Description of problem:

I may be missing something here, but I was looking at the login code to copy the pam stuff out of it and I noticed that if a user passes in his user name on the command line it is strdup'ed, but then the same variable 'username' is used again by pam to get the username out of the passwd file without first freeing the variable.

Relevant lines:

    428     if (*argv) {
    429         char *p = *argv;
    430         username = strdup(p);

    514     retcode = pam_start(hflag?"remote":"login",username, &conv, &pamh);

    544     /*
    545      * Grab the user information out of the password file for future usage
    546      * First get the username that we are actually using, though.
    547      */
    548     retcode = pam_get_item(pamh, PAM_USER, (const void **) &username);

This code path assumes no password is required. Nothing in the pam_get_item man page suggests that pam frees the value itself. Also, nothing in pam_start suggests pam takes ownership. By taking a const char *, it in fact suggests it copies what is sent to it.

Fixed in the upstream code -- it will be available in Fedora 9 or 10. Thanks.
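
The ownership pattern described in the report, as an added example that is not code from login or from the upstream fix. The `handle` type and the `h_*` and `*_tracked` helpers are hypothetical stand-ins: they assume, as the reporter infers, that the PAM handle copies the name it is given and later hands back a pointer to its own storage. The allocation counter makes the orphaned copy visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int live;   /* tracked allocations not yet freed */

static char *dup_tracked(const char *s) {   /* stands in for strdup() */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live++; }
    return p;
}
static void free_tracked(void *p) { if (p) { live--; free(p); } }

/* Hypothetical stand-in for a PAM handle that copies the name it is given. */
struct handle { char *user; };
static int h_start(struct handle *h, const char *u) { return (h->user = dup_tracked(u)) ? 0 : -1; }
/* Like the pam_get_item() call in the report: yields handle-owned storage. */
static void h_get_user(const struct handle *h, const void **item) { *item = h->user; }
static void h_end(struct handle *h) { free_tracked(h->user); h->user = NULL; }

/* Pattern from the report. Returns the number of allocations leaked. */
int reported_pattern(const char *arg, char *out, size_t outlen) {
    struct handle h; const void *item = NULL;
    int before = live, leaked;
    char *username = dup_tracked(arg);
    char *orphan = username;      /* demo only: lets us clean up afterwards */
    if (!username || h_start(&h, username) != 0) { free_tracked(username); return -1; }
    h_get_user(&h, &item);
    username = (char *)item;      /* caller's copy is no longer referenced */
    snprintf(out, outlen, "%s", username);
    h_end(&h);
    leaked = live - before;       /* the caller's copy is still allocated */
    free_tracked(orphan);
    return leaked;
}

/* Same flow, releasing the caller's copy before reading the handle's value. */
int fixed_pattern(const char *arg, char *out, size_t outlen) {
    struct handle h; const void *item = NULL;
    int before = live;
    char *username = dup_tracked(arg);
    if (!username || h_start(&h, username) != 0) { free_tracked(username); return -1; }
    h_get_user(&h, &item);
    free_tracked(username);       /* we own this copy, so we free it */
    snprintf(out, outlen, "%s", (const char *)item);  /* copy while handle lives */
    h_end(&h);
    return live - before;
}
```

The value obtained from the handle is borrowed, so it is copied out before the handle is closed and is never passed to `free()` by the caller.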