Your message dated Tue, 11 Jul 2006 18:25:29 +0200
with message-id <[EMAIL PROTECTED]>
has caused the Debian Bug report #377825,
regarding passwd: chpasswd/chgpasswd break if compiled with SSP
to be marked as having been forwarded to the upstream software
author(s) Tomasz Kłoczko <[EMAIL PROTECTED]>.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
tags 377825 patch
thanks

Tomasz, it seems that this BR and the attached patch are worth all your
attention.

----- Forwarded message from Colin Watson <[EMAIL PROTECTED]> -----

Date: Tue, 11 Jul 2006 14:27:36 +0100
From: Colin Watson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Pkg-shadow-devel] Bug#377825: passwd: chpasswd/chgpasswd break if
        compiled with SSP
Reply-To: Colin Watson <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

Package: passwd
Version: 1:4.0.16-2
Severity: normal

When chpasswd or chgpasswd are compiled with SSP (the -fstack-protector
option in gcc 4.1), and you attempt to use the -m option with either of
them, they crash on exit from main() with "stack smashing detected".
This turns out to be due to an overflow of the 'salt' array.

The attached patch fixes this by making sure the salt returned from
crypt_make_salt is properly truncated if MD5_CRYPT_ENAB is disabled, and
by making chpasswd and chgpasswd more careful to avoid a buffer overflow
while handling that salt in their MD5 modes. I believe that either
change alone would fix the bug, but I made both changes just to be
absolutely sure.

Thanks,

-- 
Colin Watson                                       [EMAIL PROTECTED]

Index: shadow-4.0.16/libmisc/salt.c
===================================================================
--- shadow-4.0.16.orig/libmisc/salt.c   2006-07-11 12:52:27.000000000 +0100
+++ shadow-4.0.16/libmisc/salt.c        2006-07-11 12:54:20.000000000 +0100
@@ -24,11 +24,13 @@
 {
        struct timeval tv;
        static char result[40];
+       int max_salt_len = 8;
 
        result[0] = '\0';
 #ifndef USE_PAM
        if (getdef_bool ("MD5_CRYPT_ENAB")) {
                strcpy (result, "$1$"); /* magic for the new MD5 crypt() */
+               max_salt_len += 3;
        }
 #endif
 
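Review bot: `max_salt_len` is misnamed and undocumented. Once `max_salt_len += 3;` runs in the MD5_CRYPT_ENAB branch, it is the maximum length of the whole result string, "$1$" magic included, not of the salt alone. A name such as `max_result_len` or a one-line comment at the declaration would make that clear, and writing the increment as `strlen ("$1$")` instead of a bare 3 would keep it tied to the strcpy on the line above.
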
@@ -39,8 +41,8 @@
        strcat (result, l64a (tv.tv_usec));
        strcat (result, l64a (tv.tv_sec + getpid () + clock ()));
 
-       if (strlen (result) > 3 + 8)    /* magic+salt */
-               result[11] = '\0';
+       if (strlen (result) > max_salt_len)
+               result[max_salt_len] = '\0';
 
        return result;
 }
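
Review bot: `strlen (result) > max_salt_len` compares a size_t with an int, because the first hunk declares `int max_salt_len = 8;`. Declaring it `size_t` avoids the signed/unsigned comparison and matches its use as an array index in `result[max_salt_len] = '\0';`. The removed `/* magic+salt */` comment was the only explanation of the limit, so an equivalent comment is worth keeping on the new test.
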
Index: shadow-4.0.16/src/chgpasswd.c
===================================================================
--- shadow-4.0.16.orig/src/chgpasswd.c  2006-07-11 13:17:08.000000000 +0100
+++ shadow-4.0.16/src/chgpasswd.c       2006-07-11 13:18:08.000000000 +0100
@@ -243,10 +243,16 @@
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char salt[12] = "$1$";
+                               char md5salt[12] = "$1$";
+                               char *salt = crypt_make_salt ();
 
-                               strcat (salt, crypt_make_salt ());
-                               cp = pw_encrypt (newpwd, salt);
+                               if (strncmp (salt, "$1$", 3) == 0) {
+                                       strncat (md5salt, salt, 11);
+                               } else {
+                                       strcat (md5salt, "$1$");
+                                       strncat (md5salt, salt, 8);
+                               }
+                               cp = pw_encrypt (newpwd, md5salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());
                }
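
Review bot: `char md5salt[12] = "$1$";` still overflows in both branches. The array already holds the 3-character magic, so `strncat (md5salt, salt, 11)` can write up to 3 + 11 + 1 = 15 bytes into 12. The else branch appends "$1$" a second time and then up to 8 salt characters, again 15 bytes. Both paths also produce a doubled "$1$$1$" prefix. The chpasswd.c hunk initialises the same array with `""`; using that initialiser here makes both branches fit.
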
Index: shadow-4.0.16/src/chpasswd.c
===================================================================
--- shadow-4.0.16.orig/src/chpasswd.c   2006-07-11 12:54:25.000000000 +0100
+++ shadow-4.0.16/src/chpasswd.c        2006-07-11 13:17:00.000000000 +0100
@@ -238,10 +238,16 @@
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char salt[12] = "$1$";
+                               char md5salt[12] = "";
+                               char *salt = crypt_make_salt ();
 
-                               strcat (salt, crypt_make_salt ());
-                               cp = pw_encrypt (newpwd, salt);
+                               if (strncmp (salt, "$1$", 3) == 0) {
+                                       strncat (md5salt, salt, 11);
+                               } else {
+                                       strcat (md5salt, "$1$");
+                                       strncat (md5salt, salt, 8);
+                               }
+                               cp = pw_encrypt (newpwd, md5salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());
                }
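
Review bot: the limits in `strncat (md5salt, salt, 11)` and `strncat (md5salt, salt, 8)` are right only because they were worked out by hand against `md5salt[12]` (11 + 1 and 3 + 8 + 1), leaving no margin. Deriving the count from the array, for example `sizeof md5salt - strlen (md5salt) - 1`, keeps the bound correct if the array size or the prefix ever changes. The same block is repeated in chgpasswd.c, so a shared helper would keep the two copies from drifting apart.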

----- End forwarded message -----


--- End Message ---
