[hackers] [ubase][PATCH] passwd: fix crashes when authentication is unnecessary.

2018-09-25 Thread Mario J. Rugiero
From: Mario Rugiero 

When running with root or a password for the user is missing,
authentication is bypassed.
However, it is later attempted to compare the new password
against the missing one, causing crypt to crash due to a null
salt.
In the case of a missing password, there's no prior password
to compare to, so the only choice is to avoid the comparison.
In the case of root, reading a password (if present) is possible,
to avoid resetting to the same password. However, it seems benign
to just let it be to avoid more confusion.
Anyway, the fix consists of doing the check only if we got an
old password to begin with.
---
 passwd.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/passwd.c b/passwd.c
index 52b70a8..92c59fd 100644
--- a/passwd.c
+++ b/passwd.c
@@ -235,11 +235,13 @@ newpass:
eprintf("getpass:");
if (inpass[0] == '\0')
eprintf("no password supplied\n");
-   p = crypt(inpass, prevhash);
-   if (!p)
-   eprintf("crypt:");
-   if (cryptpass1 && strcmp(cryptpass1, p) == 0)
-   eprintf("password left unchanged\n");
+   if (prevhash) {
+   p = crypt(inpass, prevhash);
+   if (!p)
+   eprintf("crypt:");
+   if (strcmp(cryptpass1, p) == 0)
+   eprintf("password left unchanged\n");
+   }
gensalt(salt + strlen(salt));
p = crypt(inpass, salt);
if (!p)
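Review bot: the new guard `if (prevhash) {` drops the `cryptpass1 &&` test that the removed `if (cryptpass1 && strcmp(cryptpass1, p) == 0)` line had, so `strcmp(cryptpass1, p)` now reads cryptpass1 unconditionally. If there is any path on which prevhash is set but cryptpass1 is not (the root case the message describes bypasses authentication, which is presumably where cryptpass1 gets computed), this trades a NULL salt in crypt() for a NULL argument to strcmp(). Suggest `if (prevhash && cryptpass1) {`, which makes both preconditions explicit, or a one-line comment stating why a non-NULL prevhash implies a non-NULL cryptpass1.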
-- 
2.17.1




[hackers] [ubase][PATCH] passwd: fix crashes for unencrypted passwords starting with 'x'.

2018-09-25 Thread Mario J. Rugiero
From: Mario Rugiero 

When deciding where the previous hash should come from, it is
assumed that 'x'-started strings all mean to look in shadow.
This is probably harmless in practice, since modern Linux still
uses only hashes instead of raw passwords.
However, this is more robust, and more importantly, it is more
consistent with the previous check, which explicitly tests for
the string to be "x".
---
 passwd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/passwd.c b/passwd.c
index 92c59fd..53e01e8 100644
--- a/passwd.c
+++ b/passwd.c
@@ -210,7 +210,8 @@ main(int argc, char *argv[])
if (pw->pw_passwd[0] == '\0') {
goto newpass;
}
-   if (pw->pw_passwd[0] == 'x')
+   if (pw->pw_passwd[0] == 'x' &&
+   pw->pw_passwd[1] == '\0')
prevhash = spw->sp_pwdp;
else
prevhash = pw->pw_passwd;
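Review bot: the two-index test `pw->pw_passwd[0] == 'x' && pw->pw_passwd[1] == '\0'` is correct, but `strcmp(pw->pw_passwd, "x") == 0` states the intent (the whole field is exactly "x") in one expression and matches the form of the earlier check the message refers to, so I would use that instead. Separately, `prevhash = spw->sp_pwdp;` still assumes spw is non-NULL; if the shadow lookup can fail (for example for an unprivileged caller), that needs a check before this line, which is not visible in the hunk.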
-- 
2.17.1




[hackers] [ubase][PATCH] passwd: fix crashes when authentication is unnecessary.

2018-09-24 Thread Mario J. Rugiero
From: Mario Rugiero 

When running with root or a password for the user is missing,
authentication is bypassed.
However, it is later attempted to compare the new password
against the missing one, causing crypt to crash due to a null
salt.
In the case of a missing password, there's no prior password
to compare to, so the only choice is to avoid the comparison.
In the case of root, reading a password (if present) is possible,
to avoid resetting to the same password. However, it seems benign
to just let it be to avoid more confusion.
Anyway, the fix consists of doing the check only if we got an
old password to begin with.
---
 passwd.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/passwd.c b/passwd.c
index 52b70a8..0b54537 100644
--- a/passwd.c
+++ b/passwd.c
@@ -235,11 +235,13 @@ newpass:
eprintf("getpass:");
if (inpass[0] == '\0')
eprintf("no password supplied\n");
-   p = crypt(inpass, prevhash);
-   if (!p)
-   eprintf("crypt:");
-   if (cryptpass1 && strcmp(cryptpass1, p) == 0)
-   eprintf("password left unchanged\n");
+   if (cryptpass1) {
+   p = crypt(inpass, prevhash);
+   if (!p)
+   eprintf("crypt:");
+   if (strcmp(cryptpass1, p) == 0)
+   eprintf("password left unchanged\n");
+   }
gensalt(salt + strlen(salt));
p = crypt(inpass, salt);
if (!p)
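Review bot: the guard `if (cryptpass1) {` is one step removed from the crash the message describes, which is a NULL prevhash reaching crypt() as the salt; it only prevents that crash if cryptpass1 is non-NULL exactly when prevhash is. That probably holds if cryptpass1 is derived from prevhash, but nothing in the hunk shows it. Guarding on `prevhash && cryptpass1` would make the precondition for both the crypt() call and the strcmp() call explicit and would survive a later reordering of the authentication code.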
-- 
2.17.1




[hackers] [ubase][PATCH] passwd: fix crashes for unencrypted passwords starting with 'x'.

2018-09-24 Thread Mario J. Rugiero
From: Mario Rugiero 

When deciding where the previous hash should come from, it is
assumed that 'x'-started strings all mean to look in shadow.
This is probably harmless in practice, since modern Linux still
uses only hashes instead of raw passwords.
However, this is more robust, and more importantly, it is more
consistent with the previous check, which explicitly tests for
the string to be "x".
---
 passwd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/passwd.c b/passwd.c
index 0b54537..dca2e58 100644
--- a/passwd.c
+++ b/passwd.c
@@ -210,7 +210,8 @@ main(int argc, char *argv[])
if (pw->pw_passwd[0] == '\0') {
goto newpass;
}
-   if (pw->pw_passwd[0] == 'x')
+   if (pw->pw_passwd[0] == 'x' &&
+   pw->pw_passwd[0] == '\0')
prevhash = spw->sp_pwdp;
else
prevhash = pw->pw_passwd;
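Review bot: the added condition `pw->pw_passwd[0] == 'x' && pw->pw_passwd[0] == '\0'` tests index 0 twice and can never be true, so the shadow branch becomes dead code and prevhash is set to the literal "x" for every shadowed account, which is then handed to crypt() as the salt. The second test should be `pw->pw_passwd[1] == '\0'`; alternatively `strcmp(pw->pw_passwd, "x") == 0` matches the earlier check the message mentions and avoids the index typo altogether.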
-- 
2.17.1




[hackers] [dwm][PATCH] Fix use-after-free on cleanup.

2018-09-24 Thread Mario J. Rugiero
From: Mario Rugiero 

When cleaning up the stack, the stack member for the first
monitor wasn't being updated to reflect this, with the following
(possible) consequences:
- An infinite loop. If things wouldn't crash, not updating the
guard of the loop would lead to this.
- Garbage being read and passed to functions.
- A double free on m->stack.
---
 dwm.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/dwm.c b/dwm.c
index 4465af1..06720c6 100644
--- a/dwm.c
+++ b/dwm.c
@@ -472,13 +472,17 @@ cleanup(void)
Arg a = {.ui = ~0};
Layout foo = { "", NULL };
Monitor *m;
+   Client *c;
size_t i;
 
view(&a);
selmon->lt[selmon->sellt] = &foo;
for (m = mons; m; m = m->next)
-   while (m->stack)
+   while (m->stack) {
+   c = m->stack->snext;
unmanage(m->stack, 0);
+   m->stack = c;
+   }
XUngrabKey(dpy, AnyKey, AnyModifier, root);
while (mons)
cleanupmon(mons);
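Review bot: saving `c = m->stack->snext;` before `unmanage(m->stack, 0);` is the right order, since the client is freed inside unmanage and snext must not be read afterwards. Whether the explicit `m->stack = c;` is also needed depends on whether unmanage() already unlinks the client from the stack list, which is not visible in the hunk: if it does, the assignment is redundant but harmless; if it does not, as the message says, the old loop re-examined freed memory on every iteration. A one-line comment above the loop stating which case applies would stop the next reader from removing the assignment as redundant.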
-- 
2.17.1




[hackers] [dwm][PATCH] Fail zoom on no selection.

2018-09-24 Thread Mario J. Rugiero
From: Mario Rugiero 

Continuing on '!selmon->sel' leads to a NULL pointer dereference.
Reading the code, it seems it was intended to fail when either there's
no selected client or it's running in floating mode.
---
 dwm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dwm.c b/dwm.c
index 06720c6..787f149 100644
--- a/dwm.c
+++ b/dwm.c
@@ -2120,7 +2120,7 @@ zoom(const Arg *arg)
Client *c = selmon->sel;
 
if (!selmon->lt[selmon->sellt]->arrange
-   || (selmon->sel && selmon->sel->isfloating))
+   || !selmon->sel || selmon->sel->isfloating)
return;
if (c == nexttiled(selmon->clients))
if (!c || !(c = nexttiled(c->next)))
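Review bot: with `|| !selmon->sel` now part of the early return, c (initialised from selmon->sel) is known non-NULL by the time `if (!c || !(c = nexttiled(c->next)))` in the trailing context runs, so the `!c` test there is dead and could be dropped in the same patch; keeping it is harmless. The flattened `|| !selmon->sel || selmon->sel->isfloating` keeps the NULL test before the dereference, so the grouping change is safe.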
-- 
2.17.1