From sem@ciam.ru  Thu Feb 13 04:05:51 2003
Return-Path: <sem@ciam.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 525F737B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Feb 2003 04:05:51 -0800 (PST)
Received: from hueymiccailhuitl.mtu.ru (hueytecuilhuitl.mtu.ru [195.34.32.123])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6DD0A43F75
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Feb 2003 04:05:49 -0800 (PST)
	(envelope-from sem@ciam.ru)
Received: from sem-home.ciam.ru (ppp137-46.dialup.mtu-net.ru [62.118.137.46])
	by hueymiccailhuitl.mtu.ru (Postfix) with ESMTP id 0591DF9B95
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Feb 2003 15:05:42 +0300 (MSK)
	(envelope-from sem@ciam.ru)
Received: from sem by sem-home.ciam.ru with local (Exim 4.12)
	id 18jI7d-00059e-00
	for FreeBSD-gnats-submit@freebsd.org; Thu, 13 Feb 2003 15:05:45 +0300
Message-Id: <E18jI7d-00059e-00@sem-home.ciam.ru>
Date: Thu, 13 Feb 2003 15:05:45 +0300
From: Sergey Matveychuk <sem@ciam.ru>
Reply-To: Sergey Matveychuk <sem@ciam.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [UPDATE] security/pam-mysql update to 0.5 and OpenPAM support
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48239
>Category:       ports
>Synopsis:       [UPDATE] security/pam-mysql update to 0.5 and OpenPAM support
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    anders
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 13 04:10:11 PST 2003
>Closed-Date:    Sun Jun 01 14:28:06 PDT 2003
>Last-Modified:  Sun Jun 01 14:28:06 PDT 2003
>Originator:     Sergey Matveychuk
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD sem-home.ciam.ru 5.0-RELEASE FreeBSD 5.0-RELEASE #2: Mon Jan 20 12:56:36 MSK 2003 root@sem-home.ciam.ru:/usr/obj/usr/src/sys/SEM-HOME i386


	
>Description:
	1) Update port to 0.5:
		Added md5 support by default -ksmith
		added a makefile that works for FreeBSD -ksmith
		More buffer overflow related fixes -jo2y
		added -lz flag to link against the libz library -jo2y
		backport of sql logging into main branch -jo2y
		fixed a memory leak with mysql_free_result() -jo2y
		Fixes buffer overflow in parseArgs() -jo2y
		Add askForPassword() for new passwords in pam_sm_chauthtok() -ksmith
		all instances of syslog() now have a format string -ksmith
		Many fixes from B J Black

	2) Add OpenPAM support

	New file: files/patch-ab

>How-To-Repeat:
	
>Fix:


diff -ruN /usr/ports/security/pam-mysql/Makefile pam-mysql/Makefile
--- /usr/ports/security/pam-mysql/Makefile	Thu Apr 11 02:28:01 2002
+++ pam-mysql/Makefile	Thu Feb 13 13:48:08 2003
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	pam_mysql
-PORTVERSION=	0.4.7
+PORTVERSION=	0.5
 CATEGORIES=	security databases
 MASTER_SITES=	http://download.sourceforge.net/pam-mysql/ \
 		http://atreides.freenix.no/~anders/
@@ -20,10 +20,6 @@
 WRKSRC=		${WRKDIR}/${PORTNAME}
 
 .include <bsd.port.pre.mk>
-
-.if !exists(/usr/include/security/_pam_types.h) && ${OSVERSION} >= 500031
-BROKEN=		"Does not work with OpenPAM (yet)"
-.endif
 
 post-patch:
 	@cd ${WRKSRC} && ${GMAKE} clean
diff -ruN /usr/ports/security/pam-mysql/distinfo pam-mysql/distinfo
--- /usr/ports/security/pam-mysql/distinfo	Sat Oct 14 00:18:29 2000
+++ pam-mysql/distinfo	Mon Feb 10 06:00:00 2003
@@ -1 +1 @@
-MD5 (pam_mysql-0.4.7.tar.gz) = 8442ec07c3de929720bbb8783750a1ff
+MD5 (pam_mysql-0.5.tar.gz) = 8cf002392292ae2a5774545324739a94
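Review bot: the only integrity check recorded for pam_mysql-0.5.tar.gz is an MD5 digest, and both MASTER_SITES entries in the Makefile are plain http://, so the source for a PAM authentication module is fetched without transport protection and verified with a hash that is not collision resistant. If the ports framework in use accepts additional digest lines in distinfo, add a stronger one alongside the MD5 line, and say in the PR where the new checksum was obtained.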
diff -ruN /usr/ports/security/pam-mysql/files/patch-aa pam-mysql/files/patch-aa
--- /usr/ports/security/pam-mysql/files/patch-aa	Sat Oct 14 00:18:33 2000
+++ pam-mysql/files/patch-aa	Thu Feb 13 13:46:55 2003
@@ -1,63 +1,18 @@
---- pam_mysql.c.old	Sun Sep 24 02:26:17 2000
-+++ pam_mysql.c	Sun Sep 24 02:42:23 2000
-@@ -14,7 +14,6 @@
- #include <unistd.h>
- #include <syslog.h>
- #include <stdarg.h>
--#include <alloca.h>
- #include <string.h>
+--- Makefile.orig	Thu Nov 21 05:13:01 2002
++++ Makefile	Thu Feb 13 13:39:07 2003
+@@ -3,13 +3,9 @@
+ ifndef FULL_LINUX_PAM_SOURCE_TREE
+ export DYNAMIC=-DPAM_DYNAMIC
+ export CC=gcc
+-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
+-       -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
+-       -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
+-       -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
+-       -Wshadow -pedantic -fPIC
++export CFLAGS=-O2 -I/usr/local/include -fPIC
+ export MKDIR=mkdir -p
+-export LD_D=gcc -shared -Xlinker -x -L/usr/lib/mysql -lz
++export LD_D=gcc -shared -Xlinker -x -L/usr/local/lib/mysql -lz
+ endif
  
- #include <mysql/mysql.h>
-@@ -332,40 +331,40 @@
- 		}
- 		strcpy (junk, argv[i]);
- 		if ((strchr (junk, (int) '=') != NULL)) {
--			strncpy (mybuf, strtok (junk, "="), 255);
--			strncpy (myval, strtok (NULL, "="), 255);
-+			strlcpy (mybuf, strtok (junk, "="), 255);
-+			strlcpy (myval, strtok (NULL, "="), 255);
- 			free (junk);
- 			if (!strcasecmp ("host", mybuf)) {
--				strncpy (options.host, myval, 255);
-+				strlcpy (options.host, myval, 255);
- 				D (("host changed."));
- 			} else if (!strcasecmp ("where", mybuf)) {
- 				while ( (mj = strtok(NULL,"=")) != NULL )
- 				{
--					strcat(myval, "=");
--					strcat(myval, mj);
-+					strlcat(myval, "=", 255);
-+					strlcat(myval, mj, 255);
- 				}
--				strncpy (options.where, myval, 256);
-+				strlcpy (options.where, myval, 256);
- 				D (("where changed."));
- #ifdef DEBUG
- 				syslog(LOG_ERR, "pam_mysql: where now is %s", options.where);
- #endif
- 			} else if (!strcasecmp ("db", mybuf)) {
--				strncpy (options.database, myval, 16);
-+				strlcpy (options.database, myval, 16);
- 				D (("database changed."));
- 			} else if (!strcasecmp ("user", mybuf)) {
--				strncpy (options.dbuser, myval, 16);
-+				strlcpy (options.dbuser, myval, 16);
- 				D (("dbuser changed."));
- 			} else if (!strcasecmp ("passwd", mybuf)) {
--				strncpy (options.dbpasswd, myval, 16);
-+				strlcpy (options.dbpasswd, myval, 16);
- 				D (("dbpasswd changed."));
- 			} else if (!strcasecmp ("table", mybuf)) {
--				strncpy (options.table, myval, 16);
-+				strlcpy (options.table, myval, 16);
- 				D (("table changed."));
- 			} else if (!strcasecmp ("usercolumn", mybuf)) {
--				strncpy (options.usercolumn, myval, 16);
-+				strlcpy (options.usercolumn, myval, 16);
- 				D (("usercolumn changed."));
- 			} else if (!strcasecmp ("passwdcolumn", mybuf)) {
--				strncpy (options.passwdcolumn, myval, 16);
-+				strlcpy (options.passwdcolumn, myval, 16);
- 				D (("passwdcolumn changed."));
- 			} else if (!strcasecmp ("crypt", mybuf)) {
- 				if ((!strcmp (myval, "1")) ||
+ #
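Review bot: the old patch-aa content removed here carried every strncpy()/strcat() to strlcpy()/strlcat() conversion in the option-parsing code, and nothing in the new patch-aa or in patch-ab touches those lines, so the bounded copies into options.host, options.where and the fields copied with a size of 16 now depend entirely on the 0.5 tarball. Please confirm against the 0.5 source that the option parser no longer uses unbounded strcat() or unterminated strncpy() before dropping the local fix. In the new Makefile patch, CFLAGS loses -Wall and the rest of the warning flags and hardcodes /usr/local in both CFLAGS and LD_D; keeping at least -Wall and substituting ${LOCALBASE} would preserve compiler diagnostics for this module and honour a non-default prefix.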
diff -ruN /usr/ports/security/pam-mysql/files/patch-ab pam-mysql/files/patch-ab
--- /usr/ports/security/pam-mysql/files/patch-ab	Thu Jan  1 03:00:00 1970
+++ pam-mysql/files/patch-ab	Thu Feb 13 14:58:41 2003
@@ -0,0 +1,90 @@
+--- pam_mysql.c.orig	Sun Sep 15 10:28:58 2002
++++ pam_mysql.c	Thu Feb 13 14:58:21 2003
+@@ -23,6 +23,7 @@
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
++#include <time.h>
+ 
+ 
+ /* AFAIK, only FreeBSD has MD5Data() defined in md5.h
+@@ -54,7 +55,53 @@
+ #define DEBUG 
+ 
+ #include <security/pam_modules.h>
++#ifdef _OPENPAM
++#include <security/pam_appl.h>
++#else
+ #include <security/pam_misc.h>
++#endif
++
++#ifdef _OPENPAM
++/* some macros not defined in OpenPAM */
++
++/* Good policy to strike out passwords with some characters not just
++   free the memory */
++
++#define _pam_overwrite(x)        \
++do {                             \
++     register char *__xx__;      \
++     if ((__xx__=(x)))           \
++          while (*__xx__)        \
++               *__xx__++ = '\0'; \
++} while (0)
++
++/*
++ * Don't just free it, forget it too.
++ */
++
++#define _pam_drop(X) \
++do {                 \
++    if (X) {         \
++        free(X);     \
++        X=NULL;      \
++    }                \
++} while (0)
++
++#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
++do {                                              \
++    int reply_i;                                  \
++                                                  \
++    for (reply_i=0; reply_i<replies; ++reply_i) { \
++	if (reply[reply_i].resp) {                \
++	    _pam_overwrite(reply[reply_i].resp);  \
++	    free(reply[reply_i].resp);            \
++	}                                         \
++    }                                             \
++    if (reply)                                    \
++	free(reply);                              \
++} while (0)
++
++#endif
+ 
+ struct optionstruct {
+ 	char host[257];
+@@ -620,7 +667,11 @@
+ 		retval = conv->conv(nargs,
+ 		                    (const struct pam_message **) message,
+ 		                    response, conv->appdata_ptr);
+-		if ((retval != PAM_SUCCESS) && (retval != PAM_CONV_AGAIN))
++		if ((retval != PAM_SUCCESS)
++#ifndef _OPENPAM
++			&& (retval != PAM_CONV_AGAIN)
++#endif
++		   )
+ 			syslog(LOG_DEBUG, "pam_mysql: conversation failure [%s]",
+ 			       pam_strerror(pamh, retval));
+ 	} else {
+@@ -827,8 +878,12 @@
+ 	if (retval != PAM_SUCCESS) {
+ 		if (resp != NULL)
+ 			_pam_drop_reply(resp,i);
++#ifndef _OPENPAM
+ 		return ((retval == PAM_CONV_AGAIN)
+ 		        ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL);
++#else
++		return PAM_AUTHINFO_UNAVAIL;
++#endif
+ 	}
+ 
+ 	/* we have a password so set AUTHTOK
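Review bot: in the added _pam_overwrite() macro the zeroing loop writes through a plain char * immediately before _pam_drop_reply() frees the buffer, so an optimising compiler is allowed to treat the stores as dead and drop them, leaving the password in freed memory. Declaring the pointer as volatile char * (the register qualifier adds nothing) keeps the stores. In _pam_drop_reply() the loop indexes reply[reply_i] before the if (reply) test, so the NULL check only protects the final free(); wrap the whole body in the test and parenthesise the macro arguments. For the two PAM_CONV_AGAIN guards, testing #ifdef PAM_CONV_AGAIN rather than #ifndef _OPENPAM would key the code on the symbol it actually needs and avoid splitting the if condition across preprocessor lines.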
>Release-Note:
>Audit-Trail:

From: "Sergey Matveychuk" <sem@ciam.ru>
To: <freebsd-gnats-submit@FreeBSD.org>, <sem@ciam.ru>
Cc:  
Subject: Re: ports/48239: [UPDATE] security/pam-mysql update to 0.5 and OpenPAM support
Date: Thu, 13 Feb 2003 15:16:35 +0300

 ... and it unbreaks this port on -CURRENT.
 
 ----
 Sem.
Responsible-Changed-From-To: freebsd-ports-bugs->anders@FreeBSD.org 
Responsible-Changed-By: roam 
Responsible-Changed-When: Thu Feb 27 00:36:08 PST 2003 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48239 
Responsible-Changed-From-To: anders@FreeBSD.org->anders 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu Apr 24 20:24:55 PDT 2003 
Responsible-Changed-Why:  
fix responsible 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48239 
State-Changed-From-To: open->closed 
State-Changed-By: anders 
State-Changed-When: Sun Jun 1 14:27:55 PDT 2003 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48239 
>Unformatted:
