196 lines
5.5 KiB
Plaintext
196 lines
5.5 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
|
|
CA-89:01
|
|
CERT Advisory
|
|
January 1989
|
|
Passwd hole
|
|
- -----------------------------------------------------------------------------
|
|
|
|
The CERT center received the following information from Keith Bostic
|
|
from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988.
|
|
This patch has also been posted to comp.bugs.4bsd.ucb-fixes.
|
|
|
|
Please note that this patch will only work with BSD 4.3. If you have
|
|
4.2 please let me know and I will forward the correct patch.
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
Computer Emergency Response Team (CERT)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
|
7:30a.m.-6:00p.m. EST, on call for
|
|
emergencies other hours.
|
|
|
|
Past advisories and other information are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
|
|
|
|
Subject: security problem in passwd
|
|
Index: bin/passwd.c 4.3BSD
|
|
|
|
Description:
|
|
There's a security problem associated with the passwd(1)
|
|
program in all known Berkeley systems. This problem is
|
|
also in most Berkeley derived systems, see your vendor
|
|
for more information.
|
|
|
|
Fix:
|
|
Apply the following patch to the file src/bin/passwd.c and
|
|
recompile/reinstall it.
|
|
|
|
*** passwd.c.orig Wed Dec 21 08:57:41 1988
|
|
- --- passwd.c Wed Dec 21 09:00:25 1988
|
|
***************
|
|
*** 332,337 ****
|
|
- --- 332,339 ----
|
|
return (crypt(pwbuf, saltc));
|
|
}
|
|
|
|
+ #define STRSIZE 100
|
|
+
|
|
char *
|
|
getloginshell(pwd, u, arg)
|
|
struct passwd *pwd;
|
|
***************
|
|
*** 338,344 ****
|
|
int u;
|
|
char *arg;
|
|
{
|
|
! static char newshell[BUFSIZ];
|
|
char *cp, *valid, *getusershell();
|
|
|
|
if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
|
|
- --- 340,346 ----
|
|
int u;
|
|
char *arg;
|
|
{
|
|
! static char newshell[STRSIZE];
|
|
char *cp, *valid, *getusershell();
|
|
|
|
if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
|
|
***************
|
|
*** 415,423 ****
|
|
getfingerinfo(pwd)
|
|
struct passwd *pwd;
|
|
{
|
|
! char in_str[BUFSIZ];
|
|
struct default_values *defaults, *get_defaults();
|
|
! static char answer[4*BUFSIZ];
|
|
|
|
answer[0] = '\0';
|
|
defaults = get_defaults(pwd->pw_gecos);
|
|
- --- 417,425 ----
|
|
getfingerinfo(pwd)
|
|
struct passwd *pwd;
|
|
{
|
|
! char in_str[STRSIZE];
|
|
struct default_values *defaults, *get_defaults();
|
|
! static char answer[4*STRSIZE];
|
|
|
|
answer[0] = '\0';
|
|
defaults = get_defaults(pwd->pw_gecos);
|
|
***************
|
|
*** 429,435 ****
|
|
*/
|
|
do {
|
|
printf("\nName [%s]: ", defaults->name);
|
|
! (void) fgets(in_str, BUFSIZ, stdin);
|
|
if (special_case(in_str, defaults->name))
|
|
break;
|
|
} while (illegal_input(in_str));
|
|
- --- 431,437 ----
|
|
*/
|
|
do {
|
|
printf("\nName [%s]: ", defaults->name);
|
|
! (void) fgets(in_str, STRSIZE, stdin);
|
|
if (special_case(in_str, defaults->name))
|
|
break;
|
|
} while (illegal_input(in_str));
|
|
***************
|
|
*** 440,446 ****
|
|
do {
|
|
printf("Room number (Exs: 597E or 197C) [%s]: ",
|
|
defaults->office_num);
|
|
! (void) fgets(in_str, BUFSIZ, stdin);
|
|
if (special_case(in_str, defaults->office_num))
|
|
break;
|
|
} while (illegal_input(in_str) || illegal_building(in_str));
|
|
- --- 442,448 ----
|
|
do {
|
|
printf("Room number (Exs: 597E or 197C) [%s]: ",
|
|
defaults->office_num);
|
|
! (void) fgets(in_str, STRSIZE, stdin);
|
|
if (special_case(in_str, defaults->office_num))
|
|
break;
|
|
} while (illegal_input(in_str) || illegal_building(in_str));
|
|
***************
|
|
*** 452,458 ****
|
|
do {
|
|
printf("Office Phone (Ex: 6426000) [%s]: ",
|
|
defaults->office_phone);
|
|
! (void) fgets(in_str, BUFSIZ, stdin);
|
|
if (special_case(in_str, defaults->office_phone))
|
|
break;
|
|
remove_hyphens(in_str);
|
|
- --- 454,460 ----
|
|
do {
|
|
printf("Office Phone (Ex: 6426000) [%s]: ",
|
|
defaults->office_phone);
|
|
! (void) fgets(in_str, STRSIZE, stdin);
|
|
if (special_case(in_str, defaults->office_phone))
|
|
break;
|
|
remove_hyphens(in_str);
|
|
***************
|
|
*** 464,470 ****
|
|
*/
|
|
do {
|
|
printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
|
|
! (void) fgets(in_str, BUFSIZ, stdin);
|
|
if (special_case(in_str, defaults->home_phone))
|
|
break;
|
|
remove_hyphens(in_str);
|
|
- --- 466,472 ----
|
|
*/
|
|
do {
|
|
printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
|
|
! (void) fgets(in_str, STRSIZE, stdin);
|
|
if (special_case(in_str, defaults->home_phone))
|
|
break;
|
|
remove_hyphens(in_str);
|
|
***************
|
|
*** 501,507 ****
|
|
if (input_str[length-1] != '\n') {
|
|
/* the newline and the '\0' eat up two characters */
|
|
printf("Maximum number of characters allowed is %d\n",
|
|
! BUFSIZ-2);
|
|
/* flush the rest of the input line */
|
|
while (getchar() != '\n')
|
|
/* void */;
|
|
- --- 503,509 ----
|
|
if (input_str[length-1] != '\n') {
|
|
/* the newline and the '\0' eat up two characters */
|
|
printf("Maximum number of characters allowed is %d\n",
|
|
! STRSIZE-2);
|
|
/* flush the rest of the input line */
|
|
while (getchar() != '\n')
|
|
/* void */;
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwYnVP+x0t4w7BAQGIIQP+LHLWu+bwSc4HCJeEj0l48f0Y++YenSBn
|
|
wV/dU4Ky1g0BcgccKhDsQJBLW0jOQXqGIaSOAWTgcIaFcuFyFv/6OrgkeWupv+Q4
|
|
G+F0gbNXJrscCQYa7GRuS4YA8snpQmwrICrGGC6KKgIb6+2haAj+vHL1UQI+ujAL
|
|
OXJFbkBkVk4=
|
|
=Uifa
|
|
-----END PGP SIGNATURE-----
|
|
|