[Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly

Bug Watch Updater 2045250 at bugs.launchpad.net
Thu Nov 30 11:03:42 UTC 2023 

Launchpad has imported 5 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=2012871.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2021-10-11T13:47:24+00:00 rmetrich wrote:

Description of problem:

We got a customer report of a command going through PAM crashing for a given user.
It appears that the pam_lastlog code doesn't check the result of localtime_r(), which leads to crashing in glibc's strftime():

~~~
494 static int
495 last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t lltime)
496 {
 :
502     char the_time[256];
 :
535     if (failed) {
536         /* we want the date? */
537         if (announce & LASTLOG_DATE) {
538             struct tm *tm, tm_buf;
539             time_t lf_time;
540 
541             lf_time = utuser.ut_tv.tv_sec;
542             tm = localtime_r (&lf_time, &tm_buf);
543             strftime (the_time, sizeof (the_time),
544                 /* TRANSLATORS: "strftime options for date of last login" */
545                 _(" %a %b %e %H:%M:%S %Z %Y"), tm);
546 
547             date = the_time;
548         }
~~~

Here above, assuming "lf_time" is very large, due to a corruption in btmp database, this leads to:
1. having "tm" = NULL
2. calling strftime(..., NULL), which crashes

Hence, checking the result is mandatory.


Version-Release number of selected component (if applicable):

PAM from RHEL7 and later


How reproducible:

Don't know, need to have a corrupted "btmp" entry

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/0

------------------------------------------------------------------------
On 2021-10-18T07:08:52+00:00 ipedrosa wrote:

It would help us if you could ask the customer for the reproduction
steps

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/1

------------------------------------------------------------------------
On 2021-10-18T07:51:50+00:00 rmetrich wrote:

The customer gave me his btmp database but unfortunately I couldn't
reproduce with it either: PAM was detecting the corruption for me,
whereas not for the customer.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/2

------------------------------------------------------------------------
On 2022-09-27T09:22:53+00:00 ipedrosa wrote:

master:
    pam_lastlog: check localtime_r() return value - 40c271164dbcebfc5304d0537a42fb42e6b6803c

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/3

------------------------------------------------------------------------
On 2023-05-16T09:02:48+00:00 errata-xmlrpc wrote:

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2954

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/comments/4


** Changed in: pam (Fedora)
       Status: Unknown => Fix Released

** Changed in: pam (Fedora)
   Importance: Unknown => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250

Title:
  pam_lastlog doesn't handle localtime_r related errors properly

Status in pam package in Ubuntu:
  New
Status in pam package in Fedora:
  Fix Released

Bug description:
  The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to noble) are affected by
  https://bugzilla.redhat.com/show_bug.cgi?id=2012871

  Customers report a command going through PAM crashing for a given user.
  A potential follow on issue can be that no ssh remote connections to an affected server are possible anymore, esp. painful with headless systems (was reported on a different distro).

  This is caused by an issue in modules/pam_lastlog/pam_lastlog.c:
  with tm = localtime_r(...) that can be NULL and needs to be handled.

  There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):
  314-		ll_time = last_login.ll_time;
  315:		if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
  316-			strftime (the_time, sizeof (the_time),
  317-		        /* TRANSLATORS: "strftime options for date of last login" */
  --
  574-
  575-	    lf_time = utuser.ut_tv.tv_sec;
  576:	    tm = localtime_r (&lf_time, &tm_buf);
  577-	    strftime (the_time, sizeof (the_time),
  578-	        /* TRANSLATORS: "strftime options for date of last login" */

  Case 1 (line 315) is properly handled, but not case 2 (line 576).

  The second case got fixed by:
  https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c

  This fix should be included in Ubuntu (and Debian).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2045250/+subscriptions

More information about the foundations-bugs mailing list