libpam: Upgrade v1.1.6 -> v1.2.1

Dropped upstreamed patches(commit-id):
- add-checks-for-crypt-returning-NULL.patch(8dc056c)
- destdirfix.patch(d7e6b92)
- libpam-fix-for-CVE-2010-4708.patch(4c430f6)

Dropped backported patches(commit-id):
- pam_timestamp-fix-potential-directory-traversal-issu.patch(9dcead8)
- reflect-the-enforce_for_root-semantics-change-in-pam.patch(bd07ad3)

Forward ported patches:
- pam-unix-nullok-secure.patch
- crypt_configure.patch

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

8 files changed, 127 insertions, 339 deletions

diff --git a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch b/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
deleted file mode 100644
index d364cea97e..0000000000
--- a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-Backport from linux-pam git repo.
-
-[YOCTO #4107]
-
-Upstream-Status: Backport
-
-Signed-off-by: Kang Kai <kai.kang@windriver.com>
-
-From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Fri, 8 Feb 2013 15:04:26 +0100
-Subject: [PATCH] Add checks for crypt() returning NULL.
-
-modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
-modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
----
- modules/pam_pwhistory/opasswd.c |    2 +-
- modules/pam_unix/bigcrypt.c     |    9 +++++++++
- 2 files changed, 10 insertions(+), 1 deletions(-)
-
-diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
-index 274fdb9..836d713 100644
---- a/modules/pam_pwhistory/opasswd.c
-+++ b/modules/pam_pwhistory/opasswd.c
-@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
-   outval = crypt (newpass, oldpass);
- #endif
- 
--  return strcmp(outval, oldpass) == 0;
-+  return outval != NULL && strcmp(outval, oldpass) == 0;
- }
- 
- /* Check, if the new password is already in the opasswd file.  */
-diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
-index e10d1c5..e1d57a0 100644
---- a/modules/pam_unix/bigcrypt.c
-+++ b/modules/pam_unix/bigcrypt.c
-@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
- #else
- 	tmp_ptr = crypt(plaintext_ptr, salt);	/* libc crypt() */
- #endif
-+	if (tmp_ptr == NULL) {
-+		free(dec_c2_cryptbuf);
-+		return NULL;
-+	}
- 	/* and place in the static area */
- 	strncpy(cipher_ptr, tmp_ptr, 13);
- 	cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
-@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
- #else
- 			tmp_ptr = crypt(plaintext_ptr, salt_ptr);
- #endif
-+			if (tmp_ptr == NULL) {
-+				_pam_overwrite(dec_c2_cryptbuf);
-+				free(dec_c2_cryptbuf);
-+				return NULL;
-+			}
- 
- 			/* skip the salt for seg!=0 */
- 			strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
--- 
-1.7.5.4
-
diff --git a/meta/recipes-extended/pam/libpam/crypt_configure.patch b/meta/recipes-extended/pam/libpam/crypt_configure.patch
index efa82fb9b9..bec82a5f10 100644
--- a/meta/recipes-extended/pam/libpam/crypt_configure.patch
+++ b/meta/recipes-extended/pam/libpam/crypt_configure.patch
@@ -16,8 +16,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
 Index: Linux-PAM-1.1.6/configure.in
 ===================================================================
---- Linux-PAM-1.1.6.org/configure.in
-+++ Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6.org/configure.ac
++++ Linux-PAM-1.1.6/configure.ac
 @@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
    [crypt_libs="crypt"])
  
