File freeradius-server-CVE-2011-4966.patch of Package freeradius-server

From 1b1ec5ce75e224bd1755650c18ccdaa6dc53e605 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Tue, 7 Feb 2012 20:58:52 +0100
Subject: [PATCH 2/2] heck for account and password expiration

---
 src/modules/rlm_unix/rlm_unix.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c
index 5c0fe0f..abec68c 100644
--- a/src/modules/rlm_unix/rlm_unix.c
+++ b/src/modules/rlm_unix/rlm_unix.c
@@ -272,9 +272,17 @@ static int unix_getpw(UNUSED void *instance, REQUEST *request,
 	/*
 	 *      Check if password has expired.
 	 */
+	if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 &&
+	    (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) {
+		radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
+		return RLM_MODULE_REJECT;
+	}
+	/*
+	 *      Check if account has expired.
+	 */
 	if (spwd && spwd->sp_expire > 0 &&
 	    (request->timestamp / 86400) > spwd->sp_expire) {
-		radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
+		radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name);
 		return RLM_MODULE_REJECT;
 	}
 #endif
-- 
1.7.10.4