Last revised: September 16, 1997
Attached Copyright statement
A complete revision history is at the end of this file.
The CERT center received the following information from Keith Bostic from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988. This patch has also been posted to comp.bugs.4bsd.ucb-fixes.
Please note that this patch will only work with BSD 4.3. If you have 4.2 please let me know and I will forward the correct patch.
Subject: security problem in passwd
Index: bin/passwd.c 4.3BSD
Description:
There's a security problem associated with the passwd(1)
program in all known Berkeley systems. This problem is
also in most Berkeley derived systems, see your vendor
for more information.
Fix:
Apply the following patch to the file src/bin/passwd.c and
recompile/reinstall it.
*** passwd.c.orig Wed Dec 21 08:57:41 1988 - --- passwd.c Wed Dec 21 09:00:25 1988 *************** *** 332,337 **** - --- 332,339 ---- return (crypt(pwbuf, saltc)); } + #define STRSIZE 100 + char * getloginshell(pwd, u, arg) struct passwd *pwd; *************** *** 338,344 **** int u; char *arg; { ! static char newshell[BUFSIZ]; char *cp, *valid, *getusershell(); if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0') - --- 340,346 ---- int u; char *arg; { ! static char newshell[STRSIZE]; char *cp, *valid, *getusershell(); if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0') *************** *** 415,423 **** getfingerinfo(pwd) struct passwd *pwd; { ! char in_str[BUFSIZ]; struct default_values *defaults, *get_defaults(); ! static char answer[4*BUFSIZ]; answer[0] = '\0'; defaults = get_defaults(pwd->pw_gecos); - --- 417,425 ---- getfingerinfo(pwd) struct passwd *pwd; { ! char in_str[STRSIZE]; struct default_values *defaults, *get_defaults(); ! static char answer[4*STRSIZE]; answer[0] = '\0'; defaults = get_defaults(pwd->pw_gecos); *************** *** 429,435 **** */ do { printf("\nName [%s]: ", defaults->name); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->name)) break; } while (illegal_input(in_str)); - --- 431,437 ---- */ do { printf("\nName [%s]: ", defaults->name); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->name)) break; } while (illegal_input(in_str)); *************** *** 440,446 **** do { printf("Room number (Exs: 597E or 197C) [%s]: ", defaults->office_num); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->office_num)) break; } while (illegal_input(in_str) || illegal_building(in_str)); - --- 442,448 ---- do { printf("Room number (Exs: 597E or 197C) [%s]: ", defaults->office_num); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->office_num)) break; } while (illegal_input(in_str) || illegal_building(in_str)); *************** *** 452,458 **** do { printf("Office Phone (Ex: 6426000) [%s]: ", defaults->office_phone); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->office_phone)) break; remove_hyphens(in_str); - --- 454,460 ---- do { printf("Office Phone (Ex: 6426000) [%s]: ", defaults->office_phone); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->office_phone)) break; remove_hyphens(in_str); *************** *** 464,470 **** */ do { printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->home_phone)) break; remove_hyphens(in_str); - --- 466,472 ---- */ do { printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->home_phone)) break; remove_hyphens(in_str); *************** *** 501,507 **** if (input_str[length-1] != '\n') { /* the newline and the '\0' eat up two characters */ printf("Maximum number of characters allowed is %d\n", ! BUFSIZ-2); /* flush the rest of the input line */ while (getchar() != '\n') /* void */; - --- 503,509 ---- if (input_str[length-1] != '\n') { /* the newline and the '\0' eat up two characters */ printf("Maximum number of characters allowed is %d\n", ! STRSIZE-2); /* flush the rest of the input line */ while (getchar() != '\n') /* void */;
Copyright 1989 Carnegie Mellon University.
Revision History
September 16, 1997 Attached copyright statement