diff --git a/meta/recipes-extended/pam/libpam/destdirfix.patch b/meta/recipes-extended/pam/libpam/destdirfix.patch
deleted file mode 100644
index 52145ecb34..0000000000
--- a/meta/recipes-extended/pam/libpam/destdirfix.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Avoid the failure:
-
-| mkdir -p /etc/security/namespace.d
-| mkdir: cannot create directory `/etc/security/namespace.d': Permission denied
-
-if /etc/security/namespace.d doesn't exist. The DESTDIR prefix is missing.
-
-RP 2012/8/19
-
-Upstream-Status: Pending
-
-Index: Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
-===================================================================
---- Linux-PAM-1.1.6.orig/modules/pam_namespace/Makefile.am	2012-08-15 11:08:43.000000000 +0000
-+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am	2012-08-19 12:25:32.311038943 +0000
-@@ -40,7 +40,7 @@
-   secureconf_SCRIPTS = namespace.init
- 
- install-data-local:
--	mkdir -p $(namespaceddir)
-+	mkdir -p $(DESTDIR)$(namespaceddir)
- endif
- 
- 
diff --git a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch b/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
deleted file mode 100644
index 5d2b69aae0..0000000000
--- a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Upstream-Status: Backport
-
-Fix for CVE-2010-4708
-
-Change default for user_readenv to 0 and document the 
-new default for user_readenv.
-
-This fix is got from:
-http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
-/pam_env.c?r1=1.22&r2=1.23&view=patch
-http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
-/pam_env.8.xml?r1=1.7&r2=1.8&view=patch
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
----
---- a/modules/pam_env/pam_env.c	2012-09-05 13:57:47.000000000 +0800
-+++ b/modules/pam_env/pam_env.c	2012-09-05 13:58:05.000000000 +0800
-@@ -10,7 +10,7 @@
- #define DEFAULT_READ_ENVFILE    1
- 
- #define DEFAULT_USER_ENVFILE    ".pam_environment"
--#define DEFAULT_USER_READ_ENVFILE 1
-+#define DEFAULT_USER_READ_ENVFILE 0
- 
- #include "config.h"
- 
---- a/modules/pam_env/pam_env.8.xml	2012-09-05 13:58:24.000000000 +0800
-+++ b/modules/pam_env/pam_env.8.xml	2012-09-05 13:59:36.000000000 +0800
-@@ -147,7 +147,10 @@
-         <listitem>
-           <para>
-             Turns on or off the reading of the user specific environment
--            file. 0 is off, 1 is on. By default this option is on.
-+            file. 0 is off, 1 is on. By default this option is off as user
-+            supplied environment variables in the PAM environment could affect
-+            behavior of subsequent modules in the stack without the consent
-+            of the system administrator.
-           </para>
-         </listitem>
-       </varlistentry>
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
index b285e96c27..423267f707 100644
--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,6 +1,9 @@
-Debian patch to add a new 'nullok_secure' option to pam_unix, which
-accepts users with null passwords only when the applicant is connected
-from a tty listed in /etc/securetty.
+From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
+From: Amarnath Valluri <amarnath.valluri@intel.com>
+Date: Wed, 15 Jul 2015 13:07:20 +0300
+Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
+ which accepts users with null passwords only when the applicant is connected
+ from a tty listed in /etc/securetty.
 
 Authors: Sam Hartman <hartmans@debian.org>,
          Steve Langasek <vorlon@debian.org>
@@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>,
 Upstream-Status: Pending
 
 Signed-off-by: Ming Liu <ming.liu@windriver.com>
-===================================================================
-diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
---- a/modules/pam_unix/Makefile.am	2013-07-05 09:51:31.014483164 +0800
-+++ b/modules/pam_unix/Makefile.am	2013-07-05 10:26:12.884484000 +0800
+
+v2:
+	- Forward ported from v1.1.6 to v1.2.1
+
+Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
+---
+ modules/pam_unix/Makefile.am    |  3 ++-
+ modules/pam_unix/README         | 11 ++++++++++-
+ modules/pam_unix/pam_unix.8     |  9 ++++++++-
+ modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
+ modules/pam_unix/support.c      | 40 +++++++++++++++++++++++++++++++++++-----
+ modules/pam_unix/support.h      |  8 ++++++--
+ 6 files changed, 79 insertions(+), 11 deletions(-)
+
+diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+index 56ed591..9a372ac 100644
+--- a/modules/pam_unix/Makefile.am
++++ b/modules/pam_unix/Makefile.am
 @@ -30,7 +30,8 @@ if HAVE_VERSIONING
    pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
  endif
@@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
  
