Cherry-picked from upstream:
https://git.savannah.gnu.org/gitweb/?p=config.git;a=commit;h=1c4398015583eb77bc043234f5734be055e64bea
Everything except external/apache2/llvm/dist/llvm/cmake/config.guess
is patched, which is under vendor tag and cannot be modified. I expect
that this file is not actually used as we use hand-crafted version of
configure script instead of cmake for building LLVM.
Note that external/apache2/llvm/autoconf/autoconf/config.guess has
already been committed on Oct. 20, but commit message disappeared as
cvs aborted due to "permission denied" when trying to modify the file
mentioned above. Sorry for confusing you.
Also note that GMP uses its own config.guess Patch for
external/lgpl3/gmp/dist/config.guess is provided by ryo@. Thanks!
This avoids leaking NO_STATIC_MODULES into the public header, which
has led to considerable confusion and workarounds in pkgrsc.
PR security/39313
PR security/55216
ok christos
- BUGFIX: Reinstore the NULL check in pam_end(3) which was removed in
OpenPAM Radula, as it breaks common error-handling constructs.
- BUGFIX: Return PAM_SYMBOL_ERR instead of PAM_SYSTEM_ERR from the
dispatcher when the required service function could not be found.
- ENHANCE: Introduce the PAM_BAD_HANDLE error code for when pamh is
NULL in API functions that have a NULL check.
- ENHANCE: Introduce the PAM_BAD_ITEM, PAM_BAD_FEATURE and
PAM_BAD_CONSTANT error codes for situations where we previously
incorrectly used PAM_SYMBOL_ERR to denote that an invalid constant
had been passed to an API function.
- ENHANCE: Improve the RETURN VALUES section in API man pages,
especially for functions that cannot fail, which were incorrectly
documented as returning -1 on failure.
============================================================================
OpenPAM Radula 2017-02-19
- BUGFIX: Fix an inverted test which prevented pam_get_authtok(3) and
pam_get_user(3) from using application-provided custom prompts.
- BUGFIX: Plug a memory leak in pam_set_item(3).
- BUGFIX: Plug a potential memory leak in openpam_readlinev(3).
- BUGFIX: In openpam_readword(3), support line continuations within
whitespace.
- ENHANCE: Add a feature flag to control fallback to "other" policy.
- ENHANCE: Add a pam_return(8) module which returns an arbitrary
code specified in the module options.
- ENHANCE: More and better unit tests.
introducing since release of software to be recognised. This should hopefully
allow the builds to progress a littles further on systems such as the POWER8
which features a little endian 64-bit PowerPC CPU identified as ppc64le.
- ENHANCE: When executing a chain, require at least one service
function to succeed. This mitigates fail-open scenarios caused by
misconfigurations or missing modules.
- ENHANCE: Make sure to overwrite buffers which may have contained an
authentication token when they're no longer needed.
- BUGFIX: Under certain circumstances, specifying a non-existent
module (or misspelling the name of a module) in a policy could
result in a fail-open scenario. (CVE-2014-3879)
- FEATURE: Add a search path for modules. This was implemented in
Nummularia but inadvertently left out of the release notes.
- BUGFIX: The is_upper() predicate only accepted the letter A as an
upper-case character instead of the entire A-Z range. As a result,
service and module names containing upper-case letters other than A
would be rejected.
why pam is failing in the case of an included pam config file missing.
example: instead of logging with the default log settings:
Jun 17 08:49:37 tucana su: pam_start failed: system error
it will log:
Jun 17 08:55:49 tucana su: in openpam_parse_chain(): failed loading include for service gibbetnich in /etc/pam.d/su(15): No such file or directory
Jun 17 08:55:49 tucana su: pam_start failed: system error
Missing module files were treated as soft failures leading to
unexpected behavior if policy files were copied between hosts with
differently installed modules or in the short period during upgrades
when module files were being replaced.
module link failed, instead of printing "Undefined error 0".
- don't print free'd variable on error, restructure so that we free at the
end and print the consistent name of the path dlopened.
- downgrade the error of not finding a file to load to a debug message.
Statically linked OpenPAM (like on sun2) does not have shared objects.
- make sure we preserve errno around dlclose() which will call munmap()
XXX: Pullup to 6
ENHANCE: removed static build autodetection, which didn't work anyway.
Use an explicit, user-specified preprocessor variable instead.
ENHANCE: cleaned up the documentation a bit.
ENHANCE: added openpam_subst(3), allowing certain PAM items to be embedded
in strings such as prompts. Apply it to the prompts used by
pam_get_user(3) and pam_get_authtok(3).
ENHANCE: added support for the user_prompt, authtok_prompt and
oldauthtok_prompt module options, which override the prompts passed
by the module to pam_set_user(3) and pam_get_authtok(3).
ENHANCE: rewrote the policy parser to support quoted option values.
ENHANCE: added pamtest(1), a tool for testing modules and policies.
ENHANCE: added code to check the ownership and permissions of a module before
loading it.
ENHANCE: added / improved input validation in many cases, including the policy
file and some function arguments.
