login: audit log injection attack via login
authorSteve Grubb <sgrubb@redhat.com>
Sat, 19 Apr 2008 15:49:02 +0000 (11:49 -0400)
committerKarel Zak <kzak@redhat.com>
Mon, 21 Apr 2008 13:05:43 +0000 (15:05 +0200)
A while back I found a couple of audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if it's vulnerable and Mirek
found that it is. To verify the problem, type:

root addr=xyz.com

for the account name while logging in. It will look like root logged in with
an address of xyz.com.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
login-utils/login.c

index 1af87925a81b4ae61215702cf1f52c2f18a69859..fec8da332ee1172fa782eaef9f8f45d8c821de06 100644 (file)
@@ -324,7 +324,6 @@ static void
 logaudit(const char *tty, const char *username, const char *hostname,
                                        struct passwd *pwd, int status)
 {
-       char buf[64];
        int audit_fd;
 
        audit_fd = audit_open();
@@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname,
                return;
        if (!pwd && username)
                pwd = getpwnam(username);
-       if (pwd)
-               snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid);
-       else
-               snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)");
 
-       audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-               buf, hostname, NULL, tty, status);
+       audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+               NULL, "login", username ? username : "(unknown)",
+               pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status);
 
        close(audit_fd);
 }
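Review bot: In the new `audit_log_acct_message()` call the name argument is never NULL, because `username ? username : "(unknown)"` substitutes a placeholder string. The libaudit man page describes the id argument as used only when the name is NULL (worth confirming against the installed version), so the `pwd->pw_uid` value would likely never reach the record and a missing username is logged as the literal account "(unknown)". If the uid should be recorded when only `pwd` is known, pass the name through unchanged, `NULL, "login", username,`, and write the sentinel for the unsigned id parameter explicitly as `pwd ? pwd->pw_uid : (unsigned int)-1`. The call's return value is also discarded, so a login event that fails to reach the audit subsystem goes unnoticed; checking it and reporting the failure through syslog would close that gap. logaudit() begins in the previous hunk, and the lines between the two hunks are not visible here.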