io/pam_krb5
+Source: pam_krb5-%{version}.tar.bz2
+Source2: pam_krb5-po.tar.bz2
 Source3: baselibs.conf
 Patch1: pam_krb5-2.3.1-log-choise.dif
-Patch2: pam_krb5-LINGUAS.dif
 Patch3: pam_krb5-2.3.1-switch-perms-on-refresh.dif
 Patch4: pam_krb5-2.2.3-1-setcred-assume-establish.dif
 Patch5: bug-641008_pam_krb5-2.3.11-setcred-log.diff
@@ -54,9 +53,8 @@
 %setup -q -n pam_krb5-%{version}
 %setup -a 2 -T -D -n pam_krb5-%{version}
 %patch1 -p1
-%patch2
 %patch3 -p1
-%patch4
+%patch4 -p1
 %patch5 -p1
 %build
++++++ bug-641008_pam_krb5-2.3.11-setcred-log.diff ++++++
--- /var/tmp/diff_new_pack.PxkTly/_old 2017-08-24 18:50:20.394815546 +0200
+++ /var/tmp/diff_new_pack.PxkTly/_new 2017-08-24 18:50:20.398814983 +0200
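Review bot: The new `Source: pam_krb5-%{version}.tar.bz2` line in the second pam_krb5.spec hunk drops the upstream download URL, so the spec no longer records where the 2.4.13 tarball came from and a source validator cannot re-fetch it for comparison. For a PAM authentication module that provenance is worth keeping: point `Source:` at the full upstream release URL, as the removed fedorahosted.org line did. If upstream publishes a detached signature, shipping it and the keyring as additional `Source` entries would let the build verify the archive. The tarball was also recompressed from .tar.gz to .tar.bz2, which makes a byte-for-byte comparison with an upstream release harder; a short comment in the spec saying how the archive was produced would help.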
@@ -1,26 +1,27 @@ -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c -@@ -434,13 +434,32 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -435,13 +435,33 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + krb5_context ctx; + struct _pam_krb5_options *options; struct _pam_krb5_perms *saved_perms; - notice("pam_setcred (%s) called", -- (flags & PAM_ESTABLISH_CRED)?"establish credential": -- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -- (flags & PAM_REFRESH_CRED)?"refresh credential": -- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); +- (flags & PAM_ESTABLISH_CRED)?"establish credential": +- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": +- (flags & PAM_REFRESH_CRED)?"refresh credential": +- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); + + if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { + warn("error initializing Kerberos"); + return PAM_SERVICE_ERR; + } + -+ options = _pam_krb5_options_init(pamh, argc, argv, ctx); ++ options = _pam_krb5_options_init(pamh, argc, argv, ctx, ++ _pam_krb5_option_role_general); + if (options == NULL) { + warn("error parsing options (shouldn't happen)"); + krb5_free_context(ctx); @@ -40,7 +41,7 @@ return _pam_krb5_open_session(pamh, flags, argc, argv, "pam_setcred(PAM_ESTABLISH_CRED)", _pam_krb5_session_caller_setcred); -@@ -455,21 +474,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f +@@ -464,20 +484,30 @@ pam_sm_setcred(pam_handle_t *pamh, int f } saved_perms = NULL; 
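Review bot: The error path added to pam_sm_setcred releases the context with `krb5_free_context(ctx);` although it was obtained from `_pam_krb5_init_ctx()`, while the other entry points visible in this commit (acct.c, password.c, session.c) pair that initializer with `_pam_krb5_free_ctx(ctx);`. If the wrapper releases anything beyond the raw krb5 context, this path leaves it behind on every failed option parse, so I would use `_pam_krb5_free_ctx(ctx);` here and at the later `_pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx);` pair in the last hunk of this file. The function body continues outside the hunk, so whether the early `return _pam_krb5_open_session(...)` branches release `options` and `ctx` cannot be checked from here and is worth confirming.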
@@ -55,7 +56,6 @@ if (saved_perms != NULL) { _pam_krb5_restore_perms_r2e(saved_perms); } - saved_perms = NULL; + _pam_krb5_options_free(pamh, ctx, options); + krb5_free_context(ctx); return PAM_IGNORE; ++++++ pam_krb5-2.2.3-1-setcred-assume-establish.dif ++++++ --- /var/tmp/diff_new_pack.PxkTly/_old 2017-08-24 18:50:20.410813293 +0200 +++ /var/tmp/diff_new_pack.PxkTly/_new 2017-08-24 18:50:20.414812730 +0200 @@ -1,8 +1,8 @@ -Index: src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- src/auth.c.orig -+++ src/auth.c -@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f "pam_setcred(PAM_DELETE_CRED)", _pam_krb5_session_caller_setcred); } ++++++ pam_krb5-2.3.1-log-choise.dif ++++++ --- /var/tmp/diff_new_pack.PxkTly/_old 2017-08-24 18:50:20.430810478 +0200 +++ /var/tmp/diff_new_pack.PxkTly/_new 2017-08-24 18:50:20.430810478 +0200 
@@ -1,92 +1,90 @@ -Index: pam_krb5-2.4.4/src/acct.c +Index: pam_krb5-2.4.13/src/acct.c =================================================================== ---- pam_krb5-2.4.4.orig/src/acct.c -+++ pam_krb5-2.4.4/src/acct.c -@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int +--- pam_krb5-2.4.13.orig/src/acct.c ++++ pam_krb5-2.4.13/src/acct.c +@@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_acct_mgmt called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } /* Get information about the user and the user's principal name. */ userinfo = _pam_krb5_user_info_init(ctx, user, options); -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c -@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh, +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh, return PAM_SERVICE_ERR; } if (options->debug) { -- debug("called to authenticate '%s', realm '%s'", user, -- options->realm); +- debug("called to authenticate '%s', configured realm '%s'", +- user, options->realm); + debug("pam_authenticate called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); } -+ _pam_krb5_set_init_opts(ctx, gic_options, options); - /* Prompt for the password, as we might need to. 
*/ -@@ -432,6 +433,11 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +@@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + notice("pam_setcred (%s) called", -+ (flags & PAM_ESTABLISH_CRED)?"establish credential": -+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -+ (flags & PAM_REFRESH_CRED)?"refresh credential": -+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); ++ (flags & PAM_ESTABLISH_CRED)?"establish credential": ++ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": ++ (flags & PAM_REFRESH_CRED)?"refresh credential": ++ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); if (flags & PAM_ESTABLISH_CRED) { return _pam_krb5_open_session(pamh, flags, argc, argv, "pam_setcred(PAM_ESTABLISH_CRED)", -Index: pam_krb5-2.4.4/src/password.c +Index: pam_krb5-2.4.13/src/password.c =================================================================== ---- pam_krb5-2.4.4.orig/src/password.c -+++ pam_krb5-2.4.4/src/password.c -@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int +--- pam_krb5-2.4.13.orig/src/password.c ++++ pam_krb5-2.4.13/src/password.c +@@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_chauthtok called (%s) for '%s', realm '%s'", -+ (flags & PAM_PRELIM_CHECK) ? -+ "preliminary check" : -+ ((flags & PAM_UPDATE_AUTHTOK) ? -+ "updating authtok": -+ "unknown phase"), -+ user, -+ options->realm); ++ (flags & PAM_PRELIM_CHECK) ? ++ "preliminary check" : ++ ((flags & PAM_UPDATE_AUTHTOK) ? ++ "updating authtok": ++ "unknown phase"), ++ user, ++ options->realm); + } _pam_krb5_set_init_opts(ctx, gic_options, options); /* Get information about the user and the user's principal name. 
*/ -Index: pam_krb5-2.4.4/src/session.c +Index: pam_krb5-2.4.13/src/session.c =================================================================== ---- pam_krb5-2.4.4.orig/src/session.c -+++ pam_krb5-2.4.4/src/session.c -@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam +--- pam_krb5-2.4.13.orig/src/session.c ++++ pam_krb5-2.4.13/src/session.c +@@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_open_session called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } /* If we're in a no-cred-session situation, return. */ if ((!options->cred_session) && -@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa +@@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa _pam_krb5_free_ctx(ctx); - return PAM_SUCCESS; + return PAM_SERVICE_ERR; } - + if (options->debug) { + debug("pam_close_session called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } - /* Get information about the user and the user's principal name. */ - userinfo = _pam_krb5_user_info_init(ctx, user, options); - if (userinfo == NULL) { + /* If we're in a no-cred-session situation, return. */ + if ((!options->cred_session) && + (caller_type == _pam_krb5_session_caller_setcred)) { ++++++ pam_krb5-2.3.1-switch-perms-on-refresh.dif ++++++ --- /var/tmp/diff_new_pack.PxkTly/_old 2017-08-24 18:50:20.454807099 +0200 +++ /var/tmp/diff_new_pack.PxkTly/_new 2017-08-24 18:50:20.454807099 +0200 @@ -1,7 +1,7 @@ -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c @@ -56,6 +56,7 @@ #include "items.h" #include "kuserok.h" 
@@ -10,24 +10,30 @@ #include "options.h" #include "prompter.h" #include "session.h" -@@ -433,6 +434,7 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +@@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + struct _pam_krb5_perms *saved_perms; notice("pam_setcred (%s) called", - (flags & PAM_ESTABLISH_CRED)?"establish credential": - (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f + (flags & PAM_ESTABLISH_CRED)?"establish credential": + (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": +@@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f _pam_krb5_session_caller_setcred); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { + saved_perms = _pam_krb5_switch_perms_r2e(); + + if (flags & PAM_REINITIALIZE_CRED) { + why = "pam_setcred(PAM_REINITIALIZE_CRED)"; + if (flags & PAM_REFRESH_CRED) { +@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f + why = "pam_setcred(PAM_REFRESH_CRED)"; + } if (_pam_krb5_sly_looks_unsafe() == 0) { -- return _pam_krb5_sly_maybe_refresh(pamh, flags, +- return _pam_krb5_sly_maybe_refresh(pamh, flags, why, - argc, argv); -+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv); ++ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv); + if (saved_perms != NULL) { + _pam_krb5_restore_perms_r2e(saved_perms); + } @@ -39,14 +45,13 @@ + if (saved_perms != NULL) { + _pam_krb5_restore_perms_r2e(saved_perms); + } -+ saved_perms = NULL; return PAM_IGNORE; } } -Index: pam_krb5-2.4.4/src/perms.c +Index: pam_krb5-2.4.13/src/perms.c =================================================================== ---- pam_krb5-2.4.4.orig/src/perms.c -+++ pam_krb5-2.4.4/src/perms.c +--- pam_krb5-2.4.13.orig/src/perms.c ++++ pam_krb5-2.4.13/src/perms.c @@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 } return ret; 
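Review bot: Both call sites in pam_sm_setcred discard the result of `_pam_krb5_restore_perms_r2e(saved_perms);`, yet the helper in the perms.c part of this patch returns -1 when `setresuid()` or `setresgid()` fails. A failed restore leaves the calling process with swapped or half-restored IDs while the module still returns the refresh result or `PAM_IGNORE`. I would check the result and fail closed, for example `if (saved_perms != NULL && _pam_krb5_restore_perms_r2e(saved_perms) != 0) return PAM_SYSTEM_ERR;`. A NULL from `_pam_krb5_switch_perms_r2e()` presumably means the switch did not happen, and the refresh then runs with the original IDs; that case deserves at least a `warn()`. The body of the switch helper and the rest of pam_sm_setcred lie outside these hunks.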
@@ -90,17 +95,17 @@ + int ret = -1; + if (saved != NULL) { + if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) && -+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { ++ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { + ret = 0; + } + free(saved); + } + return ret; +} -Index: pam_krb5-2.4.4/src/perms.h +Index: pam_krb5-2.4.13/src/perms.h =================================================================== ---- pam_krb5-2.4.4.orig/src/perms.h -+++ pam_krb5-2.4.4/src/perms.h +--- pam_krb5-2.4.13.orig/src/perms.h ++++ pam_krb5-2.4.13/src/perms.h @@ -37,4 +37,7 @@ struct _pam_krb5_perms; struct _pam_krb5_perms *_pam_krb5_switch_perms(void); int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); ++++++ pam_krb5-2.4.4.tar.gz -> pam_krb5-2.4.13.tar.bz2 ++++++ ++++ 30943 lines of diff (skipped) ++++++ pam_krb5-po.tar.gz -> pam_krb5-po.tar.bz2 ++++++