[Bug 3934] check_pam_user() is an oracle for user names
bugzilla-daemon at mindrot.org
Thu Mar 5 12:59:53 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3934
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3880
                 CC|                            |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This was fixed in commit 2425d7faf4154b back in October on git HEAD and
the V_10_2 branch, but hasn't made it into a release yet.

Similarly, the pam_start leak (I think) was fixed by commit
3adc47e161901, shortly after.

commit 2425d7faf4154b32b5f836596023cf2432b81eaf
Author: Damien Miller <djm at mindrot.org>
Date:   Fri Oct 31 13:47:49 2025 +1100

    check PAM user against previous user, not pw_name

    Avoids early fatal() if the user doesn't exist.

    Reported by Viswesh Narayanan; ok dtucker@

commit 3adc47e161901001816045c032fa61e94b0c9426
Author: Damien Miller <djm at mindrot.org>
Date:   Tue Oct 14 14:52:50 2025 +1100

    don't leak PAM handle on repeat invocations

    Reported by Casper Dik via bz3882; ok dtucker@

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3880
[Bug 3880] Tracking bug for openssh-10.3