-----BEGIN PGP SIGNED MESSAGE----- CA-89:01 CERT Advisory January 1989 Passwd hole - ----------------------------------------------------------------------------- The CERT center received the following information from Keith Bostic from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988. This patch has also been posted to comp.bugs.4bsd.ucb-fixes. Please note that this patch will only work with BSD 4.3. If you have 4.2 please let me know and I will forward the correct patch. - ----------------------------------------------------------------------------- Computer Emergency Response Team (CERT) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet: cert@cert.org Telephone: 412-268-7090 24-hour hotline: CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies other hours. Past advisories and other information are available for anonymous ftp from cert.org (192.88.209.5). Subject: security problem in passwd Index: bin/passwd.c 4.3BSD Description: There's a security problem associated with the passwd(1) program in all known Berkeley systems. This problem is also in most Berkeley derived systems, see your vendor for more information. Fix: Apply the following patch to the file src/bin/passwd.c and recompile/reinstall it. *** passwd.c.orig Wed Dec 21 08:57:41 1988 - --- passwd.c Wed Dec 21 09:00:25 1988 *************** *** 332,337 **** - --- 332,339 ---- return (crypt(pwbuf, saltc)); } + #define STRSIZE 100 + char * getloginshell(pwd, u, arg) struct passwd *pwd; *************** *** 338,344 **** int u; char *arg; { ! static char newshell[BUFSIZ]; char *cp, *valid, *getusershell(); if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0') - --- 340,346 ---- int u; char *arg; { ! static char newshell[STRSIZE]; char *cp, *valid, *getusershell(); if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0') *************** *** 415,423 **** getfingerinfo(pwd) struct passwd *pwd; { ! char in_str[BUFSIZ]; struct default_values *defaults, *get_defaults(); ! static char answer[4*BUFSIZ]; answer[0] = '\0'; defaults = get_defaults(pwd->pw_gecos); - --- 417,425 ---- getfingerinfo(pwd) struct passwd *pwd; { ! char in_str[STRSIZE]; struct default_values *defaults, *get_defaults(); ! static char answer[4*STRSIZE]; answer[0] = '\0'; defaults = get_defaults(pwd->pw_gecos); *************** *** 429,435 **** */ do { printf("\nName [%s]: ", defaults->name); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->name)) break; } while (illegal_input(in_str)); - --- 431,437 ---- */ do { printf("\nName [%s]: ", defaults->name); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->name)) break; } while (illegal_input(in_str)); *************** *** 440,446 **** do { printf("Room number (Exs: 597E or 197C) [%s]: ", defaults->office_num); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->office_num)) break; } while (illegal_input(in_str) || illegal_building(in_str)); - --- 442,448 ---- do { printf("Room number (Exs: 597E or 197C) [%s]: ", defaults->office_num); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->office_num)) break; } while (illegal_input(in_str) || illegal_building(in_str)); *************** *** 452,458 **** do { printf("Office Phone (Ex: 6426000) [%s]: ", defaults->office_phone); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->office_phone)) break; remove_hyphens(in_str); - --- 454,460 ---- do { printf("Office Phone (Ex: 6426000) [%s]: ", defaults->office_phone); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->office_phone)) break; remove_hyphens(in_str); *************** *** 464,470 **** */ do { printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->home_phone)) break; remove_hyphens(in_str); - --- 466,472 ---- */ do { printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->home_phone)) break; remove_hyphens(in_str); *************** *** 501,507 **** if (input_str[length-1] != '\n') { /* the newline and the '\0' eat up two characters */ printf("Maximum number of characters allowed is %d\n", ! BUFSIZ-2); /* flush the rest of the input line */ while (getchar() != '\n') /* void */; - --- 503,509 ---- if (input_str[length-1] != '\n') { /* the newline and the '\0' eat up two characters */ printf("Maximum number of characters allowed is %d\n", ! STRSIZE-2); /* flush the rest of the input line */ while (getchar() != '\n') /* void */; -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaMwYnVP+x0t4w7BAQGIIQP+LHLWu+bwSc4HCJeEj0l48f0Y++YenSBn wV/dU4Ky1g0BcgccKhDsQJBLW0jOQXqGIaSOAWTgcIaFcuFyFv/6OrgkeWupv+Q4 G+F0gbNXJrscCQYa7GRuS4YA8snpQmwrICrGGC6KKgIb6+2haAj+vHL1UQI+ujAL OXJFbkBkVk4= =Uifa -----END PGP SIGNATURE-----