From fb78a2cd3fdaf0cb45bb4b2f992d1c600715b275 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Wed, 6 May 2026 21:49:35 +0200
Subject: [PATCH] CVE-2026-44073: uams: treat seteuid failures as fatal
Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 etc/uams/uams_dhx2_pam.c | 13 +++++++++++++
 etc/uams/uams_randnum.c | 12 ++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/etc/uams/uams_dhx2_pam.c b/etc/uams/uams_dhx2_pam.c
index 1ff88790e..2d85a4420 100644
--- a/etc/uams/uams_dhx2_pam.c
+++ b/etc/uams/uams_dhx2_pam.c
@@ -905,6 +905,9 @@ static int changepw_3(void *obj _U_,
 if (seteuid(0) < 0) {
 LOG(log_error, logtype_uams, "DHX2 Chgpwd: could not seteuid(%i)", 0);
+ pam_end(lpamh, PAM_SUCCESS);
+ ret = AFPERR_MISC;
+ goto error_ctx;
 }
 PAM_error = pam_authenticate(lpamh, 0);
@@ -914,6 +917,9 @@ static int changepw_3(void *obj _U_,
 if (seteuid(uid) < 0) {
 LOG(log_error, logtype_uams, "DHX2 Chgpwd: could not seteuid(%i)", uid);
+ pam_end(lpamh, PAM_error);
+ ret = AFPERR_MISC;
+ goto error_ctx;
 }
 pam_end(lpamh, PAM_error);
@@ -928,6 +934,9 @@ static int changepw_3(void *obj _U_,
 if (seteuid(uid) < 0) {
 LOG(log_error, logtype_uams, "DHX2 Chgpwd: could not seteuid(%i)", uid);
+ pam_end(lpamh, PAM_error);
+ ret = AFPERR_MISC;
+ goto error_ctx;
 }
 pam_end(lpamh, PAM_error);
@@ -940,6 +949,10 @@ static int changepw_3(void *obj _U_,
 if (seteuid(uid) < 0) {
 LOG(log_error, logtype_uams, "DHX2 Chgpwd: could not seteuid(%i)", uid);
+ explicit_bzero(ibuf, 512);
+ pam_end(lpamh, PAM_SUCCESS);
+ ret = AFPERR_MISC;
+ goto error_ctx;
 }
 explicit_bzero(ibuf, 512);
diff --git a/etc/uams/uams_randnum.c b/etc/uams/uams_randnum.c
index f1a6a891e..227855330 100644
--- a/etc/uams/uams_randnum.c
+++ b/etc/uams/uams_randnum.c
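Review bot: The early exits added at the seteuid(0) check in hunk @@ -905 and at the seteuid(uid) checks in hunks @@ -914 and @@ -928 jump to error_ctx without clearing ibuf, whereas the exit added in hunk @@ -940 calls `explicit_bzero(ibuf, 512);` before the same goto. If ibuf still holds the decrypted password material on those three paths (pam_authenticate is called right after the @@ -905 check, so that looks likely) and error_ctx does not wipe it, the secret survives in memory on the failure paths; error_ctx is outside the hunks, so I cannot confirm which. Either add `explicit_bzero(ibuf, 512);` ahead of each of the three gotos or, if the label already wipes the buffer, drop the extra call in @@ -940 so all four paths read the same. On the @@ -905 path pam_end is handed PAM_SUCCESS although the request is being abandoned; a failure status such as `pam_end(lpamh, PAM_SYSTEM_ERR);` lets PAM modules take their failure-path cleanup. changepw_3 starts and ends outside these hunks.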
@@ -313,15 +313,17 @@ static int randpass(const struct passwd *pwd, const char *file,
 /* change ourselves to the user */
 if (!uid && (seteuid(pwd->pw_uid) < 0)) {
- LOG(log_info, logtype_uams, "seteuid(%i) failed (%s)", pwd->pw_uid,
+ LOG(log_error, logtype_uams, "seteuid(%i) failed (%s)", pwd->pw_uid,
 strerror(errno));
+ return AFPERR_MISC;
 }
 i = home_passwd(pwd, path, i, passwd, len, set);
 /* change ourselves back to root */
 if (!uid && (seteuid(0) < 0)) {
- LOG(log_info, logtype_uams, "seteuid(%i) failed (%s)", 0, strerror(errno));
+ LOG(log_error, logtype_uams, "seteuid(%i) failed (%s)", 0, strerror(errno));
+ return AFPERR_MISC;
 }
 return i;
@@ -334,13 +336,15 @@ static int randpass(const struct passwd *pwd, const char *file,
 /* handle afppasswd file. we need to make sure that we're root
 * when we do this. */
 if (uid && (seteuid(0) < 0)) {
- LOG(log_info, logtype_uams, "seteuid(%i) failed (%s)", 0, strerror(errno));
+ LOG(log_error, logtype_uams, "seteuid(%i) failed (%s)", 0, strerror(errno));
+ return AFPERR_MISC;
 }
 i = afppasswd(pwd, file, i, passwd, len, set);
 if (uid && (seteuid(uid) < 0)) {
- LOG(log_info, logtype_uams, "seteuid(%i) failed (%s)", uid, strerror(errno));
+ LOG(log_error, logtype_uams, "seteuid(%i) failed (%s)", uid, strerror(errno));
+ return AFPERR_MISC;
 }
 return i;
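Review bot: The `return AFPERR_MISC;` added after the seteuid(0) check in hunk @@ -313 discards `i`, the result of the home_passwd() call that has already run, so a password write that succeeded is reported to the client as a failure; the same holds for the seteuid(uid) check after afppasswd() in hunk @@ -334. That is defensible for a fatal privilege-switch failure, but it is not obvious from the code, so a comment above both returns such as `/* the password may already be written; failing to switch euid back is fatal regardless */` would help the next reader. In hunk @@ -334 the failed seteuid(uid) also leaves the process running with euid 0 when it returns, so the caller has to treat AFPERR_MISC here as session-ending; the caller is outside the hunk, so I cannot tell whether it does. randpass starts before and continues past these hunks.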