shadow: Update to 4.1.5.1

Fixes CVE-2005-4890 and CVE-2011-0721.

pkgs/os-specific/linux/shadow/default.nix

@@ -1,21 +1,25 @@
 { stdenv, fetchurl, pam ? null, glibcCross ? null }:
 
 let
-  glibc = if stdenv ? cross
-          then glibcCross
-          else assert stdenv ? glibc; stdenv.glibc;
+
+  glibc =
+    if stdenv ? cross
+    then glibcCross
+    else assert stdenv ? glibc; stdenv.glibc;
+
 in
+
 stdenv.mkDerivation rec {
-  name = "shadow-4.1.4.2";
+  name = "shadow-4.1.5.1";
 
   src = fetchurl {
     url = "http://pkg-shadow.alioth.debian.org/releases/${name}.tar.bz2";
-    sha256 = "1449ny7pdnwkavg92wvibapnkgdq5pas38nvl1m5xa37g5m7z64p";
+    sha256 = "1yvqx57vzih0jdy3grir8vfbkxp0cl0myql37bnmi2yn90vk6cma";
   };
 
   buildInputs = stdenv.lib.optional (pam != null && stdenv.isLinux) pam;
 
-  patches = [ ./no-sanitize-env.patch ./su-name.patch ./keep-path.patch ];
+  patches = [ ./keep-path.patch ];
 
   # Assume System V `setpgrp (void)', which is the default on GNU variants
   # (`AC_FUNC_SETPGRP' is not cross-compilation capable.)

pkgs/os-specific/linux/shadow/keep-path.patch

@@ -1,18 +1,15 @@
-Don't reset $PATH to /bin:/usr/bin.  This is consistent with `su' in
-coreutils and important on NixOS.
-
-diff -ru -x '*~' shadow-4.1.4.2-orig/src/su.c shadow-4.1.4.2/src/su.c
---- shadow-4.1.4.2-orig/src/su.c	2009-07-23 22:38:56.000000000 +0200
-+++ shadow-4.1.4.2/src/su.c	2010-06-04 13:23:11.000000000 +0200
-@@ -827,6 +827,7 @@
- 	(void) signal (SIGINT, SIG_DFL);
- 	(void) signal (SIGQUIT, SIG_DFL);
+diff -ru shadow-4.1.5.1-orig/src/su.c shadow-4.1.5.1/src/su.c
+--- shadow-4.1.5.1-orig/src/su.c	2012-05-25 07:51:55.000000000 -0400
++++ shadow-4.1.5.1/src/su.c	2012-07-25 17:22:57.013547930 -0400
+@@ -879,6 +879,7 @@
+ 		}
+ 	}
  
 +#if 0
- 	cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
+ 	cp = getdef_str ((pw->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
  	if (NULL == cp) {
- 		addenv ("PATH=/bin:/usr/bin", NULL);
-@@ -835,6 +836,7 @@
+ 		addenv ((pw->pw_uid == 0) ? "PATH=/sbin:/bin:/usr/sbin:/usr/bin" : "PATH=/bin:/usr/bin", NULL);
+@@ -887,6 +888,7 @@
  	} else {
  		addenv ("PATH", cp);
  	}

pkgs/os-specific/linux/shadow/no-sanitize-env.patch

@@ -1,16 +0,0 @@
-Don't remove environment variables such as PATH or SHELL.
-
-http://bugs.gentoo.org/show_bug.cgi?id=301957
-https://alioth.debian.org/scm/browser.php?group_id=30580
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -342,7 +342,7 @@
- #endif
- #endif				/* !USE_PAM */
- 
--	sanitize_env ();
-+	/* sanitize_env (); */
- 
- 	(void) setlocale (LC_ALL, "");
- 	(void) bindtextdomain (PACKAGE, LOCALEDIR);

pkgs/os-specific/linux/shadow/su-name.patch

@@ -1,20 +0,0 @@
-When su is invoked with command line arguments for the shell (e.g. "su
-- -c 'cmd'"), set argv[0] in the shell to "-su" or "-<basename>" (as
-determined by the SU_NAME option in /etc/login.defs).  This is
-necessary to make Bash compiled with the NON_INTERACTIVE_LOGIN_SHELLS
-option to read startup files.  It is also consistent with the
-behaviour of `su' in coreutils, and with the case where there are no
-arguments ("su -").
-
-diff -ru -x '*~' shadow-4.1.4.2-orig/src/su.c shadow-4.1.4.2/src/su.c
---- shadow-4.1.4.2-orig/src/su.c	2009-07-23 22:38:56.000000000 +0200
-+++ shadow-4.1.4.2/src/su.c	2010-06-04 13:02:24.000000000 +0200
-@@ -983,7 +983,7 @@
- 		 * Use the shell and create an argv
- 		 * with the rest of the command line included.
- 		 */
--		argv[-1] = shellstr;
-+		argv[-1] = cp;
- #ifndef USE_PAM
- 		execve_shell (shellstr, &argv[-1], environ);
- 		err = errno;