In the cockpit component pam-ssh-add uses a call to atoi() to convert the environment variable `SSH_AGENT_PID` to an integer. This assumes that this env variable has not been tampered with, and if the env variable has been mangled this can lead to an overflow. The solution proposed is to replace it with a call to strtol() with error checking.
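The strtol()-with-error-checking replacement the comment above proposes, written here as an added illustration rather than pam-ssh-add's own code (the follow-up comment notes the atoi() description was a misreport of the real issue): the function names are hypothetical and it assumes pid_t is int-sized.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/types.h>

/* Strictly parse a pid string such as the value of SSH_AGENT_PID.
 * Unlike atoi(), this rejects empty input, leading whitespace or signs,
 * trailing garbage, zero/negative values and anything outside the
 * (assumed int-sized) pid_t range, instead of silently returning junk. */
bool parse_agent_pid(const char *s, pid_t *out)
{
    if (s == NULL || *s == '\0')
        return false;
    /* strtol() would skip whitespace and accept a sign; refuse both. */
    if (*s < '0' || *s > '9')
        return false;

    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)            /* magnitude does not fit in a long */
        return false;
    if (end == s || *end != '\0')   /* nothing parsed, or trailing garbage */
        return false;
    if (v <= 0 || v > INT_MAX)      /* pids are positive and must fit pid_t */
        return false;

    *out = (pid_t)v;
    return true;
}

/* Convenience wrapper: the parsed pid, or -1 when the string is invalid. */
long pid_or_invalid(const char *s)
{
    pid_t pid;
    return parse_agent_pid(s, &pid) ? (long)pid : -1;
}

/* Read SSH_AGENT_PID from the environment; -1 when absent or malformed. */
long agent_pid_from_env(void)
{
    return pid_or_invalid(getenv("SSH_AGENT_PID"));
}
```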
> if the env variable has been mangled this can lead to an overflow. The solution proposed is to replace it with a call to strtol() with error checking.

Note: This is *not at all* the problem/solution. This was an initial misunderstanding/misreporting. The subject describes it better. See #2290859 for details.
The embargo got lifted. @ahanwate can you please remove the "security" group from #2290859 ? I am unable to do this myself. The bug should become public now. Thanks!
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:9325 https://access.redhat.com/errata/RHSA-2024:9325