File util-linux-CVE-2026-3184.patch of Package util-linux
From 8b29aeb081e297e48c4c1ac53d88ae07e1331984 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 19 Feb 2026 12:20:28 +0100
Subject: [PATCH] login: use original FQDN for PAM_RHOST
When login -h <remotehost> is invoked, init_remote_info() strips the
local domain suffix from the hostname (FQDN to short name) before
storing it in cxt->hostname. This truncated value is then used for
PAM_RHOST, which can bypass pam_access host deny rules that match on
the FQDN.
Preserve the original -h hostname in a new cmd_hostname field and use
it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
and logging unchanged.
Note, the real-world impact is low -- login -h is only used by legacy
telnet/rlogin daemons, and exploitation requires FQDN-specific
pam_access rules on a system still using these obsolete services.
Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
login-utils/login.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/login-utils/login.c b/login-utils/login.c
index 74c42f422..0990d5e8f 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -130,6 +130,7 @@ struct login_context {
char *thishost; /* this machine */
char *thisdomain; /* this machine's domain */
char *hostname; /* remote machine */
+ char *cmd_hostname; /* remote machine as specified on command line */
char hostaddress[16]; /* remote address */
pid_t pid;
@@ -912,7 +913,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
/* hostname & tty are either set to NULL or their correct values,
* depending on how much we know. */
- rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);
+ rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);
if (is_pam_failure(rc))
loginpam_err(pamh, rc);
@@ -1250,6 +1251,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost)
get_thishost(cxt, &domain);
+ cxt->cmd_hostname = xstrdup(remotehost);
+
if (domain && (p = strchr(remotehost, '.')) &&
strcasecmp(p + 1, domain) == 0)
*p = '\0';
--
2.51.0
