Description of problem:

I may be missing something here but I was looking at the login code to copy the
pam stuff out of it and I noticed if a user passes in his user name on the
command line it is strdup'ed but then the same variable 'username' is used again
by pam to get the username out of the passwd file without first freeing the
variable.

Relevant lines:

428    if (*argv) {
429	char *p = *argv;
430	username = strdup(p);

514    retcode = pam_start(hflag?"remote":"login",username, &conv, &pamh);

544    /*
545     * Grab the user information out of the password file for future usage
546     * First get the username that we are actually using, though.
547     */
548    retcode = pam_get_item(pamh, PAM_USER, (const void **) &username);
    
This code path assumes no password is required.  Nothing in the pam_get_item man
page suggests that pam frees the value itself.  Also nothing in pam_start
suggest pam takes ownership.  By taking a const char * it in fact suggests it
copies what is sent to it.