Pages in the Historical section of this site are provided for historical purposes, they are no longer maintained. Links may not work.

Original issue date: January 1989
Last revised: September 16, 1997
Attached Copyright statement

A complete revision history is at the end of this file.

The CERT center received the following information from Keith Bostic from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988. This patch has also been posted to comp.bugs.4bsd.ucb-fixes.

Please note that this patch will only work with BSD 4.3. If you have 4.2 please let me know and I will forward the correct patch.


Subject: security problem in passwd
Index: bin/passwd.c 4.3BSD
Description:
There's a security problem associated with the passwd(1) program in all known Berkeley systems. This problem is also in most Berkeley derived systems, see your vendor for more information.
Fix:
Apply the following patch to the file src/bin/passwd.c and recompile/reinstall it.

*** passwd.c.orig       Wed Dec 21 08:57:41 1988
- --- passwd.c  Wed Dec 21 09:00:25 1988
***************
*** 332,337 ****
- --- 332,339 ----
        return (crypt(pwbuf, saltc));
  }
  
+ #define       STRSIZE 100
+ 
  char *
  getloginshell(pwd, u, arg)
        struct passwd *pwd;
***************
*** 338,344 ****
        int u;
        char *arg;
  {
!       static char newshell[BUFSIZ];
        char *cp, *valid, *getusershell();
  
        if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
- --- 340,346 ----
        int u;
        char *arg;
  {
!       static char newshell[STRSIZE];
        char *cp, *valid, *getusershell();
  
        if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
***************
*** 415,423 ****
  getfingerinfo(pwd)
        struct passwd *pwd;
  {
!       char in_str[BUFSIZ];
        struct default_values *defaults, *get_defaults();
!       static char answer[4*BUFSIZ];
  
        answer[0] = '\0';
        defaults = get_defaults(pwd->pw_gecos);
- --- 417,425 ----
  getfingerinfo(pwd)
        struct passwd *pwd;
  {
!       char in_str[STRSIZE];
        struct default_values *defaults, *get_defaults();
!       static char answer[4*STRSIZE];
  
        answer[0] = '\0';
        defaults = get_defaults(pwd->pw_gecos);
***************
*** 429,435 ****
         */
        do {
                printf("\nName [%s]: ", defaults->name);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->name)) 
                        break;
        } while (illegal_input(in_str));
- --- 431,437 ----
         */
        do {
                printf("\nName [%s]: ", defaults->name);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->name)) 
                        break;
        } while (illegal_input(in_str));
***************
*** 440,446 ****
        do {
                printf("Room number (Exs: 597E or 197C) [%s]: ",
                        defaults->office_num);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->office_num))
                        break;
        } while (illegal_input(in_str) || illegal_building(in_str));
- --- 442,448 ----
        do {
                printf("Room number (Exs: 597E or 197C) [%s]: ",
                        defaults->office_num);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->office_num))
                        break;
        } while (illegal_input(in_str) || illegal_building(in_str));
***************
*** 452,458 ****
        do {
                printf("Office Phone (Ex: 6426000) [%s]: ",
                        defaults->office_phone);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->office_phone))
                        break;
                remove_hyphens(in_str);
- --- 454,460 ----
        do {
                printf("Office Phone (Ex: 6426000) [%s]: ",
                        defaults->office_phone);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->office_phone))
                        break;
                remove_hyphens(in_str);
***************
*** 464,470 ****
         */
        do {
                printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->home_phone))
                        break;
                remove_hyphens(in_str);
- --- 466,472 ----
         */
        do {
                printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->home_phone))
                        break;
                remove_hyphens(in_str);
***************
*** 501,507 ****
        if (input_str[length-1] != '\n') {
                /* the newline and the '\0' eat up two characters */
                printf("Maximum number of characters allowed is %d\n",
!                       BUFSIZ-2);
                /* flush the rest of the input line */
                while (getchar() != '\n')
                        /* void */;
- --- 503,509 ----
        if (input_str[length-1] != '\n') {
                /* the newline and the '\0' eat up two characters */
                printf("Maximum number of characters allowed is %d\n",
!                       STRSIZE-2);
                /* flush the rest of the input line */
                while (getchar() != '\n')
                        /* void */;

Copyright 1989 Carnegie Mellon University.


Revision History
September 16, 1997  Attached copyright statement
  • No labels