[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
Included in pam | 1.5.3-5ubuntu3.
** Changed in: pam (Ubuntu)
Status: Fix Committed => Fix Released
** Changed in: ubuntu-z-systems
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
Fix Released
Status in pam package in Ubuntu:
Fix Released
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
On Thu, Feb 29, 2024 at 10:19:40AM -, Frank Heimes wrote:
> Fix Committed with having:
> pam | 1.5.3-4ubuntu1 | noble-proposed | source
FTR this has been temporarily reverted, but it will be fix-committed again
shortly
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in pam package in Ubuntu:
Fix Committed
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
Fix Committed with having:
pam | 1.5.3-4ubuntu1 | noble-proposed | source
** Changed in: pam (Ubuntu)
Status: New => Fix Committed
** Changed in: ubuntu-z-systems
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in pam package in Ubuntu:
Fix Committed
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
** Changed in: ubuntu-z-systems
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
New
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
sarnold, good point!
Holger: I can't pretend speaking for the SRU team, but I'd be willing to
bet that having "the fix is trivial" as a test plan would result in the
SRU being trivially rejected :-).
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
New
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
I'm uncomfortable with the idea of printing nothing when the routines
fail.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
New
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
** Also affects: ubuntu-z-systems
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in Ubuntu on IBM z Systems:
New
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
** Tags added: architecture-s39064 bugnameltc-204450 severity-medium
targetmilestone-inin---
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
There aren't many ways to make localtime() fail and we still don't know
how this happened in this case. We expect this happens maybe on a 32-bit
machine. You can't have a really huge value in btmp anyway because
everything is stored on 32-bit signed integers but maybe seconds are
negative or microseconds are more than a million (or negative?). It's
very difficult to tell and I think we could reproduce the issue but we
might also find several ways to get the same behavior.
I'm also wondering if the bug is really in pam _if_ the behavior is
different between 32-bit and 64-bit arches. This could be worth
investigating.
Do we have a *tmp file that exhibit the issue? I think it would be worth
diving into the binary to see if anything stands out.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
** Tags removed: rls-ff-incoming rls-jj-incoming rls-ll-incoming
rls-mm-incoming rls-nn-incoming
** Tags added: foundations-todo
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
Launchpad has imported 5 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=2012871.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
On 2021-10-11T13:47:24+00:00 rmetrich wrote:
Description of problem:
We got a customer report of a command going through PAM crashing for a given
user.
It appears that the pam_lastlog code doesn't check the result of localtime_r(),
which leads to crashing in glibc's strftime():
~~~
494 static int
495 last_login_failed(pam_handle_t *pamh, int announce, const char *user,
time_t lltime)
496 {
:
502 char the_time[256];
:
535 if (failed) {
536 /* we want the date? */
537 if (announce & LASTLOG_DATE) {
538 struct tm *tm, tm_buf;
539 time_t lf_time;
540
541 lf_time = utuser.ut_tv.tv_sec;
542 tm = localtime_r (_time, _buf);
543 strftime (the_time, sizeof (the_time),
544 /* TRANSLATORS: "strftime options for date of last login" */
545 _(" %a %b %e %H:%M:%S %Z %Y"), tm);
546
547 date = the_time;
548 }
~~~
Here above, assuming "lf_time" is very large, due to a corruption in btmp
database, this leads to:
1. having "tm" = NULL
2. calling strftime(..., NULL), which crashes
Hence, checking the result is mandatory.
Version-Release number of selected component (if applicable):
PAM from RHEL7 and later
How reproducible:
Don't know, need to have a corrupted "btmp" entry
Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/0
On 2021-10-18T07:08:52+00:00 ipedrosa wrote:
It would help us if you could ask the customer for the reproduction
steps
Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/1
On 2021-10-18T07:51:50+00:00 rmetrich wrote:
The customer gave me his btmp database but unfortunately I couldn't
reproduce with it either: PAM was detecting the corruption for me,
whereas not for the customer.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/2
On 2022-09-27T09:22:53+00:00 ipedrosa wrote:
master:
pam_lastlog: check localtime_r() return value -
40c271164dbcebfc5304d0537a42fb42e6b6803c
Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/3
On 2023-05-16T09:02:48+00:00 errata-xmlrpc wrote:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (pam bug fix and enhancement update), and where
to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2954
Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/4
** Changed in: pam (Fedora)
Status: Unknown => Fix Released
** Changed in: pam (Fedora)
Importance: Unknown => High
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to
noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow on issue can be that no ssh remote connections to an
affected server are possible anymore, esp. painful with headless systems (was
reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (_time, _buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last
login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (_time, _buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not
