Your message dated Fri, 14 Jul 2006 05:17:11 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#377825: fixed in shadow 1:4.0.17-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: passwd
Version: 1:4.0.16-2
Severity: normal

When chpasswd or chgpasswd are compiled with SSP (the -fstack-protector
option in gcc 4.1), and you attempt to use the -m option with either of
them, they crash on exit from main() with "stack smashing detected".
This turns out to be due to an overflow of the 'salt' array.

The attached patch fixes this by making sure the salt returned from
crypt_make_salt is properly truncated if MD5_CRYPT_ENAB is disabled, and
by making chpasswd and chgpasswd more careful to avoid a buffer overflow
while handling that salt in their MD5 modes. I believe that either
change alone would fix the bug, but I made both changes just to be
absolutely sure.

Thanks,

-- 
Colin Watson                                       [EMAIL PROTECTED]
Index: shadow-4.0.16/libmisc/salt.c
===================================================================
--- shadow-4.0.16.orig/libmisc/salt.c   2006-07-11 12:52:27.000000000 +0100
+++ shadow-4.0.16/libmisc/salt.c        2006-07-11 12:54:20.000000000 +0100
@@ -24,11 +24,13 @@
 {
        struct timeval tv;
        static char result[40];
+       int max_salt_len = 8;
 
        result[0] = '\0';
 #ifndef USE_PAM
        if (getdef_bool ("MD5_CRYPT_ENAB")) {
                strcpy (result, "$1$"); /* magic for the new MD5 crypt() */
+               max_salt_len += 3;
        }
 #endif
 
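Review bot: `int max_salt_len` is compared against `strlen (result)` in the next hunk of this file, a signed/unsigned comparison that `gcc -Wsign-compare` flags; declare it `size_t`. The name also understates what it holds once `max_salt_len += 3` runs (magic plus salt), and the old `/* magic+salt */` comment that explained the literal 11 disappears with this change. A one-line comment stating that the value is 8 salt characters, plus 3 for the "$1$" magic when MD5_CRYPT_ENAB is set, and stays at 8 in a USE_PAM build where no magic is prepended, would keep the intent readable.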
@@ -39,8 +41,8 @@
        strcat (result, l64a (tv.tv_usec));
        strcat (result, l64a (tv.tv_sec + getpid () + clock ()));
 
-       if (strlen (result) > 3 + 8)    /* magic+salt */
-               result[11] = '\0';
+       if (strlen (result) > max_salt_len)
+               result[max_salt_len] = '\0';
 
        return result;
 }
Index: shadow-4.0.16/src/chgpasswd.c
===================================================================
--- shadow-4.0.16.orig/src/chgpasswd.c  2006-07-11 13:17:08.000000000 +0100
+++ shadow-4.0.16/src/chgpasswd.c       2006-07-11 13:18:08.000000000 +0100
@@ -243,10 +243,16 @@
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char salt[12] = "$1$";
+                               char md5salt[12] = "$1$";
+                               char *salt = crypt_make_salt ();
 
-                               strcat (salt, crypt_make_salt ());
-                               cp = pw_encrypt (newpwd, salt);
+                               if (strncmp (salt, "$1$", 3) == 0) {
+                                       strncat (md5salt, salt, 11);
+                               } else {
+                                       strcat (md5salt, "$1$");
+                                       strncat (md5salt, salt, 8);
+                               }
+                               cp = pw_encrypt (newpwd, md5salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());
                }
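Review bot: the `strncmp (salt, "$1$", 3) == 0` branch still overflows in this file: `md5salt` is initialised to "$1$" here, so `strncat (md5salt, salt, 11)` appends a salt that already begins with "$1$", producing "$1$$1$..." of 14 characters plus NUL in a 12-byte array, the same overflow the patch is meant to remove, plus a doubled magic that crypt() will not read as an MD5 salt. Initialise `md5salt` to "" as the chpasswd.c hunk does, so the branch that keeps the caller's magic starts from an empty buffer and only the `strcat (md5salt, "$1$")` branch adds it.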
Index: shadow-4.0.16/src/chpasswd.c
===================================================================
--- shadow-4.0.16.orig/src/chpasswd.c   2006-07-11 12:54:25.000000000 +0100
+++ shadow-4.0.16/src/chpasswd.c        2006-07-11 13:17:00.000000000 +0100
@@ -238,10 +238,16 @@
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char salt[12] = "$1$";
+                               char md5salt[12] = "";
+                               char *salt = crypt_make_salt ();
 
-                               strcat (salt, crypt_make_salt ());
-                               cp = pw_encrypt (newpwd, salt);
+                               if (strncmp (salt, "$1$", 3) == 0) {
+                                       strncat (md5salt, salt, 11);
+                               } else {
+                                       strcat (md5salt, "$1$");
+                                       strncat (md5salt, salt, 8);
+                               }
+                               cp = pw_encrypt (newpwd, md5salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());
                }
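Review bot: the bounds 11 and 8 are correct only because `md5salt` is exactly 12 bytes and holds "" or "$1$" at the point of each `strncat`; nothing ties them to the declaration. Prefer `strncat (md5salt, salt, sizeof (md5salt) - strlen (md5salt) - 1)` in both branches, or at least a comment that 3 (magic) + 8 (salt) + 1 (NUL) = 12 matches the array size, so a later change to the buffer does not silently reintroduce the overflow. The truncation of a longer salt is silent, which is acceptable here because MD5 crypt uses at most 8 salt characters.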

--- End Message ---
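The arithmetic behind the stack smash described in the report, as an added illustration (this is not code from the bug report or from shadow): `fake_crypt_make_salt` is a constructed stand-in for `crypt_make_salt` whose return values are example data, `bytes_needed_for_strcat` shows how many bytes the pre-patch `strcat` into `char salt[12] = "$1$"` would write, and `build_md5_salt` is a bounded construction that produces the same output as the patched chpasswd.c logic but derives its limits from the destination size instead of the literals 11 and 8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for shadow's crypt_make_salt(): in a non-PAM build
 * with MD5_CRYPT_ENAB it returns "$1$" plus an 8-character salt, otherwise
 * the bare 8 characters. These strings are example data, not real output. */
const char *fake_crypt_make_salt(int md5_enabled)
{
    return md5_enabled ? "$1$ab12CD34" : "ab12CD34";
}

/* Bytes that strcat(buf, salt) writes into a buffer already holding
 * `prefix`, terminating NUL included. The pre-patch code did exactly this
 * into char salt[12] = "$1$", so any result above 12 is the stack smash
 * that -fstack-protector reports on return from main(). */
size_t bytes_needed_for_strcat(const char *prefix, const char *salt)
{
    return strlen(prefix) + strlen(salt) + 1;
}

/* Bounded construction of an MD5-crypt salt. Output matches the patched
 * chpasswd.c logic (keep the caller's "$1$" if present, otherwise add it,
 * never more than 8 salt characters) but the limits come from dstsz.
 * Returns 0 on success, -1 if dst cannot hold "$1$" + 8 chars + NUL. */
int build_md5_salt(char *dst, size_t dstsz, const char *salt)
{
    static const char magic[] = "$1$";
    const size_t magic_len = sizeof(magic) - 1;   /* 3 */
    const size_t max_salt = 8;                    /* MD5 crypt reads at most 8 */
    size_t i;

    if (dstsz < magic_len + max_salt + 1)
        return -1;
    if (strncmp(salt, magic, magic_len) == 0)
        salt += magic_len;  /* caller's salt already carries the magic */

    memcpy(dst, magic, magic_len);
    /* copy at most 8 salt characters, stopping early at the NUL */
    for (i = 0; i < max_salt && salt[i] != '\0'; i++)
        dst[magic_len + i] = salt[i];
    dst[magic_len + i] = '\0';
    return 0;
}

int main(void)
{
    char buf[12];
    const char *s = fake_crypt_make_salt(1);

    printf("unbounded strcat needs %zu bytes, buffer has %zu\n",
           bytes_needed_for_strcat("$1$", s), sizeof buf);
    if (build_md5_salt(buf, sizeof buf, s) == 0)
        printf("bounded result: %s\n", buf);
    return 0;
}
```

With the MD5-prefixed return value the unbounded concatenation needs 15 bytes for a 12-byte array; with the bare 8-character salt it needs exactly 12, which is why truncating `crypt_make_salt`'s result to 8 characters on its own is enough in a build where no magic is prepended.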
--- Begin Message ---
Source: shadow
Source-Version: 1:4.0.17-2

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.17-2_i386.deb
  to pool/main/s/shadow/login_4.0.17-2_i386.deb
passwd_4.0.17-2_i386.deb
  to pool/main/s/shadow/passwd_4.0.17-2_i386.deb
shadow_4.0.17-2.diff.gz
  to pool/main/s/shadow/shadow_4.0.17-2.diff.gz
shadow_4.0.17-2.dsc
  to pool/main/s/shadow/shadow_4.0.17-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <[EMAIL PROTECTED]> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 14 Jul 2006 13:05:53 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.17-2
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <[EMAIL PROTECTED]>
Changed-By: Christian Perrier <[EMAIL PROTECTED]>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 374547 377825
Changes: 
 shadow (1:4.0.17-2) unstable; urgency=low
 .
   * The "La Marseillaise 2006" release
   * Upstream bugs not yet fixed in upstream releases or CVS:
     - 495_salt_stack_smash: chpasswd/chgpasswd does not break if compiled
       with SSP. Closes: #377825
     - 496_login_init_session: Make login initialize a session so that
       ^C and ^Z work when used while booting with "init=/bin/login"
       Closes: #374547
Files: 
 4ba63636afa1c8b5c4fc152670d2bcdd 981 admin required shadow_4.0.17-2.dsc
 51e7835402774bd065770681c440c61c 162289 admin required shadow_4.0.17-2.diff.gz
 6963cb48995d3dc65550fbc58e16907c 752594 admin required passwd_4.0.17-2_i386.deb
 5f613a33b6279a4cd9adeab105ab9360 783052 admin required login_4.0.17-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEt4nI1OXtrMAUPS0RAggLAJwPe/oyKQnlMVQiXS4+oCnoOGPS5ACglCM6
YVroB+rNgftmJssMdhKdils=
=HOt/
-----END PGP SIGNATURE-----


--- End Message ---
