author Patrick J Volkerding <volkerdi@slackware.com>2020-05-18 19:17:21 +0000
committer Eric Hameleers <alien@slackware.com>2020-05-18 23:25:14 +0200
commitffef56590d68c334819ecf26118a257bdafccf6b (patch)
tree6681fac1801c4a0569147ba9a731f323b38dff15 /source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
parenteba2e5b781702a60ac9f9613c9b8456c1594215c (diff)
Mon May 18 19:17:21 UTC 202020200518191721
Greetings! After three months in /testing, the PAM merge into the main tree is now complete. When updating, be sure to install the new pam, cracklib, and libpwquality packages or you may find yourself locked out of your machine. Otherwise, these changes should be completely transparent and you shouldn't notice any obvious operational differences. Be careful if you make any changes in /etc/pam.d/ - leaving an extra console logged in while testing PAM config changes is a recommended standard procedure. Thanks again to Robby Workman, Vincent Batts, Phantom X, and ivandi for help implementing this. It's not done yet and there will be more fine-tuning of the config files, but now we can move on to build some other updates. Enjoy! a/cracklib-2.9.7-x86_64-1.txz: Added. a/kernel-firmware-20200517_f8d32e4-noarch-1.txz: Upgraded. a/libcgroup-0.41-x86_64-7.txz: Rebuilt. Rebuilt to add PAM support. a/libpwquality-1.4.2-x86_64-1.txz: Added. a/lilo-24.2-x86_64-9.txz: Rebuilt. Enable the "compact" option by default. liloconfig: correctly set the root partition. a/pam-1.3.1-x86_64-1.txz: Added. a/shadow-4.8.1-x86_64-7.txz: Rebuilt. Rebuilt to add PAM support. a/utempter-1.2.0-x86_64-1.txz: Upgraded. a/util-linux-2.35.1-x86_64-6.txz: Rebuilt. Rebuilt to add PAM support. a/xfsprogs-5.6.0-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. ap/at-3.2.1-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/cups-2.3.3-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/hplip-3.20.5-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/mariadb-10.4.13-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/screen-4.8.0-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/soma-3.3.0-noarch-1.txz: Upgraded. Thanks to David Woodfall. ap/sqlite-3.31.1-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. ap/sudo-1.9.0-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/vim-8.2.0788-x86_64-1.txz: Upgraded. d/bison-3.6.2-x86_64-1.txz: Upgraded. d/meson-0.54.2-x86_64-1.txz: Upgraded. 
d/python-setuptools-46.4.0-x86_64-1.txz: Upgraded. d/vala-0.48.6-x86_64-1.txz: Upgraded. kde/calligra-2.9.11-x86_64-36.txz: Rebuilt. Recompiled against icu4c-67.1. kde/kde-workspace-4.11.22-x86_64-7.txz: Rebuilt. Rebuilt to add PAM support. l/ConsoleKit2-1.2.1-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. l/boost-1.73.0-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/gnome-keyring-3.36.0-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. l/harfbuzz-2.6.6-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/icu4c-67.1-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/imagemagick-7.0.10_13-x86_64-1.txz: Upgraded. l/libcap-2.34-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. l/libical-3.0.8-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/libuv-1.38.0-x86_64-1.txz: Upgraded. l/libvisio-0.1.7-x86_64-3.txz: Rebuilt. Recompiled against icu4c-67.1. l/polkit-0.116-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. l/qt-4.8.7-x86_64-16.txz: Rebuilt. Recompiled against icu4c-67.1. l/qt5-5.13.2-x86_64-4.txz: Rebuilt. Recompiled against icu4c-67.1. l/qt5-webkit-5.212.0_alpha4-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/raptor2-2.0.15-x86_64-9.txz: Rebuilt. Recompiled against icu4c-67.1. l/system-config-printer-1.5.12-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. l/vte-0.60.2-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. n/cifs-utils-6.10-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. n/cyrus-sasl-2.1.27-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. n/dovecot-2.3.10.1-x86_64-1.txz: Upgraded. Rebuilt to add PAM support. Compiled against icu4c-67.1. This update fixes several denial-of-service vulnerabilities. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967 (* Security fix *) n/mutt-1.14.1-x86_64-1.txz: Upgraded. 
n/netatalk-3.1.12-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. n/netkit-rsh-0.17-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. n/nss-pam-ldapd-0.9.11-x86_64-1.txz: Added. n/openssh-8.2p1-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. n/openvpn-2.4.9-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. n/pam-krb5-4.9-x86_64-1.txz: Added. n/php-7.4.6-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. n/popa3d-1.0.3-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. n/postfix-3.5.2-x86_64-1.txz: Upgraded. Compiled against icu4c-67.1. n/ppp-2.4.8-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. n/proftpd-1.3.6c-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. n/samba-4.12.2-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. Recompiled against icu4c-67.1. n/tin-2.4.4-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. n/vsftpd-3.0.3-x86_64-6.txz: Rebuilt. Rebuilt to add PAM support. t/texlive-2019.190626-x86_64-4.txz: Rebuilt. Recompiled against icu4c-67.1. x/vulkan-sdk-1.2.135.0-x86_64-1.txz: Upgraded. x/xdm-1.1.11-x86_64-10.txz: Rebuilt. Rebuilt to add PAM support. x/xisxwayland-1-x86_64-1.txz: Added. xap/sane-1.0.30-x86_64-1.txz: Upgraded. This update fixes several security issues. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864 (* Security fix *) xap/vim-gvim-8.2.0788-x86_64-1.txz: Upgraded. xap/xlockmore-5.63-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. xap/xscreensaver-5.44-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. extra/brltty/brltty-6.1-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. 
extra/pure-alsa-system/qt5-5.13.2-x86_64-4_alsa.txz: Rebuilt. Recompiled against icu4c-67.1. isolinux/initrd.img: Rebuilt. Added PAM libraries, security modules, and config files. usb-and-pxe-installers/usbboot.img: Rebuilt. Added PAM libraries, security modules, and config files.
Diffstat (limited to 'source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch')
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch95
1 files changed, 95 insertions, 0 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
new file mode 100644
index 000000000..8ae4abfd8
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
@@ -0,0 +1,95 @@
+From 05aa693b7db6b818d31e41f0cab1d5fb4f49600e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Thu, 15 Nov 2018 15:58:56 +0100
+Subject: [PATCH] pam_unix: Prefer a gensalt function, that supports auto
+ entropy.
+
+* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
+* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
+* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
+---
+ modules/pam_unix/pam_unix_passwd.c | 2 +-
+ modules/pam_unix/passverify.c | 13 +++++++++++++
+ modules/pam_unix/support.c | 7 +++++--
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix_passwd.c
++++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
+@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+ unsigned int ctrl, lctrl;
+ int retval;
+ int remember = -1;
+- int rounds = -1;
++ int rounds = 0;
+ int pass_min_len = 0;
+
+ /* <DO NOT free() THESE> */
+Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
++++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+@@ -375,7 +375,12 @@ PAMH_ARG_DECL(char * create_password_has
+ const char *password, unsigned int ctrl, int rounds)
+ {
+ const char *algoid;
++#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
++ /* Strings returned by crypt_gensalt_rn will be no longer than this. */
++ char salt[CRYPT_GENSALT_OUTPUT_SIZE];
++#else
+ char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */
++#endif
+ char *sp;
+ #ifdef HAVE_CRYPT_R
+ struct crypt_data *cdata = NULL;
+@@ -406,6 +411,13 @@ PAMH_ARG_DECL(char * create_password_has
+ return crypted;
+ }
+
++#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
++ /*
++ * Any version of libcrypt supporting auto entropy is
++ * guaranteed to have crypt_gensalt_rn().
++ */
++ sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
++#else
+ #ifdef HAVE_CRYPT_GENSALT_R
+ if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ char entropy[17];
+@@ -423,6 +435,7 @@ PAMH_ARG_DECL(char * create_password_has
+ #ifdef HAVE_CRYPT_GENSALT_R
+ }
+ #endif
++#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
+ #ifdef HAVE_CRYPT_R
+ sp = NULL;
+ cdata = malloc(sizeof(*cdata));
+Index: Linux-PAM-1.3.1/modules/pam_unix/support.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/support.c
++++ Linux-PAM-1.3.1/modules/pam_unix/support.c
+@@ -175,6 +175,7 @@ int _set_ctrl(pam_handle_t *pamh, int fl
+
+ if (val) {
+ *rounds = strtol(val, NULL, 10);
++ set(UNIX_ALGO_ROUNDS, ctrl);
+ free (val);
+ }
+ }
+@@ -254,11 +255,13 @@ int _set_ctrl(pam_handle_t *pamh, int fl
+ if (*rounds < 4 || *rounds > 31)
+ *rounds = 5;
+ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+- if ((*rounds < 1000) || (*rounds == INT_MAX))
++ if ((*rounds < 1000) || (*rounds == INT_MAX)) {
+ /* don't care about bogus values */
++ *rounds = 0;
+ unset(UNIX_ALGO_ROUNDS, ctrl);
+- if (*rounds >= 10000000)
++ } else if (*rounds >= 10000000) {
+ *rounds = 9999999;
++ }
+ }
+ }
+
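Review bot: The result of `crypt_gensalt_rn()` in the new auto-entropy branch of create_password_hash (passverify.c) is never tested: `sp` is assigned, and in the visible context it is overwritten by `sp = NULL;` under `HAVE_CRYPT_R` right after the new `#endif`. crypt_gensalt_rn returns NULL when it rejects the prefix or the count, or cannot obtain random bytes, so `salt` would then be passed on without a valid setting string. I would add `if (sp == NULL) return NULL;` directly after the call, together with whatever logging the rest of the function uses. This matters more now that `rounds` goes straight in as the count: in `_set_ctrl` the `strtol` result is stored into an `int` with no end-pointer or range check, and only the two branches visible in support.c (the 4..31 clamp and the SHA256/SHA512 one) sanitize it. The function body continues outside the quoted context, so a later check on the crypt() result may already reject a bad salt; that should be confirmed rather than assumed.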