debian/0000775000000000000000000000000013202334054007164 5ustar debian/control0000664000000000000000000000244513200324727010600 0ustar Source: libpam4j Section: java Priority: optional Maintainer: Debian Java Maintainers Uploaders: James Page Build-Depends: cdbs, debhelper (>= 7), default-jdk, javahelper, maven-debian-helper Build-Depends-Indep: default-jdk-doc, junit (>= 3.8.1), libjna-java, libmaven-javadoc-plugin-java Standards-Version: 3.9.2 Homepage: http://java.net/projects/libpam4j/ Vcs-Git: git://git.debian.org/git/pkg-java/libpam4j.git Vcs-Browser: http://git.debian.org/?p=pkg-java/libpam4j.git Package: libpam4j-java Architecture: all Depends: ${maven:Depends}, ${misc:Depends} Recommends: ${maven:OptionalDepends} Description: Java binding for libpam.so This library enables easy integration to the pluggable authentication module (PAM) on Linux and UNIX systems through the use of native integration to libpam.so. Package: libpam4j-java-doc Architecture: all Section: doc Depends: default-jdk-doc, ${maven:DocDepends}, ${misc:Depends} Suggests: libpam4j-java Description: Documentation for Java binding for libpam.so This library enables easy integration to the pluggable authentication module (PAM) on Linux and UNIX systems through the use of native integration to libpam.so. . This package provides the API documentation for libpam4j-java. debian/README.source0000664000000000000000000000044413200324727011351 0ustar Information about libpam4j ------------------------------ This package was debianized using the mh_make command from the maven-debian-helper package. The build system uses Maven but prevents it from downloading anything from the Internet, making the build compliant with the Debian policy. 
debian/changelog0000664000000000000000000000207313202333556011046 0ustar libpam4j (1.4-2+deb8u1build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Marc Deslauriers Mon, 13 Nov 2017 10:17:02 -0500 libpam4j (1.4-2+deb8u1) jessie-security; urgency=high * Team upload. * Fix CVE-2017-12197 (Closes: #879001): It was discovered that libpam4j does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user with a valid password but with deactivated or disabled account was able to log in. -- Markus Koschany Tue, 07 Nov 2017 13:40:55 +0100 libpam4j (1.4-2) unstable; urgency=low * Fix FTBFS (LP: #935254): - d/libpam4j.poms: Add --java-lib option to ensure jar files are installed to /usr/share/java. * d/copyright: Tweaked for revised field names. * Updated my email address. -- James Page Wed, 22 Feb 2012 09:16:04 +0000 libpam4j (1.4-1) unstable; urgency=low * Initial release. (Closes: #629381) -- James Page Mon, 06 Jun 2011 09:30:47 +0100 debian/libpam4j-java.classpath0000664000000000000000000000006413200324727013515 0ustar usr/share/java/libpam4j.jar /usr/share/java/jna.jar debian/libpam4j-java-doc.install0000664000000000000000000000006213200324727013742 0ustar target/apidocs/* usr/share/doc/libpam4j-java/api debian/source/0000775000000000000000000000000013200324727010470 5ustar debian/source/format0000664000000000000000000000001413200324727011676 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000213200324727010366 0ustar 7 debian/orig-tar.sh0000775000000000000000000000070113200324727011251 0ustar #!/bin/sh -e VERSION=$2 TAR=../libpam4j_$VERSION.orig.tar.gz DIR=libpam4j-$VERSION TAG=$(echo "libpam4j-$VERSION" | sed -re's/~(alpha|beta)/-\1-/') svn export https://svn.java.net/svn/libpam4j~svn/tags/${TAG}/ $DIR GZIP=--best tar -c -z -f $TAR --exclude '*.jar' --exclude '*.class' $DIR rm -rf $DIR ../$TAG # move to directory 'tarballs' if [ -r .svn/deb-layout ]; then . 
.svn/deb-layout mv $TAR $origDir && echo "moved $TAR to $origDir" fi debian/patches/0000775000000000000000000000000013200324727010617 5ustar debian/patches/CVE-2017-12197.patch0000664000000000000000000000243213200324727013326 0ustar From: Markus Koschany Date: Tue, 7 Nov 2017 13:25:46 +0100 Subject: CVE-2017-12197 Reenable the check for pam_acct_mgmt module. It was possible to authenticate with an invalid account. Bug-Debian: https://bugs.debian.org/879001 Bug-Upstream: https://github.com/kohsuke/libpam4j/issues/18 Origin: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d --- src/main/java/org/jvnet/libpam/PAM.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/jvnet/libpam/PAM.java b/src/main/java/org/jvnet/libpam/PAM.java index dc86f4e..566ca80 100644 --- a/src/main/java/org/jvnet/libpam/PAM.java +++ b/src/main/java/org/jvnet/libpam/PAM.java 
@@ -123,7 +123,7 @@ public class PAM { check(libpam.pam_set_item(pht,PAM_USER,username),"pam_set_item failed"); check(libpam.pam_authenticate(pht,0),"pam_authenticate failed"); // several different error code seem to be used to represent authentication failures -// check(libpam.pam_acct_mgmt(pht,0),"pam_acct_mgmt failed"); + check(libpam.pam_acct_mgmt(pht,0),"pam_acct_mgmt failed"); PointerByReference r = new PointerByReference(); check(libpam.pam_get_item(pht,PAM_USER,r),"pam_get_item failed"); debian/patches/series0000664000000000000000000000005413200324727012033 0ustar 01-versioned-lib.patch CVE-2017-12197.patch debian/patches/01-versioned-lib.patch0000664000000000000000000000163213200324727014622 0ustar Description: Fix version of libpam.so to 0; this ensures that the JNI links against the right version of the pam library on Debian based distros. Author: James Page Forwarded: not-needed Index: libpam4j/src/main/java/org/jvnet/libpam/impl/PAMLibrary.java =================================================================== --- libpam4j.orig/src/main/java/org/jvnet/libpam/impl/PAMLibrary.java 2011-03-23 08:22:33.924273682 +0000 +++ libpam4j/src/main/java/org/jvnet/libpam/impl/PAMLibrary.java 2011-03-23 08:22:51.234454884 +0000 
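Review bot: In PAM.java the re-enabled `check(libpam.pam_acct_mgmt(pht,0),"pam_acct_mgmt failed");` is the only thing that rejects a disabled or expired account after `pam_authenticate` succeeds, yet nothing in the patch stops it from being commented out again: the diffstat shows one file changed and no test. A regression test that authenticates a deactivated account with a valid password and expects a failure would pin the CVE-2017-12197 fix. The comment kept directly above the call ("several different error code seem to be used to represent authentication failures") now reads as if it described the account check. A dedicated line such as `// account validity (disabled/expired) is checked separately from the password - CVE-2017-12197` would make the intent explicit. Assuming `check()` raises on any non-success code, an expired password (`PAM_NEW_AUTHTOK_REQD`) will surface as a generic failure, which fails closed but should be documented for callers; the enclosing method starts and ends outside the hunk.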
@@ -129,5 +129,5 @@ final int PAM_ERROR_MSG = 3; /* Error message */ final int PAM_TEXT_INFO = 4; /* Textual information */ - public static final PAMLibrary libpam = (PAMLibrary)Native.loadLibrary("pam",PAMLibrary.class); + public static final PAMLibrary libpam = (PAMLibrary)Native.loadLibrary("libpam.so.0",PAMLibrary.class); } debian/maven.ignoreRules0000664000000000000000000000143413200324727012520 0ustar # Maven ignore rules - ignore some Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., this dependency is then removed # from the POM # junit junit jar s/3\\..*/3.x/ org.jvnet.wagon-svn wagon-svn * * * * debian/maven.publishedRules0000664000000000000000000000164213200324727013215 0ustar # Maven published rules - additional rules to publish, to help # the packaging work of Debian maintainers using mh_make # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # - a regular expression of the form s/match/replace/ # in this case, elements that match are transformed using # the regex rule. 
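Review bot: The new `Native.loadLibrary("libpam.so.0",PAMLibrary.class)` line in PAMLibrary.java pins a SONAME with no in-code comment, so the reason is recorded only in the Debian patch header, which says "JNI" although the call shown is JNA's `Native`. A comment such as `// Debian: load by SONAME; the unversioned libpam.so is presumably only installed with the development package` would keep the rationale next to the code. The library is still located by name through the loader's search path rather than by absolute path. For an authentication binding, the package documentation should note that `jna.library.path` and the process library path must not be settable or writable by untrusted users. The interface body starts outside the hunk.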
# All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., replacing the version with 3.x # junit junit jar s/3\\..*/3.x/ debian/copyright0000664000000000000000000000272313200324727011127 0ustar Format: http://dep.debian.net/deps/dep5/ Upstream-Name: Java binding for libpam.so Source: http://java.net/projects/libpam4j/ Files: * Copyright: 2009, Sun Microsystems, Inc. License: MIT Files: debian/* Copyright: 2011, Canonical Ltd. (http://www.canonical.com/) License: GPL-3 License: GPL-3 On Debian GNU/Linux system you can find the complete text of the GPL-3 license in '/usr/share/common-licenses/GPL-3' License: MIT Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
debian/watch0000664000000000000000000000032013200324727010214 0ustar version=3 opts="uversionmangle=s/-(alpha|beta)-/~$1/" \ http://java.net/projects/libpam4j/sources/svn/show/tags \ /projects/libpam4j/sources/svn/show/tags/libpam4j-(\d+).(\d+).* debian debian/orig-tar.sh debian/libpam4j-java-doc.doc-base.api0000664000000000000000000000050313200324727014521 0ustar Document: libpam4j-java Title: API Javadoc for Java binding for libpam.so Author: Java binding for libpam.so developers Abstract: This is the API Javadoc provided for the libpam4j-java library. Section: Programming Format: HTML Index: /usr/share/doc/libpam4j-java/api/index.html Files: /usr/share/doc/libpam4j-java/api/* debian/maven.cleanIgnoreRules0000664000000000000000000000143413200324727013463 0ustar # Maven ignore rules - ignore some Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., this dependency is then removed # from the POM # junit junit jar s/3\\..*/3.x/ org.jvnet.wagon-svn wagon-svn * * * * debian/maven.rules0000664000000000000000000000166513200324727011362 0ustar # Maven rules - transform Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). 
In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # - a regular expression of the form s/match/replace/ # in this case, elements that match are transformed using # the regex rule. # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., replacing the version with 3.x # junit junit jar s/3\\..*/3.x/ junit junit jar s/3\..*/3.x/ * * org.jvnet.libpam4j libpam4j jar s/.*/debian/ * * debian/maven.properties0000664000000000000000000000014413200324727012413 0ustar # Include here properties to pass to Maven during the build. # For example: # maven.test.skip=true debian/rules0000775000000000000000000000043613200324727010253 0ustar #!/usr/bin/make -f include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/javahelper.mk include /usr/share/cdbs/1/class/maven.mk JAVA_HOME := /usr/lib/jvm/default-java get-orig-source: uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download --rename debian/libpam4j-java.poms0000664000000000000000000000222113200324727012506 0ustar # List of POM files for the package # Format of this file is: # [option]* # where option can be: # --ignore: ignore this POM or # --no-parent: remove the tag from the POM # --package=: an alternative package to use when installing this POM # and its artifact # --has-package-version: to indicate that the original version of the POM is the same as the upstream part # of the version for the package. 
# --keep-elements=: a list of XML elements to keep in the POM # during a clean operation with mh_cleanpom or mh_installpom # --artifact=: path to the build artifact associated with this POM, # it will be installed when using the command mh_install # --java-lib: install the jar into /usr/share/java to comply with Debian # packaging guidelines # --usj-name=: name to use when installing the library in /usr/share/java # --usj-version=: version to use when installing the library in /usr/share/java # --no-usj-versionless: don't install the versionless link in /usr/share/java # --dest-jar=: the destination for the real jar # pom.xml --java-lib