  securelib_LTLIBRARIES = pam_unix.la
  
-diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
---- a/modules/pam_unix/pam_unix.8	2013-07-05 09:52:16.825108201 +0800
-+++ b/modules/pam_unix/pam_unix.8	2013-07-05 10:28:34.724483774 +0800
-@@ -220,7 +220,14 @@ A little more extreme than debug\&.
+diff --git a/modules/pam_unix/README b/modules/pam_unix/README
+index 3935dba..7880d91 100644
+--- a/modules/pam_unix/README
++++ b/modules/pam_unix/README
+@@ -67,7 +67,16 @@ nullok
+ 
+     The default action of this module is to not permit the user access to a
+     service if their official password is blank. The nullok argument overrides
+-    this default.
++    this default and allows any user with a blank password to access the
++    service.
++
++nullok_secure
++
++    The default action of this module is to not permit the user access to a
++    service if their official password is blank. The nullok_secure argument
++    overrides this default and allows any user with a blank password to access
++    the service as long as the value of PAM_TTY is set to one of the values
++    found in /etc/securetty.
+ 
+ try_first_pass
+ 
+diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+index 339178b..a4bd906 100644
+--- a/modules/pam_unix/pam_unix.8
++++ b/modules/pam_unix/pam_unix.8
+@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
  .RS 4
  The default action of this module is to not permit the user access to a service if their official password is blank\&. The
  \fBnullok\fR
@@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
  .RE
  .PP
  \fBtry_first_pass\fR
-diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
---- a/modules/pam_unix/pam_unix.8.xml	2013-07-05 09:52:38.775108523 +0800
-+++ b/modules/pam_unix/pam_unix.8.xml	2013-07-05 10:30:23.084483630 +0800
-@@ -135,7 +135,24 @@
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+index a8b64bb..1ced6f4 100644
+--- a/modules/pam_unix/pam_unix.8.xml
++++ b/modules/pam_unix/pam_unix.8.xml
+@@ -159,7 +159,24 @@
            <para>
              The default action of this module is to not permit the
              user access to a service if their official password is blank.
@@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
            </para>
          </listitem>
        </varlistentry>
-diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README
---- a/modules/pam_unix/README	2013-07-05 09:51:52.205107846 +0800
-+++ b/modules/pam_unix/README	2013-07-05 10:27:10.774484537 +0800
-@@ -57,7 +57,16 @@ nullok
- 
-     The default action of this module is to not permit the user access to a
-     service if their official password is blank. The nullok argument overrides
--    this default.
-+    this default and allows any user with a blank password to access the
-+    service.
-+
-+nullok_secure
-+
-+    The default action of this module is to not permit the user access to a
-+    service if their official password is blank. The nullok_secure argument
-+    overrides this default and allows any user with a blank password to access
-+    the service as long as the value of PAM_TTY is set to one of the values
-+    found in /etc/securetty.
- 
- try_first_pass
- 
-diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
---- a/modules/pam_unix/support.c	2013-07-05 09:50:49.134482523 +0800
-+++ b/modules/pam_unix/support.c	2013-07-05 09:56:26.924484267 +0800
-@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index abccd82..2361957 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
  	/* now parse the arguments to this module */
  
  	for (; argc-- > 0; ++argv) {
--		int j;
-+		int j, sl;
++		int sl;
  
  		D(("pam_unix arg: %s", *argv));
  
@@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
 -			    && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
 -				break;
 +			if (unix_args[j].token) {
-+			    sl = strlen(unix_args[j].token);
-+			    if (unix_args[j].token[sl-1] == '=') {
-+				/* exclude argument from comparison */
-+				if (!strncmp(*argv, unix_args[j].token, sl))
-+				    break;
-+			    } else {
++				sl = strlen(unix_args[j].token);
++				if (unix_args[j].token[sl-1] == '=') {
++					/* exclude argument from comparison */
++					if (!strncmp(*argv, unix_args[j].token, sl))
++						break;
++				} else {
 +				/* compare full strings */
-+				if (!strcmp(*argv, unix_args[j].token))
-+				    break;
-+			    }
++					if (!strcmp(*argv, unix_args[j].token))
++						break;
++				}
  			}
  		}
  
