Date:      Wed, 19 Feb 1997 15:34:56 +0300 (MSK)
From:      Andrew Kosyakov <caseq@magrathea.chance.ru>
To:        rbezuide@oskar.nanoteq.co.za (Reinier Bezuidenhout)
Cc:        dg@root.com, jas@flyingfox.COM, security@freebsd.org
Subject:   Re: Coredumps and setuids .. interesting..
Message-ID:  <199702191234.PAA10870@magrathea.chance.ru>
In-Reply-To: <199702190856.KAA26329@oskar.nanoteq.co.za> from "Reinier Bezuidenhout" at Feb 19, 97 10:56:11 am

Quoting Reinier Bezuidenhout:

> > to being killed in a way that would cause a core dump. Everyone prior to you
> > who has looked at the resulting core file (me included) has found that it
> > contained only the encrypted password for the user's own account, and not
> > any others. I'm rather surprised that you are saying that it contains other
> > users' encrypted passwords...
> and in there are ALL the users and their encrypted passwords, I can
> mail it ... but would rather not :) ...  but seeing that 2.1.7

Perhaps many people fixed their libc since that similar case with wu-ftpd.
The solution is to patch the dbm code to zero out all memory being free()'d, so
that when the password database is closed by endpwent() called from some
getpwname(), all passwords (except the one being returned) are erased from
memory. The following changes were suggested by someone from the OpenBSD project,
but still work great for FreeBSD (the file in question is in
/usr/src/lib/libc/db/hash/):


--- hash_buf.c.old	Tue Oct 15 14:24:48 1996
+++ hash_buf.c	Tue Oct 15 14:24:13 1996
@@ -324,7 +324,10 @@
 		/* Check if we are freeing stuff */
 		if (do_free) {
 			if (bp->page)
+			{
+				memset(bp->page,0,hashp->BSIZE);
 				free(bp->page);
+			}
 			BUF_REMOVE(bp);
 			free(bp);
 			bp = LRU;
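
Review bot: the `memset(bp->page,0,hashp->BSIZE);` placed directly before `free(bp->page);` writes to memory that is never read again, so an optimizing compiler is allowed to drop it as a dead store; a wipe the compiler cannot elide (for instance stores through a volatile pointer) would make the clearing dependable. The length argument assumes every `bp->page` was allocated with `hashp->BSIZE` bytes, which should be confirmed at the allocation site. A one-line comment saying the page is cleared so stale records do not linger in freed memory would help later readers, and the opening brace on its own line does not match the `if (do_free) {` style of the surrounding context.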


-- 
Sincerely yours
							/&rew

***
Andrew V. Kosyakov, Chance Publishing House, System Administrator
caseq@chance.ru, 2:5030/31@Fidonet.Org, +7(812)210-8046
PGP key fingerprint: BA A8 48 20 E4 AE 9C 52  C5 5F C3 B8 1E 67 2C BF
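
The effect described in the message above, as an added example that is not part of the original e-mail and not FreeBSD or OpenBSD code: a fixed buffer stands in for heap memory captured by a core file, and released pages are searched for leftover records with and without the wipe. `PAGE_SIZE`, `page_release`, `records_left` and the sample records are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64   /* stands in for hashp->BSIZE (assumed value) */
#define NPAGES    3

/* Stand-in for heap memory that a core file would capture. */
static unsigned char heap[NPAGES * PAGE_SIZE];

/* Constructed sample records, one per cached page. */
static const char *recs[NPAGES] = {
    "alice:$1$constructed$aaaa",
    "bob:$1$constructed$bbbb",
    "carol:$1$constructed$cccc",
};

/* Release path: freed pages stay mapped; wipe != 0 models the patch. The
 * volatile pointer keeps the compiler from dropping the zeroing stores. */
static void page_release(unsigned char *page, int wipe)
{
    volatile unsigned char *v = page;
    for (size_t i = 0; wipe && i < PAGE_SIZE; i++)
        v[i] = 0;
}

/* Fill the pages, release them all, count records still findable. */
int records_left(int wipe)
{
    int found = 0;
    for (int i = 0; i < NPAGES; i++)
        strcpy((char *)heap + i * PAGE_SIZE, recs[i]);
    for (int i = 0; i < NPAGES; i++)
        page_release(heap + i * PAGE_SIZE, wipe);
    for (int i = 0; i < NPAGES; i++) {
        size_t n = strlen(recs[i]), off = 0;
        while (off + n <= sizeof heap && memcmp(heap + off, recs[i], n) != 0)
            off++;
        found += (off + n <= sizeof heap);
    }
    return found;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", records_left(0), records_left(1));
    return 0;
}
```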


