Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 271
1 files changed, 271 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 247a4f14..d7d808b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,274 @@
+2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.5
+
+ * configure.in: Bump version number.
+
+ * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
+ "no_lock_time".
+
+2011-10-14 Kees Cook <kees@debian.org>
+
+ * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
+ overflowed environment variable expansion.
+ Fixes CVE-2011-3149.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+
+ * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
+ whitespace.
+ Fixes CVE-2011-3148.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+
+2011-10-10 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_access/pam_access.c: Add hostname resolution
+ cache.
+ (user_match): Clear the cache in fake_item.
+ (from_match): If from is not hostname, do not try to resolve it.
+ Cache the getaddrinfo() result.
+ (network_netmask_match): Cache the getaddrinfo() result.
+ (pam_sm_authenticate): Free the getaddrinfo() result.
+
+ * modules/pam_access/pam_access.c (netgroup_match): If getdomainname()
+ fails or domainname not set use NULL as domain in innetgr().
+
+2011-09-30 Tomas Mraz <tm@t8m.info>
+
+ * doc/man/pam.conf-syntax.xml: Improve documentation of the
+ sufficient and requisite control values. (Red Hat Bug #742413)
+
+2011-08-25 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_access/pam_access.c (user_match): Fix the split
+ on @ in the user field. (Red Hat Bug #732081)
+
+ * modules/pam_loginuid/pam_loginuid.c: Correct the FSF address.
+
+2011-08-23 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_env/pam_env.c (_pam_parse): Fix missing dereference.
+
+2011-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.4
+
+ * configure.in: Bump version number.
+ * NEWS: Document changes since 1.1.3
+ * libpam/Makefile.am: Bump release number of shared library
+ * po/de.po: Translate new string.
+
+ * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Reorder
+ Libraries.
+
+2011-06-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/pam_limits.c: Add set_all option,
+ read limits from PID one if no limit is specified and set_all
+ is set.
+ * modules/pam_limits/pam_limits.8.xml: Document set_all option.
+ Based on Patch by Kees Cook.
+
+2011-06-15 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_sepermit/pam_sepermit.c (check_running): Avoid
+ leaking memory and dir handle on realloc failure.
+ (sepermit_unlock): Cast fcntl() and close() calls to void.
+
+ * modules/pam_pwhistory/opasswd.c (check_old_password): Do not
+ needlessly call strdupa().
+ (save_old_password): Avoid memleaks in error paths. Avoid memleak of
+ buf. Make the opasswd entry parsing more robust.
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Document the
+ special meaning of remember=0.
+
+ * modules/pam_unix/support.c (_set_ctrl): Do not crash when remember,
+ minlen, or rounds options are used with wrong module type.
+
+ * modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate): Avoid
+ memleak in error path.
+ (pam_sm_open_session): Avoid memleak and fd leak in error path.
+
+ * modules/pam_access/pam_access.c (user_match): Initialize the
+ fake_item from item.
+
+2011-06-14 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Check for libtirpc by default.
+ * libpam/Makefile.am: Add support for libtirpc.
+ * modules/pam_access/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Change ifdefs for
+ new libtirpc support.
+ * modules/pam_unix/yppasswd_xdr.c: Only compile if we have rpc/rpc.h.
+
+2011-06-13 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Test
+ also whether the tty is in the /sys/class/tty/console/active file.
+ * modules/pam_securetty/pam_securetty.8.xml: Document the new check of
+ /sys/class/tty/console/active/file.
+
+2011-06-07 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/pam_namespace.c (root_shared): New
+ function to detect shared / mount.
+ (pam_sm_open_session): Call the root_shared() and enable
+ private mounts based on that.
+ * modules/pam_namespace/pam_namespace.8.xml: Document the
+ automatic detection of shared / mount.
+
+2011-06-06 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_group/pam_group.c (shift_bytes): Removed.
+ (shift_buf, trim_spaces): Added new functions.
+ (read_field): Thorough rewrite of the parsing.
+ (check_account): read_field() now uses state information. No
+ extra read_field() call at the end of configuration line.
+ * modules/pam_time/pam_time.c (shift_bytes): Removed.
+ (shift_buf, trim_spaces): Added new functions.
+ (read_field): Thorough rewrite of the parsing.
+ (check_account): read_field() now uses state information. No
+ extra read_field() call at the end of configuration line.
+
+ * modules/pam_namespace/pam_namespace.h: Define the MS_PRIVATE and
+ MS_REC flags if they are not in sys/mount.h.
+
+2011-06-06 Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
+
+ * po/LINGUAS: Add vietnamese.
+ * po/vi.po: Add vietnamese translation.
+
+2011-06-02 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/pam_namespace.c (protect_dir): Add parameter
+ to always do protect mount the last directory in the path.
+ (check_inst_parent, create_polydir): Update the protect_dir() call.
+ (ns_setup): Likewise and add the MS_PRIVATE mount() call.
+ (pam_sm_open_session): Check the mount_private option.
+ * modules/pam_namespace/pam_namespace.h: Add the PAMNS_MOUNT_PRIVATE.
+ * modules/pam_namespace/pam_namespace.8.xml: Document the mount_private
+ option.
+
+ * modules/pam_cracklib/pam_cracklib.c (str_lower): Make it no-op
+ on NULL strings.
+ (password_check): Guard for NULLs returned from memory allocation.
+
+ * modules/pam_filter/pam_filter.c (process_args): Guard for error return
+ from pam_get_user().
+
+ * modules/pam_echo/pam_echo.c (replace_and_print): Guard for error return
+ from pam_get_item().
+
+2011-05-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_timestamp/pam_timestamp.c (main): Remove unsused
+ variable pretval.
+
+ * modules/pam_stress/pam_stress.c (converse): **message is const.
+ (stress_get_password): pmsg is const.
+ (pam_sm_chauthtok): Likewise.
+ * libpam/pam_item.c (pam_get_user): Make pmsg const and remove
+ casts.
+
+2011-05-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_env/pam_env.c (_pam_parse): Implement debug option.
+ Based on patch by Tomas Mraz.
+
+2011-05-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): quiet
+ option has no argument, print no missing file if quiet is set
+ [sf#3194930].
+
+2011-05-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_failed): Don't
+ abort with error if btmp file does not exist.
+
+2011-03-21 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_unix/md5.c (MD5Final): Clear the whole ctx.
+
+2011-03-18 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/md5.c (MD5Final): Clear the whole ctx.
+ * modules/pam_namespace/pam_namespace.c (del_polydir): Guard for NULL poly.
+ (protect_dir): Guard for -1 passing to close().
+ (ns_setup): Likewise.
+ (pam_sm_open_session): Correctly test for SELinux enabled flag.
+
+2011-03-17 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (config_context): Fix leak of type.
+ (manual_context): Likewise.
+ (context_from_env): Remove extraneous auditing in success case.
+
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Remove extra
+ close() call.
+
+2011-02-22 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_nologin/pam_nologin.8.xml: Add missing space.
+ * modules/pam_limits/limits.conf.5.xml: Fix typo.
+
+2010-12-21 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (mls_range_allowed): Unhardcode
+ values for security class and av permission bit.
+
+2010-12-14 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_limits/pam_limits.c (parse_uid_range): New function
+ to parse the range of uids or gids.
+ (parse_config_file): Call parse_uid_range() and if uid/gid range
+ is identified, setup the limits if the range matches. New parameters
+ containing user's uid and primary gid.
+ (pam_sm_open_session): Pass the user's uid and primary gid to
+ parse_config_file().
+ * modules/pam_limits/limits.conf.5.xml: Document the uid/gid ranges.
+
+2010-12-14 Bahadır Kandemir <bahadir@pardus.org.tr>
+
+ * po/tr.po: Updated translations.
+
+2010-11-25 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_securetty/pam_securetty.8.xml: Improve documentation
+ of the kernel console feature and the noconsole option.
+
+2010-11-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_securetty/pam_securetty.c: Parse console= kernel
+ option, add noconsole option.
+ * modules/pam_securetty/pam_securetty.8.xml: Document new behavior
+ for serial console.
+ Patch from Lennart Poettering.
+
+2010-11-24 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_limits/limits.conf.5.xml: Document the %group syntax.
+
+2010-11-18 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_limits/pam_limits.c (pam_parse,pam_sm_open_session):
+ Drop obsolete and broken option change_uid.
+ * modules/pam_limits/pam_limits.8.xml: Likewise.
+
+2010-11-16 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Remove
+ dead and duplicate code. Return PAM_INCOMPLETE instead of
+ PAM_CONV_AGAIN.
+
+2010-11-11 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Fix
+ potential use after free in case SELinux is misconfigured.
+
+ * modules/pam_namespace/pam_namespace.c (process_line): Fix memory
+ leak when parsing empty config file lines.
+
2010-10-28 Thorsten Kukuk <kukuk@thkukuk.de>
* release version 1.1.3
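Review bot: In the 2011-06-13 pam_securetty entry the sysfs path is written two ways: the pam_securetty.c line says "the /sys/class/tty/console/active file", while the pam_securetty.8.xml line says "/sys/class/tty/console/active/file", which reads as a different path with a trailing "/file" component. Make the second line match the first. In the first 2011-05-30 entry, "unsused variable pretval" should read "unused". The two consecutive "2011-05-30 Thorsten Kukuk" headers can be merged under a single header, and "vietnamese" in the po/LINGUAS and po/vi.po lines should be capitalized.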