passwd(1) does not clear memory used for the second password
input. Use explicit_bzero(3) to zero the memory when we're done with
it. Utilities like bioctl(8) and signify(1) already do this.
Index: local_passwd.c
===================================================================
RCS file: /cvs/src/usr.bin/passwd/local_passwd.c,v
retrieving revision 1.52
diff -u -p -u -r1.52 local_passwd.c
--- local_passwd.c 2 Sep 2016 18:06:43 -0000 1.52
+++ local_passwd.c 28 Dec 2016 08:13:07 -0000
@@ -203,9 +203,12 @@ getnewpasswd(struct passwd *pw, login_ca
continue;
p = readpassphrase("Retype new password:", repeat,
sizeof(repeat),
RPP_ECHO_OFF);
- if (p != NULL && strcmp(newpass, p) == 0)
+ if (p != NULL && strcmp(newpass, p) == 0) {
+ explicit_bzero(repeat, sizeof(repeat));
break;
+ }
(void)printf("Mismatch; try again, EOF to quit.\n");
+ explicit_bzero(repeat, sizeof(repeat));
explicit_bzero(newpass, sizeof(newpass));
}
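Review bot: `repeat` is now wiped in two separate places, inside the new `if` body before `break` and again after the "Mismatch" printf, so any exit path added to this loop later has to remember to clear it as well. Capturing the comparison result first lets the buffer be cleared exactly once, right after its last use: `match = (p != NULL && strcmp(newpass, p) == 0);` then `explicit_bzero(repeat, sizeof(repeat));` then `if (match) break;`, with `int match` declared alongside the function's other locals. The hunk does not show whether `newpass` is cleared after the `break` or on the `continue` path at the top of the hunk, so that is worth confirming in the rest of getnewpasswd(), whose body begins and ends outside this hunk.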