Bug 2012871
| Summary: | pam_lastlog doesn't handle time related errors | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> | |
| Component: | pam | Assignee: | Iker Pedrosa <ipedrosa> | |
| Status: | CLOSED ERRATA | QA Contact: | Anuj Borah <aborah> | |
| Severity: | high | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.4 | CC: | aborah, pbrezina | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | pam-1.3.1-25.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2130124 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-16 09:02:48 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2130124 | |||
It would help us if you could ask the customer for the reproduction steps The customer gave me his btmp database but unfortunately I couldn't reproduce with it either: PAM was detecting the corruption for me, whereas not for the customer. master:
pam_lastlog: check localtime_r() return value - 40c271164dbcebfc5304d0537a42fb42e6b6803c
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (pam bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2954 |
Description of problem: We got a customer report of a command going through PAM crashing for a given user. It appears that the pam_lastlog code doesn't check the result of localtime_r(), which leads to crashing in glibc's strftime(): ~~~ 494 static int 495 last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t lltime) 496 { : 502 char the_time[256]; : 535 if (failed) { 536 /* we want the date? */ 537 if (announce & LASTLOG_DATE) { 538 struct tm *tm, tm_buf; 539 time_t lf_time; 540 541 lf_time = utuser.ut_tv.tv_sec; 542 tm = localtime_r (&lf_time, &tm_buf); 543 strftime (the_time, sizeof (the_time), 544 /* TRANSLATORS: "strftime options for date of last login" */ 545 _(" %a %b %e %H:%M:%S %Z %Y"), tm); 546 547 date = the_time; 548 } ~~~ Here above, assuming "lf_time" is very large, due to a corruption in btmp database, this leads to: 1. having "tm" = NULL 2. calling strftime(..., NULL), which crashes Hence, checking the result is mandatory. Version-Release number of selected component (if applicable): PAM from RHEL7 and later How reproducible: Don't know, need to have a corrupted "btmp" entry