Bug 1209238

Summary: AUDIT-0: lastlog2: New pam_lastlog2 module replacing pam_lastlog
Product: [openSUSE] openSUSE Tumbleweed Reporter: Thorsten Kukuk <kukuk>
Component: SecurityAssignee: Wolfgang Frisch <wolfgang.frisch>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: filippo.bonazzi, matthias.gerstner, wolfgang.frisch
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1209587    
Bug Blocks:    

Description Thorsten Kukuk 2023-03-14 07:52:15 UTC 
Since lastlog and pam_lastlog are not Y2038 safe, there is a new lastlog2 package with a new PAM Module pam_lastlog2.so

https://build.opensuse.org/package/show/Linux-PAM/lastlog2
https://github.com/thkukuk/lastlog2
Comment 1 Matthias Gerstner 2023-03-14 08:40:26 UTC 
Thank you for opening the review bug. We will schedule the review.
Comment 2 Wolfgang Frisch 2023-03-14 15:05:07 UTC 
I will start working on the review shortly.
Comment 3 Wolfgang Frisch 2023-03-16 09:08:32 UTC 
[   26s] -lastlog2.x86_64: E: pam-file-unauthorized (Badness: 10) /usr/lib64/security/pam_lastlog2.so (sha256 file digest default filter:20e74c0807c7128001b57ca43e19ede0bcdfb510980834c0d246466397f348e6 shell filter:<failed-to-calculate> xml filter:<failed-to-calculate>)
[   26s] +lastlog2.x86_64: E: pam-file-unauthorized (Badness: 10) /usr/lib64/security/pam_lastlog2.so (sha256 file digest default filter:75b74dc37f43cdc41160f84300aaece3dc9fbebdc6931c34bbbc1c68092cf064 shell filter:<failed-to-calculate> xml filter:<failed-to-calculate>)
Comment 4 Thorsten Kukuk 2023-03-21 13:16:36 UTC 
Any update here?
Comment 6 Wolfgang Frisch 2023-03-22 14:47:01 UTC 
I'm done with the audit.

lastlog2 implements a PAM session interface that logs user information to a world-readable sqlite3 database. An accompanying binary /usr/bin/lastlog2 parses this information. The latter also includes an import feature to migrate old lastlog files.

The only finding (CWE-89) was discovered in the PAM part of the package:
https://bugzilla.suse.com/show_bug.cgi?id=1209587
Upstream addressed this promptly and correctly already,
so there's nothing in the way of a whitelisting.
Comment 8 Filippo Bonazzi 2023-03-22 15:34:50 UTC 
PR#1031 merged. Waiting to submit to OBS until existing rpmlint SR has gone through, as it's already in staging.
Comment 9 OBSbugzilla Bot 2023-03-24 08:55:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1209238) was mentioned in
https://build.opensuse.org/request/show/1074099 Factory / rpmlint
Comment 10 Wolfgang Frisch 2023-03-28 11:56:54 UTC 
Request accepted, resolved.