util-linux-CVE-2026-3184.patch

From 8b29aeb081e297e48c4c1ac53d88ae07e1331984 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 19 Feb 2026 12:20:28 +0100
Subject: [PATCH] login: use original FQDN for PAM_RHOST

When login -h <remotehost> is invoked, init_remote_info() strips the
local domain suffix from the hostname (FQDN to short name) before
storing it in cxt->hostname. This truncated value is then used for
PAM_RHOST, which can bypass pam_access host deny rules that match on
the FQDN.

Preserve the original -h hostname in a new cmd_hostname field and use
it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
and logging unchanged.

Note, the real-world impact is low -- login -h is only used by legacy
telnet/rlogin daemons, and exploitation requires FQDN-specific
pam_access rules on a system still using these obsolete services.

Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
 login-utils/login.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/login-utils/login.c b/login-utils/login.c
index 74c42f422..0990d5e8f 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -130,6 +130,7 @@ struct login_context {
 	char		*thishost;		/* this machine */
 	char		*thisdomain;		/* this machine's domain */
 	char		*hostname;		/* remote machine */
+	char		*cmd_hostname;		/* remote machine as specified on command line */
 	char		hostaddress[16];	/* remote address */
 
 	pid_t		pid;
@@ -912,7 +913,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
 
 	/* hostname & tty are either set to NULL or their correct values,
 	 * depending on how much we know. */
-	rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);
+	rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);
 	if (is_pam_failure(rc))
 		loginpam_err(pamh, rc);
 
@@ -1250,6 +1251,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost)
 
 	get_thishost(cxt, &domain);
 
+	cxt->cmd_hostname = xstrdup(remotehost);
+
 	if (domain && (p = strchr(remotehost, '.')) &&
 	    strcasecmp(p + 1, domain) == 0)
 		*p = '\0';
-- 
2.51.0
- Use full hostname for PAM to ensure correct access control for "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch). OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=620 2026-03-01 23:48:58 +00:00			`From 8b29aeb081e297e48c4c1ac53d88ae07e1331984 Mon Sep 17 00:00:00 2001`
			`From: Karel Zak <kzak@redhat.com>`
			`Date: Thu, 19 Feb 2026 12:20:28 +0100`
			`Subject: [PATCH] login: use original FQDN for PAM_RHOST`

			`When login -h <remotehost> is invoked, init_remote_info() strips the`
			`local domain suffix from the hostname (FQDN to short name) before`
			`storing it in cxt->hostname. This truncated value is then used for`
			`PAM_RHOST, which can bypass pam_access host deny rules that match on`
			`the FQDN.`

			`Preserve the original -h hostname in a new cmd_hostname field and use`
			`it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp`
			`and logging unchanged.`

			`Note, the real-world impact is low -- login -h is only used by legacy`
			`telnet/rlogin daemons, and exploitation requires FQDN-specific`
			`pam_access rules on a system still using these obsolete services.`

			`Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>`
			`Signed-off-by: Karel Zak <kzak@redhat.com>`
			`---`
			`login-utils/login.c \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/login-utils/login.c b/login-utils/login.c`
			`index 74c42f422..0990d5e8f 100644`
			`--- a/login-utils/login.c`
			`+++ b/login-utils/login.c`
			`@@ -130,6 +130,7 @@ struct login_context {`
			`char thishost; / this machine */`
			`char thisdomain; / this machine's domain */`
			`char hostname; / remote machine */`
			`+ char cmd_hostname; / remote machine as specified on command line */`
			`char hostaddress[16]; /* remote address */`

			`pid_t pid;`
			`@@ -912,7 +913,7 @@ static pam_handle_t init_loginpam(struct login_context cxt)`

			`/* hostname & tty are either set to NULL or their correct values,`
			`* depending on how much we know. */`
			`- rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);`
			`+ rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);`
			`if (is_pam_failure(rc))`
			`loginpam_err(pamh, rc);`

			`@@ -1250,6 +1251,8 @@ static void init_remote_info(struct login_context cxt, char remotehost)`

			`get_thishost(cxt, &domain);`

			`+ cxt->cmd_hostname = xstrdup(remotehost);`
			`+`
			`if (domain && (p = strchr(remotehost, '.')) &&`
			`strcasecmp(p + 1, domain) == 0)`
			`*p = '\0';`
			`--`
			`2.51.0`