Move all to deprecated folder.

deprecated/firmware/buildroot/package/linux-pam/0001-configure.patch

@@ -0,0 +1,19 @@
+Add check for ruserok
+
+ruserok is not available/functional in uclibc, provide conditions for compilation
+where needed.
+
+Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+
+diff -urN a/configure.in b/configure.in
+--- a/configure.in	2012-08-17 03:48:24.000000000 -0500
++++ b/configure.in	2013-07-17 09:49:23.760254684 -0500
+@@ -526,7 +526,7 @@
+ AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+ AC_CHECK_FUNCS(getgrouplist getline getdelim)
+-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
+ 
+ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+ AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])

deprecated/firmware/buildroot/package/linux-pam/0002-doc-makefile-am.patch

@@ -0,0 +1,31 @@
+Disable generation of documentation
+
+Generation of documentation is not necessary in Buildroot, disable it completely.
+
+Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+
+diff -urN a/doc/Makefile.am b/doc/Makefile.am
+--- a/doc/Makefile.am	2012-08-15 06:08:43.000000000 -0500
++++ b/doc/Makefile.am	2013-07-17 09:54:53.000000000 -0500
+@@ -2,8 +2,6 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
+-
+ CLEANFILES = *~
+ 
+ dist_html_DATA = index.html
+@@ -11,11 +9,4 @@
+ #######################################################
+ 
+ releasedocs: all
+-	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs
+-	cp -av specs/draft-morgan-pam-current.txt \
+-		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
+-	cp -av $(srcdir)/specs/rfc86.0.txt \
+-		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
+-	make -C sag releasedocs
+-	make -C adg releasedocs
+-	make -C mwg releasedocs
++	/bin/true

deprecated/firmware/buildroot/package/linux-pam/0003-group.patch

@@ -0,0 +1,26 @@
+Conditionally compile per innetgr availability
+
+innetgr is not available/functional in uclibc, provide conditions for compilation.
+
+Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+
+Index: linux-pam-1.1.4/modules/pam_group/pam_group.c
+============================================================================
+--- linux-pam-1.1.4/modules/pam_group/pam_group.c	2011-06-21 05:04:56.000000000 -0400
++++ linux-pam-1.1.4/modules/pam_group/pam_group.c	2012-08-09 21:35:06.000000000 -0400
+@@ -655,8 +655,14 @@
+ 	    continue;
+ 	}
+ 	/* If buffer starts with @, we are using netgroups */
+-	if (buffer[0] == '@')
++	if (buffer[0] == '@') {
++#ifdef HAVE_INNETGR
+ 	  good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++	  good = 0;
++	  pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
++#endif  /* HAVE_INNETGR */
++	}
+ 	/* otherwise, if the buffer starts with %, it's a UNIX group */
+ 	else if (buffer[0] == '%')
+           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);

deprecated/firmware/buildroot/package/linux-pam/0004-mkdir.patch

@@ -0,0 +1,17 @@
+$(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead.
+Upstream should really gettextize with a newer version before packing up.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in
+--- Linux-PAM-1.1.7.orig/po/Makefile.in.in	2013-09-11 20:45:16.610770002 -0300
++++ Linux-PAM-1.1.7/po/Makefile.in.in	2013-09-11 20:45:28.030145316 -0300
+@@ -31,7 +31,7 @@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ mkinstalldirs = $(SHELL) @install_sh@ -d
+-mkdir_p = @mkdir_p@
++mkdir_p = @MKDIR_P@
+ 
+ GMSGFMT_ = @GMSGFMT@
+ GMSGFMT_no = @GMSGFMT@

deprecated/firmware/buildroot/package/linux-pam/0005-succeed.patch

@@ -0,0 +1,31 @@
+Conditionally compile per innetgr availability
+
+innetgr is not available/functional in uclibc, provide conditions for compilation.
+
+Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+
+Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c
+============================================================================
+--- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c	2011-06-21 05:04:56.000000000 -0400
++++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c	2012-08-09 21:05:02.000000000 -0400
+@@ -233,16 +233,20 @@
+ static int
+ evaluate_innetgr(const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ 	if (innetgr(group, host, user, NULL) == 1)
+ 		return PAM_SUCCESS;
++#endif /* HAVE_INNETGR */
+ 	return PAM_AUTH_ERR;
+ }
+ /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+ static int
+ evaluate_notinnetgr(const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ 	if (innetgr(group, host, user, NULL) == 0)
+ 		return PAM_SUCCESS;
++#endif /* HAVE_INNETGR */
+ 	return PAM_AUTH_ERR;
+ }
+ 

deprecated/firmware/buildroot/package/linux-pam/0006-time.patch

@@ -0,0 +1,26 @@
+Conditionally compile per innetgr availability
+
+innetgr is not available/functional in uclibc, provide conditions for compilation.
+
+Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+
+Index: linux-pam-1.1.4/modules/pam_time/pam_time.c
+============================================================================
+--- linux-pam-1.1.4/modules/pam_time/pam_time.c	2011-06-21 05:04:56.000000000 -0400
++++ linux-pam-1.1.4/modules/pam_time/pam_time.c	2012-08-09 21:02:29.000000000 -0400
+@@ -554,8 +554,14 @@
+ 	       continue;
+ 	  }
+ 	  /* If buffer starts with @, we are using netgroups */
+-	  if (buffer[0] == '@')
++	  if (buffer[0] == '@') {
++#ifdef HAVE_INNETGR
+ 	    good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++	    good = 0;
++	    pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
++#endif /* HAVE_INNETGR */
++	  }
+ 	  else
+ 	    good &= logic_field(pamh, user, buffer, count, is_same);
+ 	  D(("with user: %s", good ? "passes":"fails" ));

