author | Steve Langasek <vorlon@debian.org> | 2019-01-08 01:43:00 +0000 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 22:12:52 -0800 |
commit | 8b35e983dc8b4fa7d5a27b928999950c3b6ffc3e (patch) | |
tree | 42f064dd708977f425c3f42728e73797a04dc5a9 | |
parent | 4b9ee4f1ec73d87668ce40f0a362ecbc58159d9f (diff) | |
download | pam-8b35e983dc8b4fa7d5a27b928999950c3b6ffc3e.tar.gz pam-8b35e983dc8b4fa7d5a27b928999950c3b6ffc3e.tar.bz2 pam-8b35e983dc8b4fa7d5a27b928999950c3b6ffc3e.zip |
Consistently include documentation changes in patches, for clean source package
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches-applied/007_modules_pam_unix | 68 | ||||
-rw-r--r-- | debian/patches-applied/cve-2010-4708.patch | 40 | ||||
-rw-r--r-- | debian/patches-applied/cve-2015-3238.patch | 105 |
4 files changed, 170 insertions, 45 deletions
diff --git a/debian/changelog b/debian/changelog index b3b3c045..0040ad26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,8 @@ pam (1.1.8-4) UNRELEASED; urgency=medium Closes: #907492. * Don't include changes to autogenerated files in patches. * Use LC_ALL=C.UTF-8, not LC_ALL=C, when generating documentation. + * Consistently include documentation changes in patches, for clean source + package. -- Steve Langasek <vorlon@debian.org> Wed, 09 Apr 2014 14:04:10 -0700 diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix index 5dae4064..d88bb979 100644 --- a/debian/patches-applied/007_modules_pam_unix +++ b/debian/patches-applied/007_modules_pam_unix 
@@ -460,3 +460,71 @@ Index: pam.debian/modules/pam_unix/pam_unix.8 .RE .PP Invalid arguments are logged with +diff --git a/modules/pam_unix/README b/modules/pam_unix/README +index 26c06e23..a1289409 100644 +--- a/modules/pam_unix/README ++++ b/modules/pam_unix/README +@@ -12,9 +12,9 @@ shadow file as well if shadow is enabled. + The account component performs the task of establishing the status of the + user's account and password based on the following shadow elements: expire, + last_change, max_change, min_change, warn_change. In the case of the latter, it +-may offer advice to the user on changing their password or, through the ++may offer advice to the user on changing their password or, through the + PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have +-established a new password. The entries listed above are documented in the ++established a new password. The entries listed above are documented in the + shadow(5) manual page. Should the user's record not contain one or more of + these entries, the corresponding shadow check is not performed. + +@@ -100,7 +100,7 @@ remember=n + + The last n passwords for each user are saved in /etc/security/opasswd in + order to force password change history and keep the user from alternating +- between the same password too frequently. Instead of this option the ++ between the same password too frequently. Instead of this option the + pam_pwhistory module should be used. + + shadow +@@ -146,8 +146,40 @@ broken_shadow + + minlen=n + +- Set a minimum password length of n characters. The max. for DES crypt based +- passwords are 8 characters. ++ Set a minimum password length of n characters. The default value is 6. The ++ maximum for DES crypt-based passwords is 8 characters. ++ ++obscure ++ ++ Enable some extra checks on password strength. These checks are based on ++ the "obscure" checks in the original shadow package. 
The behavior is ++ similar to the pam_cracklib module, but for non-dictionary-based checks. ++ The following checks are implemented: ++ ++ Palindrome ++ ++ Verifies that the new password is not a palindrome of (i.e., the ++ reverse of) the previous one. ++ ++ Case Change Only ++ ++ Verifies that the new password isn't the same as the old one with a ++ change of case. ++ ++ Similar ++ ++ Verifies that the new password isn't too much like the previous one. ++ ++ Simple ++ ++ Is the new password too simple? This is based on the length of the ++ password and the number of different types of characters (alpha, ++ numeric, etc.) used. ++ ++ Rotated ++ ++ Is the new password a rotated version of the old password? (E.g., ++ "billy" and "illyb") + + Invalid arguments are logged with syslog(3). + diff --git a/debian/patches-applied/cve-2010-4708.patch b/debian/patches-applied/cve-2010-4708.patch index cf23e318..10128284 100644 --- a/debian/patches-applied/cve-2010-4708.patch +++ b/debian/patches-applied/cve-2010-4708.patch @@ -1,8 +1,8 @@ Description: fix cve-2010-4708: .pam_environment privilege issue -Index: pam.debian/modules/pam_env/pam_env.c +Index: pam/modules/pam_env/pam_env.c =================================================================== ---- pam.debian.orig/modules/pam_env/pam_env.c -+++ pam.debian/modules/pam_env/pam_env.c +--- pam.orig/modules/pam_env/pam_env.c ++++ pam/modules/pam_env/pam_env.c @@ -10,7 +10,7 @@ #define DEFAULT_READ_ENVFILE 1 @@ -12,10 +12,10 @@ Index: pam.debian/modules/pam_env/pam_env.c #include "config.h" -Index: pam.debian/modules/pam_env/pam_env.8.xml +Index: pam/modules/pam_env/pam_env.8.xml =================================================================== ---- pam.debian.orig/modules/pam_env/pam_env.8.xml -+++ pam.debian/modules/pam_env/pam_env.8.xml +--- pam.orig/modules/pam_env/pam_env.8.xml ++++ pam/modules/pam_env/pam_env.8.xml @@ -147,7 +147,7 @@ <listitem> <para> 
@@ -25,10 +25,10 @@ Index: pam.debian/modules/pam_env/pam_env.8.xml </para> </listitem> </varlistentry> -Index: pam.debian/modules/pam_env/pam_env.8 +Index: pam/modules/pam_env/pam_env.8 =================================================================== ---- pam.debian.orig/modules/pam_env/pam_env.8 -+++ pam.debian/modules/pam_env/pam_env.8 +--- pam.orig/modules/pam_env/pam_env.8 ++++ pam/modules/pam_env/pam_env.8 @@ -2,12 +2,12 @@ .\" Title: pam_env .\" Author: [see the "AUTHOR" section] @@ -62,3 +62,25 @@ Index: pam.debian/modules/pam_env/pam_env.8 .SH "AUTHOR" .PP pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&. +Index: pam/modules/pam_env/README +=================================================================== +--- pam.orig/modules/pam_env/README ++++ pam/modules/pam_env/README +@@ -5,7 +5,7 @@ + DESCRIPTION + + The pam_env PAM module allows the (un)setting of environment variables. +-Supported is the use of previously set environment variables as well as ++Supported is the use of previously set environment variables as well as + PAM_ITEMs such as PAM_RHOST. + + By default rules for (un)setting of variables is taken from the config file / +@@ -50,7 +50,7 @@ + user_readenv=0|1 + + Turns on or off the reading of the user specific environment file. 0 is +- off, 1 is on. By default this option is on. ++ off, 1 is on. By default this option is off. + + EXAMPLES + diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch index cb5e8c06..50dd746e 100644 --- a/debian/patches-applied/cve-2015-3238.patch +++ b/debian/patches-applied/cve-2015-3238.patch 
@@ -15,10 +15,10 @@ pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. -diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml -index 2379366..d1b00a2 100644 ---- a/modules/pam_exec/pam_exec.8.xml -+++ b/modules/pam_exec/pam_exec.8.xml +Index: pam/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8.xml ++++ pam/modules/pam_exec/pam_exec.8.xml @@ -106,7 +106,8 @@ During authentication the calling command can read the password from <citerefentry> @@ -29,11 +29,11 @@ index 2379366..d1b00a2 100644 </para> </listitem> </varlistentry> -diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c -index 5ab9630..17ba6ca 100644 ---- a/modules/pam_exec/pam_exec.c -+++ b/modules/pam_exec/pam_exec.c -@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, +Index: pam/modules/pam_exec/pam_exec.c +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.c ++++ pam/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ } pam_set_item (pamh, PAM_AUTHTOK, resp); @@ -47,10 +47,10 @@ index 5ab9630..17ba6ca 100644 if (pipe(fds) != 0) { -diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml -index 4008402..a8b64bb 100644 ---- a/modules/pam_unix/pam_unix.8.xml -+++ b/modules/pam_unix/pam_unix.8.xml +Index: pam/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8.xml ++++ pam/modules/pam_unix/pam_unix.8.xml @@ -80,6 +80,13 @@ </para> 
@@ -65,11 +65,11 @@ index 4008402..a8b64bb 100644 The password component of this module performs the task of updating the user's password. The default encryption hash is taken from the <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from -diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c -index 2d330e5..c2e5de5 100644 ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const +Index: pam/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam/modules/pam_unix/pam_unix_passwd.c +@@ -245,15 +245,22 @@ /* wait for child */ /* if the stored password is NULL */ int rc=0; @@ -100,11 +100,11 @@ index 2d330e5..c2e5de5 100644 close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index b325602..e79b55e 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) +Index: pam/modules/pam_unix/passverify.c +=================================================================== +--- pam.orig/modules/pam_unix/passverify.c ++++ pam/modules/pam_unix/passverify.c +@@ -1086,12 +1086,15 @@ int read_passwords(int fd, int npass, char **passwords) { @@ -121,10 +121,10 @@ index b325602..e79b55e 100644 if (rbytes < 0) { if (errno == EINTR) continue; -diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h -index 3de6759..caf7ae8 100644 ---- a/modules/pam_unix/passverify.h -+++ b/modules/pam_unix/passverify.h +Index: pam/modules/pam_unix/passverify.h +=================================================================== +--- pam.orig/modules/pam_unix/passverify.h ++++ pam/modules/pam_unix/passverify.h 
@@ -8,7 +8,7 @@ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT @@ -134,11 +134,11 @@ index 3de6759..caf7ae8 100644 #define OLD_PASSWORDS_FILE "/etc/security/opasswd" -diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c -index fdb45c2..abccd82 100644 ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, +Index: pam/modules/pam_unix/support.c +=================================================================== +--- pam.orig/modules/pam_unix/support.c ++++ pam/modules/pam_unix/support.c +@@ -632,7 +632,12 @@ /* if the stored password is NULL */ int rc=0; if (passwd != NULL) { /* send the password to the child */ @@ -152,8 +152,10 @@ index fdb45c2..abccd82 100644 pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); retval = PAM_AUTH_ERR; } ---- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000 -+++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000 +Index: pam/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8 ++++ pam/modules/pam_unix/pam_unix.8 @@ -56,6 +56,10 @@ \fBnoreap\fR module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. @@ -165,8 +167,10 @@ index fdb45c2..abccd82 100644 The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the \fBENCRYPT_METHOD\fR variable from ---- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000 -+++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000 +Index: pam/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8 ++++ pam/modules/pam_exec/pam_exec.8 @@ -65,7 +65,9 @@ \fBexpose_authtok\fR .RS 4 
@@ -178,3 +182,32 @@ index fdb45c2..abccd82 100644 .RE .PP \fBlog=\fR\fB\fIfile\fR\fR +Index: pam/modules/pam_exec/README +=================================================================== +--- pam.orig/modules/pam_exec/README ++++ pam/modules/pam_exec/README +@@ -24,7 +24,8 @@ + expose_authtok + + During authentication the calling command can read the password from stdin +- (3). ++ (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the ++ command. + + log=file + +Index: pam/modules/pam_unix/README +=================================================================== +--- pam.orig/modules/pam_unix/README ++++ pam/modules/pam_unix/README +@@ -34,6 +34,10 @@ + suppress this temporary shielding and may be needed for use with certain + applications. + ++The maximum length of a password supported by the pam_unix module via the ++helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the ++password provided by the conversation function to the module will be ignored. ++ + The password component of this module performs the task of updating the user's + password. The default encryption hash is taken from the ENCRYPT_METHOD variable + from /etc/login.defs |
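
Review bot: the README section appended to debian/patches-applied/007_modules_pam_unix is introduced with a "diff --git a/modules/pam_unix/README b/modules/pam_unix/README" header and an "index 26c06e23..a1289409" line, while the enclosing file is still in quilt style ("Index: pam.debian/modules/pam_unix/pam_unix.8") and the two CVE patches in this same commit are being converted away from "diff --git" headers. Regenerate this section in the same "Index:" form as the rest of the series. In its "@@ -12,9 +12,9 @@" and "@@ -100,7 +100,7 @@" hunks the -/+ pairs (for example "may offer advice to the user on changing their password or, through the") differ only in whitespace as shown, which buries the substantive additions: the "minlen" default of 6 and the description of the "obscure" checks. If that churn comes from regenerating the README, say so in the patch description; otherwise drop it.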
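
Review bot: in debian/patches-applied/cve-2010-4708.patch, the new modules/pam_env/README hunk "@@ -5,7 +5,7 @@" changes only whitespace on the "Supported is the use of previously set environment variables as well as" line and is unrelated to the CVE fix. The security-relevant documentation change is the single line in "@@ -50,7 +50,7 @@", "off, 1 is on. By default this option is off."; keep the README diff to that so the changed user_readenv default is easy to audit. The "Index:" paths in this file also move from "pam.debian/" to "pam/", while 007_modules_pam_unix in the same commit still uses "Index: pam.debian/modules/pam_unix/pam_unix.8"; settle on one prefix across debian/patches-applied.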
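
Review bot: the refresh of debian/patches-applied/cve-2015-3238.patch touches more than documentation, which the changelog entry does not mention. The hunk headers for the C sources change offset and lose their function-name context: "@@ -240,15 +240,22 @@ static int _unix_run_update_binary(" becomes "@@ -245,15 +245,22 @@" for pam_unix_passwd.c, "@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)" becomes "@@ -1086,12 +1086,15 @@" for passverify.c, and "@@ -609,7 +609,12 @@" becomes "@@ -632,7 +632,12 @@" for support.c. Add a debian/changelog line saying the patch was refreshed against the current tree so a later reader does not take the offset changes for a change to the fix itself. In the added modules/pam_exec/README text, "Only first PAM_MAX_RESP_SIZE bytes of a password" should read "Only the first"; if the README is generated from pam_exec.8.xml, correct the wording there.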