auth-pam: don't leak PAM env strings after pam_putenv()
Avinash Duduskar
avinash.duduskar at gmail.com
Tue May 19 06:43:34 AEST 2026
The strdup-on-entry contract is stable across all auditable
releases of each implementation:
- Linux-PAM 0-72 (~2001): libpam/pam_env.c pam_putenv ends
the value-setting path with
pamh->env->list[item] = _pam_strdup(name_value);
strdup on entry.
- OpenPAM 20050616 (Jun 2005): lib/pam_putenv.c, both
replace and append paths call strdup(namevalue).
- illumos 7c478bd (OpenSolaris Launch, 14 Jun 2005):
usr/src/lib/libpam/pam_framework.c splits name_value
into local name and value buffers, stores strdup'd
copies into the env_list. The caller's input is never
retained.
Pre-tag Linux-PAM (pre-2001) and pre-OpenSolaris-Launch
Sun PAM are outside any plausible current deployment
window.
More information about the openssh-unix-dev
mailing list