[Bug 2045250] Comment bridged from LTC Bugzilla
bugproxy
2045250 at bugs.launchpad.net
Mon Dec 11 09:09:34 UTC 2023
------- Comment From holger.dengler at ibm.com 2023-12-11 02:24 EDT-------
Even if the problem can be reproduced more easily on 32-bit architectures, the architecture doesn't matter at all. If you do a syscall in userspace programs, you have to check the returned value for errors. Period.
In my opinion, the fix for the problem is trivial (just do not call
strftime() with a NULL pointer), so the reproduction of a failure and a
test of the fix can be skipped here. It is more important that the fix
is pushed into the field as soon as possible.
--
https://bugs.launchpad.net/bugs/2045250
Title:
pam_lastlog doesn't handle localtime_r related errors properly
Status in pam package in Ubuntu:
New
Status in pam package in Fedora:
Fix Released
Bug description:
The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to noble) are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Customers report a command going through PAM crashing for a given user.
A potential follow-on issue can be that no ssh remote connections to an affected server are possible anymore, esp. painful with headless systems (was reported on a different distro).
This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
with tm = localtime_r(...) that can be NULL and needs to be handled.
There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
314- ll_time = last_login.ll_time;
315: if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
316- strftime (the_time, sizeof (the_time),
317- /* TRANSLATORS: "strftime options for date of last login" */
--
574-
575- lf_time = utuser.ut_tv.tv_sec;
576: tm = localtime_r (&lf_time, &tm_buf);
577- strftime (the_time, sizeof (the_time),
578- /* TRANSLATORS: "strftime options for date of last login" */
Case 1 (line 315) is properly handled, but not case 2 (line 576).
The second case got fixed by:
https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c
This fix should be included in Ubuntu (and Debian).