-@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h
-     child = fork();
+@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
      if (child == 0) {
-         int i=0;
-+        int nullok = off(UNIX__NONULL, ctrl);
-         struct rlimit rlim;
  	static char *envp[] = { NULL };
- 	char *args[] = { NULL, NULL, NULL, NULL };
-@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h
+ 	const char *args[] = { NULL, NULL, NULL, NULL };
++	int nullok = off(UNIX__NONULL, ctrl);
+ 
+ 	/* XXX - should really tidy up PAM here too */
+ 
+@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
  	/* exec binary helper */
- 	args[0] = strdup(CHKPWD_HELPER);
- 	args[1] = x_strdup(user);
+ 	args[0] = CHKPWD_HELPER;
+ 	args[1] = user;
 -	if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
-+
 +	if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+	    const void *uttyname;
-+	    retval = pam_get_item(pamh, PAM_TTY, &uttyname);
-+	    if (retval != PAM_SUCCESS || uttyname == NULL
-+	        || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
-+	    {
-+	        nullok = 0;
-+	    }
++		const void *uttyname;
++		retval = pam_get_item(pamh, PAM_TTY, &uttyname);
++		if (retval != PAM_SUCCESS || uttyname == NULL
++			|| _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
++			nullok = 0;
++		}
 +	}
 +
 +	if (nullok) {
- 	  args[2]=strdup("nullok");
+ 	  args[2]="nullok";
  	} else {
- 	  args[2]=strdup("nonull");
-@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+ 	  args[2]="nonull";
+@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
  	if (on(UNIX__NONULL, ctrl))
  		return 0;	/* will fail but don't let on yet */
  
@@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
  	/* UNIX passwords area */
  
  	retval = get_pwd_hash(pamh, name, &pwd, &salt);
-@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t *
+@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
  			}
  		}
  	} else {
 -		retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
-+		retval = verify_pwd_hash(p, salt,
-+		                         _unix_blankpasswd(pamh, ctrl, name));
++		retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
  	}
  
  	if (retval == PAM_SUCCESS) {
-diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h
---- a/modules/pam_unix/support.h	2013-07-05 09:51:10.385107934 +0800
-+++ b/modules/pam_unix/support.h	2013-07-05 10:23:54.815107842 +0800
-@@ -90,8 +90,9 @@ typedef struct {
- 					   password hash algorithms */
- #define UNIX_BLOWFISH_PASS       26	/* new password hashes will use blowfish */
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 3729ce0..43cdbea 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -99,8 +99,9 @@ typedef struct {
  #define UNIX_MIN_PASS_LEN        27	/* min length for password */
-+#define UNIX_NULLOK_SECURE       28	/* NULL passwords allowed only on secure ttys */
+ #define UNIX_QUIET		 28	/* Don't print informational messages */
+ #define UNIX_DES                 29     /* DES, default */
++#define UNIX_NULLOK_SECURE       30     /* NULL passwords allowed only on secure ttys */
  /* -------------- */
--#define UNIX_CTRLS_              28	/* number of ctrl arguments defined */
-+#define UNIX_CTRLS_              29	/* number of ctrl arguments defined */
+-#define UNIX_CTRLS_              30	/* number of ctrl arguments defined */
++#define UNIX_CTRLS_              31	/* number of ctrl arguments defined */
  
  #define UNIX_DES_CRYPT(ctrl)	(off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
  
-@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
- /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100},
- /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200},
- /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400},
--/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000},
-+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(0x10000000),  0x200},
- /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000},
- /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000},
- /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000},
-@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C
- /* UNIX_SHA512_PASS */     {"sha512",       _ALL_ON_^(0260420000), 040000000},
- /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000},
- /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000},
--/* UNIX_MIN_PASS_LEN */    {"minlen=",		_ALL_ON_,          0400000000},
-+/* UNIX_MIN_PASS_LEN */    {"minlen=",	        _ALL_ON_,          0400000000},
-+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),  0x10000000},
+@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100, 0},
+ /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200, 0},
+ /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400, 0},
+-/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000, 0},
++/* UNIX__NONULL */         {NULL,              _ALL_ON_^(0x10000000),   0200, 0},
+ /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000, 0},
+ /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000, 0},
+ /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000, 0},
+@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ /* UNIX_MIN_PASS_LEN */    {"minlen=",		_ALL_ON_,         0400000000, 0},
+ /* UNIX_QUIET */           {"quiet",           _ALL_ON_,         01000000000, 0},
+ /* UNIX_DES */             {"des",             _ALL_ON_^(0260420000),      0, 1},
++/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),  0x10000000, 0},
  };
  
