The CERT center received the following information from Keith Bostic

from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988.

This patch has also been posted to comp.bugs.4bsd.ucb-fixes.



Please note that this patch will only work with BSD 4.3.  If you have

4.2 please let me know and I will forward the correct patch.



Ed DeHart

Software Engineering Institute / Computer Emergency Response Team

cert@sei.cmu.edu

412-268-7090

------------------



Subject: security problem in passwd

Index: bin/passwd.c 4.3BSD



Description:

	There's a security problem associated with the passwd(1)

	program in all known Berkeley systems.  This problem is

	also in most Berkeley-derived systems; see your vendor

	for more information.



Fix:

	Apply the following patch to the file src/bin/passwd.c and

	recompile/reinstall it.



*** passwd.c.orig	Wed Dec 21 08:57:41 1988

--- passwd.c	Wed Dec 21 09:00:25 1988

***************

*** 332,337 ****

--- 332,339 ----

  	return (crypt(pwbuf, saltc));

  }

  

+ #define	STRSIZE	100

+ 

  char *

  getloginshell(pwd, u, arg)

  	struct passwd *pwd;
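Review bot: `STRSIZE` is introduced without a comment saying what it limits or why the value is 100, even though the later hunks use it both as an array size and as the `fgets` limit. A one-line comment above the define would record the intent, e.g. `/* max bytes accepted per interactive field; deliberately much smaller than BUFSIZ */`. The rationale is not stated on the page, so the author should confirm the wording; presumably the aim is to keep the assembled passwd entry short.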

***************

*** 338,344 ****

  	int u;

  	char *arg;

  {

! 	static char newshell[BUFSIZ];

  	char *cp, *valid, *getusershell();

  

  	if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')

--- 340,346 ----

  	int u;

  	char *arg;

  {

! 	static char newshell[STRSIZE];

  	char *cp, *valid, *getusershell();

  

  	if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
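Review bot: Shrinking `newshell` from `BUFSIZ` to `STRSIZE` is only safe if every write into it is bounded by the new size, and none of those writes is visible in this hunk. The body of getloginshell continues past the hunk; any copy of `arg` or read from stdin there should take `sizeof newshell` as its limit rather than a leftover `BUFSIZ`. A comment on the declaration such as `/* static: returned to caller; all writes bounded by sizeof newshell */` would record the invariant.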

***************

*** 415,423 ****

  getfingerinfo(pwd)

  	struct passwd *pwd;

  {

! 	char in_str[BUFSIZ];

  	struct default_values *defaults, *get_defaults();

! 	static char answer[4*BUFSIZ];

  

  	answer[0] = '\0';

  	defaults = get_defaults(pwd->pw_gecos);

--- 417,425 ----

  getfingerinfo(pwd)

  	struct passwd *pwd;

  {

! 	char in_str[STRSIZE];

  	struct default_values *defaults, *get_defaults();

! 	static char answer[4*STRSIZE];

  

  	answer[0] = '\0';

  	defaults = get_defaults(pwd->pw_gecos);
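Review bot: `answer[4*STRSIZE]` is sized for four fields read through `in_str`, but the defaults parsed from `pwd->pw_gecos` are not limited to `STRSIZE` by anything in this hunk. The code that builds `answer` lies outside the hunk; if a kept default is appended as it stands, an existing over-long gecos field could exceed the smaller buffer. Either truncate each default to `STRSIZE-1` in `get_defaults` or bound every append against `sizeof answer`. A comment on the declaration, `/* four fields of at most STRSIZE-1 bytes plus separators */`, would make the sizing assumption explicit.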

***************

*** 429,435 ****

  	 */

  	do {

  		printf("\nName [%s]: ", defaults->name);

! 		(void) fgets(in_str, BUFSIZ, stdin);

  		if (special_case(in_str, defaults->name)) 

  			break;

  	} while (illegal_input(in_str));

--- 431,437 ----

  	 */

  	do {

  		printf("\nName [%s]: ", defaults->name);

! 		(void) fgets(in_str, STRSIZE, stdin);

  		if (special_case(in_str, defaults->name)) 

  			break;

  	} while (illegal_input(in_str));
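Review bot: The `fgets` result in the Name loop is still discarded with `(void)`, so at end-of-file or on a read error `in_str` keeps its previous contents (uninitialized on the first pass) and is then handed to `special_case` and `illegal_input`. Check the return value and stop, e.g. `if (fgets(in_str, sizeof in_str, stdin) == NULL) exit(1);`. Using `sizeof in_str` also keeps the limit tied to the array if `STRSIZE` ever changes. The same applies to the room-number, office-phone and home-phone loops in the following hunks. The right failure path depends on code outside the hunk, so adapt the exit to the file's convention.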

***************

*** 440,446 ****

  	do {

  		printf("Room number (Exs: 597E or 197C) [%s]: ",

  			defaults->office_num);

! 		(void) fgets(in_str, BUFSIZ, stdin);

  		if (special_case(in_str, defaults->office_num))

  			break;

  	} while (illegal_input(in_str) || illegal_building(in_str));

--- 442,448 ----

  	do {

  		printf("Room number (Exs: 597E or 197C) [%s]: ",

  			defaults->office_num);

! 		(void) fgets(in_str, STRSIZE, stdin);

  		if (special_case(in_str, defaults->office_num))

  			break;

  	} while (illegal_input(in_str) || illegal_building(in_str));

***************

*** 452,458 ****

  	do {

  		printf("Office Phone (Ex: 6426000) [%s]: ",

  			defaults->office_phone);

! 		(void) fgets(in_str, BUFSIZ, stdin);

  		if (special_case(in_str, defaults->office_phone))

  			break;

  		remove_hyphens(in_str);

--- 454,460 ----

  	do {

  		printf("Office Phone (Ex: 6426000) [%s]: ",

  			defaults->office_phone);

! 		(void) fgets(in_str, STRSIZE, stdin);

  		if (special_case(in_str, defaults->office_phone))

  			break;

  		remove_hyphens(in_str);

***************

*** 464,470 ****

  	 */

  	do {

  		printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);

! 		(void) fgets(in_str, BUFSIZ, stdin);

  		if (special_case(in_str, defaults->home_phone))

  			break;

  		remove_hyphens(in_str);

--- 466,472 ----

  	 */

  	do {

  		printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);

! 		(void) fgets(in_str, STRSIZE, stdin);

  		if (special_case(in_str, defaults->home_phone))

  			break;

  		remove_hyphens(in_str);

***************

*** 501,507 ****

  	if (input_str[length-1] != '\n') {

  		/* the newline and the '\0' eat up two characters */

  		printf("Maximum number of characters allowed is %d\n",

! 			BUFSIZ-2);

  		/* flush the rest of the input line */

  		while (getchar() != '\n')

  			/* void */;

--- 503,509 ----

  	if (input_str[length-1] != '\n') {

  		/* the newline and the '\0' eat up two characters */

  		printf("Maximum number of characters allowed is %d\n",

! 			STRSIZE-2);

  		/* flush the rest of the input line */

  		while (getchar() != '\n')

  			/* void */;
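Review bot: The flush loop `while (getchar() != '\n')` never terminates if stdin reaches end-of-file before a newline, because `getchar()` keeps returning `EOF`. Use `int c; while ((c = getchar()) != '\n' && c != EOF) /* void */;` instead. Separately, `input_str[length-1]` reads before the buffer when `length` is 0; `length` is computed outside this hunk, so confirm that an empty string cannot reach this test. The message prints `STRSIZE-2` whatever buffer was passed in, which is correct only while every caller uses a `STRSIZE` buffer.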



