author | Thorsten Kukuk <kukuk@thkukuk.de> | 2011-10-25 14:24:50 +0200 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2011-10-25 14:24:50 +0200 |
commit | fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (patch) | |
tree | 3c0cad2f3bf8c592b5f2d4a9f9f25da0a807b062 | |
parent | 109823cb621c900c07c4b6cdc99070d354d19444 (diff) | |
2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>
* release version 1.1.5
* configure.in: Bump version number.
* modules/pam_tally2/pam_tally2.8.xml: Remove never used option
"no_lock_time".
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2.8.xml | 12 | ||||
-rw-r--r-- | modules/pam_xauth/pam_xauth.c | 45 |
5 files changed, 43 insertions, 31 deletions
@@ -1,3 +1,12 @@
+2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.5
+
+ * configure.in: Bump version number.
+
+ * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
+ "no_lock_time".
+
 2011-10-14 Kees Cook <kees@debian.org>
 * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
@@ -1,5 +1,11 @@
 Linux-PAM NEWS -- history of user-visible changes.
+Release 1.1.5
+* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
+* pam_access: Add hostname resolution cache
+* Documentation: Improvements/fixes
+
+
 Release 1.1.4
 * Add vietnamese translation
diff --git a/configure.in b/configure.in
index 7940a94e..5058155f 100644
--- a/configure.in
+++ b/configure.in
@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_INIT
 AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
-AM_INIT_AUTOMAKE("Linux-PAM", 1.1.4)
+AM_INIT_AUTOMAKE("Linux-PAM", 1.1.5)
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
index 4ad529fd..5fecea24 100644
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -238,17 +238,6 @@
 </varlistentry>
 <varlistentry>
 <term>
- <option>no_lock_time</option>
- </term>
- <listitem>
- <para>
- Do not use the .fail_locktime field in
- <filename>/var/log/faillog</filename> for this user.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
 <option>even_deny_root</option>
 </term>
 <listitem>
@@ -446,4 +435,3 @@ session optional pam_mail.so standard
 </refsect1>
 </refentry>
-
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a64ae89f..88624b1c 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 goto cleanup;
 }
- /* Check that both users are amenable to this. By default, this
- * boils down to this policy:
- * export(ruser=root): only if <user> is listed in .xauth/export
- * export(ruser=*) if <user> is listed in .xauth/export, or
- * if .xauth/export does not exist
- * import(user=*): if <ruser> is listed in .xauth/import, or
- * if .xauth/import does not exist */
- i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
- i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
- if (i != PAM_SUCCESS) {
- retval = PAM_SESSION_ERR;
- goto cleanup;
- }
- i = PAM_SUCCESS;
- i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
- if (i != PAM_SUCCESS) {
- retval = PAM_SESSION_ERR;
- goto cleanup;
+
+ /* If current user and the target user are the same, don't
+ check the ACL list, but forward X11 */
+ if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) {
+
+ /* Check that both users are amenable to this. By default, this
+ * boils down to this policy:
+ * export(ruser=root): only if <user> is listed in .xauth/export
+ * export(ruser=*) if <user> is listed in .xauth/export, or
+ * if .xauth/export does not exist
+ * import(user=*): if <ruser> is listed in .xauth/import, or
+ * if .xauth/import does not exist */
+ i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
+ i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
+ if (i != PAM_SUCCESS) {
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+ i = PAM_SUCCESS;
+ i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
+ if (i != PAM_SUCCESS) {
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+ } else {
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11");
 }
 /* Figure out where the source user's .Xauthority file is. */ |
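Review bot: The new same-user branch skips both `check_acl` calls, so when `rpwd->pw_name` equals `tpwd->pw_name` the user's own `.xauth/export` and `.xauth/import` files are never consulted, yet the policy comment kept inside the `if` still reads as the complete default policy and the commit's ChangeLog and NEWS entries do not mention pam_xauth at all. I would record the exception where the policy is listed, e.g. add `* same user (ruser == user): ACL files are not consulted, cookies are forwarded` to that comment, and add a ChangeLog line for `modules/pam_xauth/pam_xauth.c (pam_sm_open_session)`. The test compares account names rather than uids, which is the narrower of the two (two names sharing a uid still go through the ACLs); if that is intended it is worth stating in the comment. The unbraced `if (debug)` in the `else` arm would be safer braced, matching the other conditionals in the hunk. pam_sm_open_session starts and ends outside the hunk.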