  #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
-@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl
+@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
+ 			,const char *prompt2
  			,const char *data_name
  			,const void **pass);
- 
 +extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+				  const char *uttyname);
-+
++         const char *uttyname);
+ 
  extern int _unix_run_verify_binary(pam_handle_t *pamh,
  			unsigned int ctrl, const char *user, int *daysleft);
- #endif /* _PAM_UNIX_SUPPORT_H */
+-- 
+2.1.4
+
diff --git a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
deleted file mode 100644
index 06cca13abe..0000000000
--- a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
- (ticket #27)
-
-commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream
-
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-
-Fixes CVE-2014-2583.
-
-Reported-by: Sebastian Krahmer <krahmer@suse.de>
-
-Upstream-Status: Backport
-
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- modules/pam_timestamp/pam_timestamp.c |   13 ++++++++++++-
- 1 files changed, 12 insertions(+), 1 deletions(-)
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
---- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- 		tty = strrchr(tty, '/') + 1;
- 	}
- 	/* Make sure the tty wasn't actually a directory (no basename). */
--	if (strlen(tty) == 0) {
-+	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- 		return NULL;
- 	}
- 	return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- 		if (pwd != NULL) {
- 			ruser = pwd->pw_name;
- 		}
-+	} else {
-+		/*
-+		 * This ruser is used by format_timestamp_name as a component
-+		 * of constructed timestamp pathname, so ".", "..", and '/'
-+		 * are disallowed to avoid potential path traversal issues.
-+		 */
-+		if (!strcmp(ruser, ".") ||
-+		    !strcmp(ruser, "..") ||
-+		    strchr(ruser, '/')) {
-+			ruser = NULL;
-+		}
- 	}
- 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- 		*ruserbuf = '\0';
--- 
-1.7.5.4
-
diff --git a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch b/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch
deleted file mode 100644
index c13535ecc2..0000000000
--- a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Backport from linux-pam git repo.
-
-[YOCTO #4107]
-
-Upstream-Status: Backport
-
-Signed-off-by: Kang Kai <kai.kang@windriver.com>
-
-From bd07ad3adc626f842a4391d256541883426fd389 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Tue, 13 Nov 2012 09:19:05 +0100
-Subject: [PATCH] Reflect the enforce_for_root semantics change in
- pam_pwhistory xtest.
-
-xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
-running with real uid == 0.
----
- xtests/tst-pam_pwhistory1.pamd | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd
-index 68e1b94..d60db7c 100644
---- a/xtests/tst-pam_pwhistory1.pamd
-+++ b/xtests/tst-pam_pwhistory1.pamd
-@@ -1,6 +1,6 @@
- #%PAM-1.0
- auth     required       pam_permit.so
- account  required       pam_permit.so
--password required	pam_pwhistory.so remember=10 retry=1
-+password required	pam_pwhistory.so remember=10 retry=1 enforce_for_root
- password required	pam_unix.so	use_authtok md5
- session  required       pam_permit.so
--- 
-1.7.11.7
-
diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.2.1.bb
index d347bdc43b..ac3097ef7c 100644
--- a/meta/recipes-extended/pam/libpam_1.1.6.bb
+++ b/meta/recipes-extended/pam/libpam_1.2.1.bb
@@ -18,19 +18,15 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \
            file://pam.d/common-session-noninteractive \
            file://pam.d/other \
            file://libpam-xtests.patch \
-           file://destdirfix.patch \
            file://fixsepbuild.patch \
-           file://reflect-the-enforce_for_root-semantics-change-in-pam.patch \
-           file://add-checks-for-crypt-returning-NULL.patch \
-           file://libpam-fix-for-CVE-2010-4708.patch \
            file://pam-security-abstract-securetty-handling.patch \
            file://pam-unix-nullok-secure.patch \
-           file://pam_timestamp-fix-potential-directory-traversal-issu.patch \
            file://libpam-xtests-remove-bash-dependency.patch \
            file://crypt_configure.patch \
           "
-SRC_URI[md5sum] = "7b73e58b7ce79ffa321d408de06db2c4"
-SRC_URI[sha256sum] = "bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2"
+
+SRC_URI[md5sum] = "9dc53067556d2dd567808fd509519dd6"
+SRC_URI[sha256sum] = "342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9"
 
 SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch"
 SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch"