From f15e8b644a3c32e7c0f5deb6b7e4cc501f26b8e0 Mon Sep 17 00:00:00 2001 
From: joerg Date: Tue, 7 Mar 2006 01:22:16 +0000 Subject: Update pam-mysql to 0.7RC1. This fixes a number of security issues. From NEWS: Version 0.7-RC1 2006/1/10 * Add a option "disconnect_every_op" option that forces pam_mysql to disconnect from the database every operation (PR #1325395). -moriyoshi * Use geteuid() instead of getuid() to check if the current user is authorized to change the password (PR #1338667). -moriyoshi * Allow root (uid=0) to change the passwords of other users without their old password. -moriyoshi Version 0.7-pre3 2005/9/29 * Changed handling of the "where" option to not escape meta characters (PR #1261484). -moriyoshi * Overhauled the SQL logging facility (PR #1256243). -moriyoshi * Added logrhostcolumn (log.rhost_column) option that enables you to log the value of the "rhost" item specified by the application. -moriyoshi * Fixed possible security flaw (though not considered to be severe). -moriyoshi * Fixed memory leaks spotted when "config_file" option is used. -moriyoshi * Fixed try_first_pass behaviour. -moriyoshi * Changed option parsing behaviour so "=" following each option name is not needed. -moriyoshi Version 0.7-pre2 2005/9/18 * Changed column name handling to not escape meta characters. Now you can specify an expression to every XXXcolumn variable like "CONCAT(a, b, c)". -moriyoshi * Supported SHA1 hash (PR #1117036). -moriyoshi, alexeen * Supported use_first_pass and try_first_pass options. -moriyoshi Version 0.7-pre1 2005/6/13 * Support for NSS-mysql style configuration file which is inspired by the Florian's work. -moriyoshi Version 0.6.2 2005/9/29 * Overhauled the SQL logging facility (PR #1256243). -moriyoshi * Fixed possible security flaw (though not considered to be severe). -moriyoshi Version 0.6.1 2005/9/18 * Added use_323_passwd option that allows you to use an encryption function used in the old MySQL versions (3.23.x). 
-moriyoshi, Daniel Renaud * Fixed account management code that wouldn't work at all :-p -moriyoshi * Included pam_mysql.spec to the tarball by default. This enables you to make a RPM with the following oneliner: (rpmbuild -tb pam_mysql.tar.gz). -moriyoshi * Fixed compile failure that occurs with the old mysql_config (< 4.0.16). -moriyoshi * Fixed compile failure on Solaris when --with-openssl is specified to the configure script. Version 0.6 2005/6/13 * Adopted autoconf / automake for build system. -moriyoshi * Portable MD5 support by using OpenSSL / Cyrus-SASL. -moriyoshi * MySQL library detection. -moriyoshi * Added RPM spec file. -moriyoshi * Tidied up the entire code for security and maintainability. -moriyoshi * Modified log output to be more verbose. -moriyoshi * Changed log facility type to LOG_AUTHPRIV as per the recommendation in the PAM documentation. -moriyoshi * Added support for unix socket and non-default ports. -moriyoshi * Added account management and authentication token alteration code. -moriyoshi * Remove default values for string parameters for the sake of performance. -moriyoshi * Enhanced SQL logging function to log session state as well. -moriyoshi * Solaris support. -moriyoshi --- security/pam-mysql/Makefile | 31 +++++------- security/pam-mysql/PLIST | 8 ++-- security/pam-mysql/distinfo | 9 ++-- security/pam-mysql/patches/patch-aa | 93 ------------------------------------- 4 files changed, 20 insertions(+), 121 deletions(-) delete mode 100644 security/pam-mysql/patches/patch-aa (limited to 'security')
diff --git a/security/pam-mysql/Makefile b/security/pam-mysql/Makefile
index e40721dbe8e..65a317f5e8c 100644
--- a/security/pam-mysql/Makefile
+++ b/security/pam-mysql/Makefile
@@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.5 2006/03/04 21:30:37 jlam Exp $ +# $NetBSD: Makefile,v 1.6 2006/03/07 01:22:16 joerg Exp $ -DISTNAME= pam_mysql-0.5 -PKGNAME= ${DISTNAME:S/_/-/} -PKGREVISION= 2 +DISTNAME= pam_mysql-0.7RC1 +PKGNAME= ${DISTNAME:S/_/-/:S/RC/rc/} CATEGORIES= security MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=pam-mysql/} @@ -10,26 +9,20 @@ MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://pam-mysql.sourceforge.net/ COMMENT= PAM module for authenticating with MySQL -WRKSRC= ${WRKDIR}/pam_mysql DOCDIR= ${PREFIX}/share/doc/pam-mysql -INSTALLATION_DIRS= lib +GNU_CONFIGURE= yes +USE_LIBTOOL= yes -do-build: - ${CC} -fpic -DPIC -Wall -I${LOCALBASE}/include \ - -c ${WRKSRC}/pam_mysql.c -o ${WRKSRC}/pam_mysql.o - ${LD} -x --shared -o ${WRKSRC}/pam_mysql.so ${WRKSRC}/pam_mysql.o \ - -lpam -lcrypt -L${LOCALBASE}/lib/mysql \ - ${COMPILER_RPATH_FLAG}${LOCALBASE}/lib/mysql -lmysqlclient \ - -L${LOCALBASE}/lib ${COMPILER_RPATH_FLAG}${LOCALBASE}/lib +CONFIGURE_ARGS+= --with-mysql=${BUILDLINK_PREFIX.mysql-client:Q} +CONFIGURE_ARGS+= --with-pam-mods-dir=${PREFIX:Q}/lib/security +CONFIGURE_ARGS+= --disable-static -do-install: - ${INSTALL_LIB} ${WRKSRC}/pam_mysql.so ${PREFIX}/lib - ${INSTALL_DATA_DIR} ${DOCDIR} - ${INSTALL_DATA} ${WRKSRC}/Changelog ${DOCDIR} - ${INSTALL_DATA} ${WRKSRC}/CREDITS ${DOCDIR} - ${INSTALL_DATA} ${WRKSRC}/Readme ${DOCDIR} +post-install: + ${INSTALL_DATA_DIR} ${DOCDIR:Q} + cd ${WRKSRC:Q} && ${INSTALL_DATA} CREDITS ChangeLog README ${DOCDIR:Q} +.include "../../security/openssl/buildlink3.mk" .include "../../mk/mysql.buildlink3.mk" .include "../../mk/pam.buildlink3.mk" .include "../../mk/bsd.pkg.mk" diff --git a/security/pam-mysql/PLIST b/security/pam-mysql/PLIST index a7c2ec3b1c5..2096c55b259 100644 --- a/security/pam-mysql/PLIST +++ b/security/pam-mysql/PLIST 
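Review bot: The new Makefile pulls in `../../security/openssl/buildlink3.mk` but none of the added CONFIGURE_ARGS lines pass `--with-openssl`, so whether the module's MD5/SHA1 support is really built against the buildlinked OpenSSL is left to configure's autodetection (the quoted NEWS lists `--with-openssl` as a configure option and OpenSSL/Cyrus-SASL as alternative MD5 providers). For an authentication module the hash backend should not be chosen implicitly; add `CONFIGURE_ARGS+= --with-openssl=${BUILDLINK_PREFIX.openssl:Q}` beside the mysql-client line so the build fails loudly if OpenSSL is not found instead of silently picking another backend. Separately, `--with-pam-mods-dir` moves the module from `lib/pam_mysql.so` to `lib/security/pam_mysql.so`, so existing /etc/pam.d entries naming the old path will stop loading it, which depending on the control flag (`sufficient` vs `required`) can change the effective authentication policy rather than just fail closed; that deserves a line in the commit message or a pkgsrc MESSAGE file.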
@@ -1,6 +1,6 @@ -@comment $NetBSD: PLIST,v 1.1.1.1 2005/05/05 20:16:42 xtraeme Exp $ -lib/pam_mysql.so +@comment $NetBSD: PLIST,v 1.2 2006/03/07 01:22:16 joerg Exp $ +lib/security/pam_mysql.la share/doc/pam-mysql/CREDITS -share/doc/pam-mysql/Changelog -share/doc/pam-mysql/Readme +share/doc/pam-mysql/ChangeLog +share/doc/pam-mysql/README @dirrm share/doc/pam-mysql diff --git a/security/pam-mysql/distinfo b/security/pam-mysql/distinfo index 71ed4e3b134..9cc51ef3ffa 100644 --- a/security/pam-mysql/distinfo +++ b/security/pam-mysql/distinfo @@ -1,6 +1,5 @@ -$NetBSD: distinfo,v 1.1.1.1 2005/05/05 20:16:42 xtraeme Exp $ +$NetBSD: distinfo,v 1.2 2006/03/07 01:22:16 joerg Exp $ -SHA1 (pam_mysql-0.5.tar.gz) = 6e974a3ee78a968b0069c4abbd1d8602c145e177 -RMD160 (pam_mysql-0.5.tar.gz) = 788246f050ce0b531799af3e8d816248b974638f -Size (pam_mysql-0.5.tar.gz) = 11587 bytes -SHA1 (patch-aa) = 05300eb46da816015567195dc755f39522d1f5d8 +SHA1 (pam_mysql-0.7RC1.tar.gz) = a139c4b4bf1a2e591a016069405428eb862f7690 +RMD160 (pam_mysql-0.7RC1.tar.gz) = ffa908bf2f458c48571f0f172f841ef861ad0b47 +Size (pam_mysql-0.7RC1.tar.gz) = 335240 bytes diff --git a/security/pam-mysql/patches/patch-aa b/security/pam-mysql/patches/patch-aa deleted file mode 100644 index 49a87441465..00000000000 --- a/security/pam-mysql/patches/patch-aa +++ /dev/null 
@@ -1,93 +0,0 @@ -$NetBSD: patch-aa,v 1.1.1.1 2005/05/05 20:16:42 xtraeme Exp $ - ---- pam_mysql.c.orig Sun Sep 15 10:28:58 2002 -+++ pam_mysql.c Thu Feb 13 14:58:21 2003 -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - - - /* AFAIK, only FreeBSD has MD5Data() defined in md5.h -@@ -54,7 +55,53 @@ - #define DEBUG - - #include -+#ifdef _OPENPAM -+#include -+#else - #include -+#endif -+ -+#ifdef _OPENPAM -+/* some macros not defined in OpenPAM */ -+ -+/* Good policy to strike out passwords with some characters not just -+ free the memory */ -+ -+#define _pam_overwrite(x) \ -+do { \ -+ register char *__xx__; \ -+ if ((__xx__=(x))) \ -+ while (*__xx__) \ -+ *__xx__++ = '\0'; \ -+} while (0) -+ -+/* -+ * Don't just free it, forget it too. -+ */ -+ -+#define _pam_drop(X) \ -+do { \ -+ if (X) { \ -+ free(X); \ -+ X=NULL; \ -+ } \ -+} while (0) -+ -+#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ -+do { \ -+ int reply_i; \ -+ \ -+ for (reply_i=0; reply_iconv(nargs, - (const struct pam_message **) message, - response, conv->appdata_ptr); -- if ((retval != PAM_SUCCESS) && (retval != PAM_CONV_AGAIN)) -+ if ((retval != PAM_SUCCESS) -+#ifndef _OPENPAM -+ && (retval != PAM_CONV_AGAIN) -+#endif -+ ) - syslog(LOG_DEBUG, "pam_mysql: conversation failure [%s]", - pam_strerror(pamh, retval)); - } else { -@@ -827,8 +878,12 @@ - if (retval != PAM_SUCCESS) { - if (resp != NULL) - _pam_drop_reply(resp,i); -+#ifndef _OPENPAM - return ((retval == PAM_CONV_AGAIN) - ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL); -+#else -+ return PAM_AUTHINFO_UNAVAIL; -+#endif - } - - /* we have a password so set AUTHTOK - -- cgit v1.2.3