------- Comment From holger.deng...@ibm.com 2024-01-11 13:09 EDT-------
(In reply to comment #9)
> Holger: I can't pretend speaking for the SRU team, but I'd be willing to bet
> that having "the fix is trivial" as a test plan would result in the SRU
> being trivially rejected :-).

@schopin: The API description of localtime_r() (man localtime_r) describes that the function can return a NULL pointer on error. The API documentation of strftime() (man strftime) describes that the last parameter of the function should not be a NULL pointer. If a program puts the return value of localtime_r() as the last parameter in a strftime() call, then we have a classical programming error. It is just a missing NULL pointer check. That was the thing that I meant with "trivial". There are a lot of patches in many projects which introduce NULL pointer checks. For most of them, I guess, there was never a test case or test plan. So yes, if you find a way to cause a reproducible failure of localtime_r(), you can write a testcase. But I'm not sure if it is worth spending all that effort on a fix which just fixes a missing NULL pointer check...

https://bugs.launchpad.net/bugs/2045250

Title:
  pam_lastlog doesn't handle localtime_r related errors properly

Status in Ubuntu on IBM z Systems:
  New
Status in pam package in Ubuntu:
  New
Status in pam package in Fedora:
  Fix Released

Bug description:

The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871

Customers report a command going through PAM crashing for a given user. A potential follow-on issue can be that no ssh remote connections to an affected server are possible anymore, esp. painful with headless systems (was reported on a different distro).

This is caused by an issue in modules/pam_lastlog/pam_lastlog.c: with tm = localtime_r(...) that can be NULL and needs to be handled.

There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):

    314- ll_time = last_login.ll_time;
    315: if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
    316- strftime (the_time, sizeof (the_time),
    317- /* TRANSLATORS: "strftime options for date of last login" */
    --
    574-
    575- lf_time = utuser.ut_tv.tv_sec;
    576: tm = localtime_r (&lf_time, &tm_buf);
    577- strftime (the_time, sizeof (the_time),
    578- /* TRANSLATORS: "strftime options for date of last login" */

Case 1 (line 315) is properly handled, but not case 2 (line 576).

The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c

This fix should be included in Ubuntu (and Debian).
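
Added example (not part of the bug report and not the linux-pam fix): a small C helper showing the check that case 2 lacks, testing the localtime_r() result before it reaches strftime(). The function names, the format string and the sample timestamps are assumptions made for illustration; the out-of-range value assumes a 64-bit time_t.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper (not from pam_lastlog.c): format a login timestamp,
 * checking localtime_r() before its result is handed to strftime().
 * Returns 0 on success, -1 if the time cannot be converted or formatted;
 * on failure buf holds a fixed placeholder instead of undefined contents. */
int format_login_time(time_t when, char *buf, size_t len)
{
    struct tm tm_buf;
    struct tm *tm;

    if (buf == NULL || len == 0)
        return -1;

    tm = localtime_r(&when, &tm_buf);
    if (tm == NULL || strftime(buf, len, "%a %b %e %H:%M:%S %Z %Y", tm) == 0) {
        /* Conversion failed: a NULL tm never reaches strftime(). */
        snprintf(buf, len, "(unknown time)");
        return -1;
    }
    return 0;
}

/* Constructed sample value: with a 64-bit time_t the resulting year does not
 * fit in tm_year (an int), so localtime_r() reports an error by returning NULL. */
time_t unrepresentable_time(void)
{
    return (sizeof(time_t) >= 8) ? (time_t)LLONG_MAX : (time_t)0;
}

int main(void)
{
    char the_time[256];
    time_t samples[2] = { (time_t)1700000000, unrepresentable_time() };

    for (int i = 0; i < 2; i++) {
        int rc = format_login_time(samples[i], the_time, sizeof(the_time));
        printf("rc=%d  %s\n", rc, the_time);
    }
    return 0;
}
```
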