BSD passwd buffer overflow Vulnerability

Solution:
Apply the following patch to the file src/bin/passwd.c and
recompile/reinstall it.

*** passwd.c.orig Wed Dec 21 08:57:41 1988
- --- passwd.c Wed Dec 21 09:00:25 1988
***************
*** 332,337 ****
- --- 332,339 ----
return (crypt(pwbuf, saltc));
}

+ #define STRSIZE 100
+
char *
getloginshell(pwd, u, arg)
struct passwd *pwd;
***************
*** 338,344 ****
int u;
char *arg;
{
! static char newshell[BUFSIZ];
char *cp, *valid, *getusershell();

if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
- --- 340,346 ----
int u;
char *arg;
{
! static char newshell[STRSIZE];
char *cp, *valid, *getusershell();

if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
***************
*** 415,423 ****
getfingerinfo(pwd)
struct passwd *pwd;
{
! char in_str[BUFSIZ];
struct default_values *defaults, *get_defaults();
! static char answer[4*BUFSIZ];

answer[0] = '\0';
defaults = get_defaults(pwd->pw_gecos);
- --- 417,425 ----
getfingerinfo(pwd)
struct passwd *pwd;
{
! char in_str[STRSIZE];
struct default_values *defaults, *get_defaults();
! static char answer[4*STRSIZE];

answer[0] = '\0';
defaults = get_defaults(pwd->pw_gecos);
***************
*** 429,435 ****
*/
do {
printf("\nName [%s]: ", defaults->name);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->name))
break;
} while (illegal_input(in_str));
- --- 431,437 ----
*/
do {
printf("\nName [%s]: ", defaults->name);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->name))
break;
} while (illegal_input(in_str));
***************
*** 440,446 ****
do {
printf("Room number (Exs: 597E or 197C) [%s]: ",
defaults->office_num);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->office_num))
break;
} while (illegal_input(in_str) || illegal_building(in_str));
- --- 442,448 ----
do {
printf("Room number (Exs: 597E or 197C) [%s]: ",
defaults->office_num);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->office_num))
break;
} while (illegal_input(in_str) || illegal_building(in_str));
***************
*** 452,458 ****
do {
printf("Office Phone (Ex: 6426000) [%s]: ",
defaults->office_phone);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->office_phone))
break;
remove_hyphens(in_str);
- --- 454,460 ----
do {
printf("Office Phone (Ex: 6426000) [%s]: ",
defaults->office_phone);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->office_phone))
break;
remove_hyphens(in_str);
***************
*** 464,470 ****
*/
do {
printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
! (void) fgets(in_str, BUFSIZ, stdin);
if (special_case(in_str, defaults->home_phone))
break;
remove_hyphens(in_str);
- --- 466,472 ----
*/
do {
printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
! (void) fgets(in_str, STRSIZE, stdin);
if (special_case(in_str, defaults->home_phone))
break;
remove_hyphens(in_str);
***************
*** 501,507 ****
if (input_str[length-1] != '\n') {
/* the newline and the '\0' eat up two characters */
printf("Maximum number of characters allowed is %d\n",
! BUFSIZ-2);
/* flush the rest of the input line */
while (getchar() != '\n')
/* void */;
- --- 503,509 ----
if (input_str[length-1] != '\n') {
/* the newline and the '\0' eat up two characters */
printf("Maximum number of characters allowed is %d\n",
! STRSIZE-2);
/* flush the rest of the input line */
while (getchar() != '\n')
/* void */;



 

Privacy Statement
Copyright 2010, SecurityFocus