deprecated/firmware/buildroot/package/linux-pam/0007-rhosts.patch

@@ -0,0 +1,24 @@
+Conditionally compile per ruserok availability
+
+ruserok is not available/functional in uclibc, provide conditions for compilation.
+
+Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
+
+Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c
+============================================================================
+--- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c	2011-06-21 05:04:56.000000000 -0400
++++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c	2012-08-09 21:19:34.000000000 -0400
+@@ -114,8 +114,12 @@
+ #ifdef HAVE_RUSEROK_AF
+     retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
+ #else
++  #ifdef HAVE_RUSEROK
+     retval = ruserok (rhost, as_root, ruser, luser);
+-#endif
++  #else
++    retval = -1;
++  #endif  /* HAVE_RUSEROK */
++#endif  /*HAVE_RUSEROK_AF */
+     if (retval != 0) {
+       if (!opt_silent || opt_debug)
+ 	pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",

deprecated/firmware/buildroot/package/linux-pam/0008-fix-CVE-2014-2583.patch

@@ -0,0 +1,53 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 5193733..b3f08b1 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ 		tty = strrchr(tty, '/') + 1;
+ 	}
+ 	/* Make sure the tty wasn't actually a directory (no basename). */
+-	if (strlen(tty) == 0) {
++	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ 		return NULL;
+ 	}
+ 	return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ 		if (pwd != NULL) {
+ 			ruser = pwd->pw_name;
+ 		}
++	} else {
++		/*
++		 * This ruser is used by format_timestamp_name as a component
++		 * of constructed timestamp pathname, so ".", "..", and '/'
++		 * are disallowed to avoid potential path traversal issues.
++		 */
++		if (!strcmp(ruser, ".") ||
++		    !strcmp(ruser, "..") ||
++		    strchr(ruser, '/')) {
++			ruser = NULL;
++		}
+ 	}
+ 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ 		*ruserbuf = '\0';
+-- 
+cgit v0.10.2
+

deprecated/firmware/buildroot/package/linux-pam/0009-fix-CVE-2013-7041.patch

@@ -0,0 +1,50 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+index de8b5b1..ff040e6 100644
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ 	  } else {
+ 	    cryptpw = crypt (pass, data.dptr);
+ 
+-	    if (cryptpw) {
+-	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++	      compare = memcmp(data.dptr, cryptpw, data.dsize);
+ 	    } else {
+ 	      compare = -2;
+ 	      if (ctrl & PAM_DEBUG_ARG) {
+-		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++		if (cryptpw)
++		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++		else
++		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ 	      }
+ 	    };
+ 
+-- 
+cgit v0.10.2
+

deprecated/firmware/buildroot/package/linux-pam/Config.in

@@ -0,0 +1,21 @@
+config BR2_PACKAGE_LINUX_PAM
+	bool "linux-pam"
+	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT_IF_LOCALE
+	select BR2_PACKAGE_FLEX
+	depends on (BR2_ENABLE_LOCALE && BR2_USE_WCHAR)
+	# While linux-pam does have some support for statically linked
+	# modules (through --enable-static-modules), it doesn't work
+	# properly due to a build cycle between libpam and
+	# modules. See
+	# https://lists.fedorahosted.org/pipermail/linux-pam-commits/2012-February/000105.html
+	# for details.
+	depends on !BR2_STATIC_LIBS
+	depends on !BR2_TOOLCHAIN_USES_MUSL # linux-pam
+	help
+	  A Security Framework that Provides Authentication for Applications
+
+	  http://linux-pam.org
+
+comment "linux-pam needs a uClibc or (e)glibc toolchain w/ wchar, locale, dynamic library"
+	depends on !(BR2_ENABLE_LOCALE && BR2_USE_WCHAR) \
+		|| BR2_STATIC_LIBS || BR2_TOOLCHAIN_USES_MUSL

deprecated/firmware/buildroot/package/linux-pam/linux-pam.hash

@@ -0,0 +1,2 @@
+# Locally computed hashes, not provided by upstream
+sha256	c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55	Linux-PAM-1.1.8.tar.bz2

deprecated/firmware/buildroot/package/linux-pam/linux-pam.mk

@@ -0,0 +1,37 @@
+################################################################################
+#
+# linux-pam
+#
+################################################################################
+
+LINUX_PAM_VERSION = 1.1.8
+LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
+LINUX_PAM_SITE = http://linux-pam.org/library
+LINUX_PAM_INSTALL_STAGING = YES
+LINUX_PAM_CONF_OPTS = \
+	--disable-prelude \
+	--disable-isadir \
+	--disable-nis \
+	--disable-db \
+	--disable-regenerate-docu \
+	--enable-securedir=/lib/security \
+	--libdir=/lib
+LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf
+LINUX_PAM_AUTORECONF = YES
+LINUX_PAM_LICENSE = BSD-3c
+LINUX_PAM_LICENSE_FILES = Copyright
+
+ifeq ($(BR2_NEEDS_GETTEXT_IF_LOCALE),y)
+LINUX_PAM_DEPENDENCIES += gettext
+LINUX_PAM_MAKE_OPTS += LIBS=-lintl
+endif
+
+# Install default pam config (deny everything)
+define LINUX_PAM_INSTALL_CONFIG
+	$(INSTALL) -m 0644 -D package/linux-pam/other.pam \
+		$(TARGET_DIR)/etc/pam.d/other
+endef
+
+LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
+
+$(eval $(autotools-package))

deprecated/firmware/buildroot/package/linux-pam/other.pam

@@ -0,0 +1,7 @@
+auth		required	pam_deny.so
+
+account		required	pam_deny.so
+
+password	required	pam_deny.so
+
+session		required	pam_deny.so