2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>

        * release version 1.1.5

        * configure.in: Bump version number.

        * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
        "no_lock_time".

diff --git a/ChangeLog b/ChangeLog
index 107f765135fe4341aac4106ad7f6f9599c108e82..d7d808b0f11e450708356a8448aac92df51bab88 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-10-25  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+       * release version 1.1.5
+
+       * configure.in: Bump version number.
+
+       * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
+       "no_lock_time".
+
 2011-10-14  Kees Cook <kees@debian.org>
 
        * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an

diff --git a/NEWS b/NEWS
index a80a2ab96aecfb4b81b6eb39cffbb01bd43f4442..81f961f1f15b285f473d7f00bbfcd5aaf31d76e0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
 Linux-PAM NEWS -- history of user-visible changes.
 
+Release 1.1.5
+* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
+* pam_access: Add hostname resolution cache
+* Documentation: Improvements/fixes 
+
+
 Release 1.1.4
 
 * Add vietnamese translation

diff --git a/configure.in b/configure.in
index 7940a94e1d564f519b88e083956978ac133ea865..5058155f6d05d818dd059f4d46ee0cf1cdeb6348 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_INIT
 AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
-AM_INIT_AUTOMAKE("Linux-PAM", 1.1.4)
+AM_INIT_AUTOMAKE("Linux-PAM", 1.1.5)
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
index 4ad529fda51a12c55ad7b21c54f40108ceb49f4e..5fecea2466c8564a53acb8ecc92fd5f704c83960 100644 (file)
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -236,17 +236,6 @@
                 </para>
               </listitem>
             </varlistentry>
-            <varlistentry>
-              <term>
-                <option>no_lock_time</option>
-              </term>
-              <listitem>
-                <para>
-                  Do not use the .fail_locktime field in
-                  <filename>/var/log/faillog</filename> for this user.
-                </para>
-              </listitem>
-            </varlistentry>
             <varlistentry>
               <term>
                 <option>even_deny_root</option>
@@ -446,4 +435,3 @@ session  optional       pam_mail.so standard
   </refsect1>
 
 </refentry>
-

diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a64ae89f7ce48151104432df8217d52831e803b6..88624b1ce73aafb971fd13893be2e444ac740f01 100644 (file)
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
                goto cleanup;
        }
 
-       /* Check that both users are amenable to this.  By default, this
-        * boils down to this policy:
-        * export(ruser=root): only if <user> is listed in .xauth/export
-        * export(ruser=*) if <user> is listed in .xauth/export, or
-        *                 if .xauth/export does not exist
-        * import(user=*): if <ruser> is listed in .xauth/import, or
-        *                 if .xauth/import does not exist */
-       i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
-       i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
-       if (i != PAM_SUCCESS) {
-               retval = PAM_SESSION_ERR;
-               goto cleanup;
-       }
-       i = PAM_SUCCESS;
-       i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
-       if (i != PAM_SUCCESS) {
-               retval = PAM_SESSION_ERR;
-               goto cleanup;
+
+       /* If current user and the target user are the same, don't
+          check the ACL list, but forward X11 */
+       if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) {
+
+         /* Check that both users are amenable to this.  By default, this
+          * boils down to this policy:
+          * export(ruser=root): only if <user> is listed in .xauth/export
+          * export(ruser=*) if <user> is listed in .xauth/export, or
+          *                 if .xauth/export does not exist
+          * import(user=*): if <ruser> is listed in .xauth/import, or
+          *                 if .xauth/import does not exist */
+         i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
+         i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
+         if (i != PAM_SUCCESS) {
+           retval = PAM_SESSION_ERR;
+           goto cleanup;
+         }
+         i = PAM_SUCCESS;
+         i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
+         if (i != PAM_SUCCESS) {
+           retval = PAM_SESSION_ERR;
+           goto cleanup;
+         }
+       }  else {
+         if (debug)
+           pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11");
        }
 
        /* Figure out where the source user's .Xauthority file is. */