Child pages
  • CERT Advisory CA-1989-01 Passwd hole

Pages in the Historical section of this site are provided for historical purposes, they are no longer maintained. Links may not work.

Skip to end of metadata
Go to start of metadata
Original issue date: January 1989
Last revised: September 16, 1997
Attached Copyright statement

A complete revision history is at the end of this file.

The CERT center received the following information from Keith Bostic from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988. This patch has also been posted to comp.bugs.4bsd.ucb-fixes.

Please note that this patch will only work with BSD 4.3. If you have 4.2 please let me know and I will forward the correct patch.


Subject: security problem in passwd
Index: bin/passwd.c 4.3BSD
Description:
There's a security problem associated with the passwd(1) program in all known Berkeley systems. This problem is also in most Berkeley derived systems, see your vendor for more information.
Fix:
Apply the following patch to the file src/bin/passwd.c and recompile/reinstall it.

*** passwd.c.orig       Wed Dec 21 08:57:41 1988
- --- passwd.c  Wed Dec 21 09:00:25 1988
***************
*** 332,337 ****
- --- 332,339 ----
        return (crypt(pwbuf, saltc));
  }
  
+ #define       STRSIZE 100
+ 
  char *
  getloginshell(pwd, u, arg)
        struct passwd *pwd;
***************
*** 338,344 ****
        int u;
        char *arg;
  {
!       static char newshell[BUFSIZ];
        char *cp, *valid, *getusershell();
  
        if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
- --- 340,346 ----
        int u;
        char *arg;
  {
!       static char newshell[STRSIZE];
        char *cp, *valid, *getusershell();
  
        if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
***************
*** 415,423 ****
  getfingerinfo(pwd)
        struct passwd *pwd;
  {
!       char in_str[BUFSIZ];
        struct default_values *defaults, *get_defaults();
!       static char answer[4*BUFSIZ];
  
        answer[0] = '\0';
        defaults = get_defaults(pwd->pw_gecos);
- --- 417,425 ----
  getfingerinfo(pwd)
        struct passwd *pwd;
  {
!       char in_str[STRSIZE];
        struct default_values *defaults, *get_defaults();
!       static char answer[4*STRSIZE];
  
        answer[0] = '\0';
        defaults = get_defaults(pwd->pw_gecos);
***************
*** 429,435 ****
         */
        do {
                printf("\nName [%s]: ", defaults->name);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->name)) 
                        break;
        } while (illegal_input(in_str));
- --- 431,437 ----
         */
        do {
                printf("\nName [%s]: ", defaults->name);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->name)) 
                        break;
        } while (illegal_input(in_str));
***************
*** 440,446 ****
        do {
                printf("Room number (Exs: 597E or 197C) [%s]: ",
                        defaults->office_num);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->office_num))
                        break;
        } while (illegal_input(in_str) || illegal_building(in_str));
- --- 442,448 ----
        do {
                printf("Room number (Exs: 597E or 197C) [%s]: ",
                        defaults->office_num);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->office_num))
                        break;
        } while (illegal_input(in_str) || illegal_building(in_str));
***************
*** 452,458 ****
        do {
                printf("Office Phone (Ex: 6426000) [%s]: ",
                        defaults->office_phone);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->office_phone))
                        break;
                remove_hyphens(in_str);
- --- 454,460 ----
        do {
                printf("Office Phone (Ex: 6426000) [%s]: ",
                        defaults->office_phone);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->office_phone))
                        break;
                remove_hyphens(in_str);
***************
*** 464,470 ****
         */
        do {
                printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->home_phone))
                        break;
                remove_hyphens(in_str);
- --- 466,472 ----
         */
        do {
                printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->home_phone))
                        break;
                remove_hyphens(in_str);
***************
*** 501,507 ****
        if (input_str[length-1] != '\n') {
                /* the newline and the '\0' eat up two characters */
                printf("Maximum number of characters allowed is %d\n",
!                       BUFSIZ-2);
                /* flush the rest of the input line */
                while (getchar() != '\n')
                        /* void */;
- --- 503,509 ----
        if (input_str[length-1] != '\n') {
                /* the newline and the '\0' eat up two characters */
                printf("Maximum number of characters allowed is %d\n",
!                       STRSIZE-2);
                /* flush the rest of the input line */
                while (getchar() != '\n')
                        /* void */;

Copyright 1989 Carnegie Mellon University.


Revision History
September 16, 1997  Attached copyright statement
  • No labels