I’ve hit the same issue:
Running `finger` can segfault when utmp contains entries whose tty paths do
not exist, e.g. /dev//seat0 or /dev//pts/N.
Observed:
    finger: /dev//seat0: No such file or directory
    Segmentation fault
finger is segfaulting in bsd-finger’s short-format idle-time printer:
finger/sprint.c:161, inside stimeprint():
    delta = gmtime(&w->idletime);
    if (!delta->tm_yday)
gmtime() is returning NULL, then finger immediately dereferences delta.
The bad input is the first logged-in WHERE record:
    tty = "seat0"
    loginat = 1777546298
    idletime = 4210143749954891109
That huge idletime is garbage. It comes from
finger/util.c:find_idle_and_ttywrite(): it tries to stat /dev//seat0, fails,
prints:
    finger: /dev//seat0: No such file or directory
and returns without initializing w->idletime or w->writable. Then
sflag_print() treats the record as logged in and calls
stimeprint(w), where the bogus idletime makes gmtime() fail.
So the immediate segfault is sprint.c:161; the underlying bug is the failed
stat() path in util.c:find_idle_and_ttywrite()
leaving w->idletime uninitialized.
The crash is in finger/sprint.c:stimeprint():
    delta = gmtime(&w->idletime);
    if (!delta->tm_yday)
`w->idletime` is left uninitialized in finger/util.c:find_idle_and_ttywrite()
when stat(tbuf, &sb) fails. In my case it
contained a huge garbage value, causing gmtime() to return NULL and the next
line to dereference it.
In find_idle_and_ttywrite(), initialize idletime and writable to 0
when stat() fails. This prevents a coredump later in stimeprint()
due to gmtime() returning NULL for an uninitialized idletime.
NetBSD appears to have fixed the same issue by initializing idletime and
writable to 0 on stat failure:
https://groups.google.com/g/linux.debian.bugs.dist/c/jEaGqvHwAmw
Minimal fix:
    if (stat(tbuf, &sb) < 0) {
        eprintf("finger: %s: %s\n", tbuf, strerror(errno));
        w->idletime = 0;
        w->writable = 0;
        return;
    }
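Added example, not part of the report above and not bsd-finger source: a stand-alone C sketch of the failure chain it describes, with the stat()-failure initialization plus a NULL check on gmtime() as defence in depth. The names `where_rec`, `fill_idle` and `format_idle`, the simplified success branch and the output format are assumptions of this example; it assumes a 64-bit time_t.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>

/* Hypothetical stand-in for the two WHERE fields discussed in the report. */
struct where_rec {
    time_t idletime;
    int writable;
};

/* Same shape as the reported fix: a failed stat() zeroes both fields.
 * The success branch is simplified and is an assumption of this example. */
static int fill_idle(struct where_rec *w, const char *tty_path, time_t now)
{
    struct stat sb;

    if (stat(tty_path, &sb) < 0) {
        w->idletime = 0;
        w->writable = 0;
        return -1;
    }
    w->idletime = now < sb.st_atime ? 0 : now - sb.st_atime;
    w->writable = (sb.st_mode & S_IWGRP) != 0;
    return 0;
}

/* Defence in depth: check gmtime() before dereferencing its result. */
static int format_idle(const struct where_rec *w, char *out, size_t len)
{
    const struct tm *delta = gmtime(&w->idletime);

    if (delta == NULL) {        /* idletime not representable as a struct tm */
        snprintf(out, len, "?");
        return -1;
    }
    if (delta->tm_yday == 0)
        snprintf(out, len, "%d:%02d", delta->tm_hour, delta->tm_min);
    else
        snprintf(out, len, "%dd", delta->tm_yday);
    return 0;
}

int main(void)
{
    struct where_rec w = { (time_t)4210143749954891109LL, 1 }; /* idletime from the report */
    char buf[16];
    int rc = format_idle(&w, buf, sizeof buf);

    printf("garbage idletime: rc=%d text=%s\n", rc, buf);
    return 0;
}
```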