|
CERT Advisory #4
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
The CERT center received the following information from Keith Bostic
from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988.
This patch has also been posted to comp.bugs.4bsd.ucb-fixes.
Please note that this patch will only work with BSD 4.3. If you have
4.2 please let me know and I will forward the correct patch.
Ed DeHart
Software Engineering Institute / Computer Emergency Response Team
[email protected]
412-268-7090
------------------
Subject: security problem in passwd
Index: bin/passwd.c 4.3BSD
Description:
There's a security problem associated with the passwd(1)
program in all known Berkeley systems. This problem is
also in most Berkeley derived systems, see your vendor
for more information.
Fix:
Apply the following patch to the file src/bin/passwd.c and
recompile/reinstall it.
*** passwd.c.orig Wed Dec 21 08:57:41 1988
--- passwd.c Wed Dec 21 09:00:25 1988
***************
*** 332,337 ****
--- 332,339 ----
return (crypt(pwbuf, saltc));
}
+ #define STRSIZE 100
+
char *
getloginshell(pwd, u, arg)
struct passwd *pwd;
***************
*** 338,344 ****
int u;
char *arg;
{
! static char newshell[BUFSIZ];
char *cp, *valid, *getusershell();
if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
--- 340,346 ----
int u;
char *arg;
{
! static char newshell[STRSIZE];
char *cp, *valid, *getusershell();
if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
***************
*** 415,423 ****
getfingerinfo(pwd)
struct passwd *pwd;
{
! char in_str[BUFSIZ];
struct default_values *defaults, *get_defaults();
! static char answer[4*BUFSIZ];
answer[0] = '\0';
defaults = get_defaults(pwd->pw_gecos);
--- 417,425 ----
getfingerinfo(pwd)
struct passwd *pwd;
{
! char in_str[STRSIZE];
struct default_values *defaults, *get_defaults();
! static char answer[4*STRSIZE];
answer[0] = '\0';
defaults = get_defaults(pwd->pw_gecos);
***************
*** 429,435 ****
*/
do {
printf("\nName [%s]: ", defaults->name);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->name))
break;
} while (illegal_input(in_str));
--- 431,437 ----
*/
do {
printf("\nName [%s]: ", defaults->name);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->name))
break;
} while (illegal_input(in_str));
***************
*** 440,446 ****
do {
printf("Room number (Exs: 597E or 197C) [%s]: ",
defaults->office_num);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->office_num))
break;
} while (illegal_input(in_str) || illegal_building(in_str));
--- 442,448 ----
do {
printf("Room number (Exs: 597E or 197C) [%s]: ",
defaults->office_num);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->office_num))
break;
} while (illegal_input(in_str) || illegal_building(in_str));
***************
*** 452,458 ****
do {
printf("Office Phone (Ex: 6426000) [%s]: ",
defaults->office_phone);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->office_phone))
break;
remove_hyphens(in_str);
--- 454,460 ----
do {
printf("Office Phone (Ex: 6426000) [%s]: ",
defaults->office_phone);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->office_phone))
break;
remove_hyphens(in_str);
***************
*** 464,470 ****
*/
do {
printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->home_phone))
break;
remove_hyphens(in_str);
--- 466,472 ----
*/
do {
printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->home_phone))
break;
remove_hyphens(in_str);
***************
*** 501,507 ****
if (input_str[length-1] != '\n') {
/* the newline and the '\0' eat up two characters */
printf("Maximum number of characters allowed is %d\n",
! BUFSIZ-2);
/* flush the rest of the input line */
while (getchar() != '\n')
/* void */;
--- 503,509 ----
if (input_str[length-1] != '\n') {
/* the newline and the '\0' eat up two characters */
printf("Maximum number of characters allowed is %d\n",
! STRSIZE-2);
/* flush the rest of the input line */
while (getchar() != '\n')
/* void */;
|
|