Date: Sun, 27 Oct 1996 07:47:04 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
Subject: bin/1904: /usr/bin/su is not careful enough in verifying command line input
Message-ID: <199610271547.HAA27722@freefall.freebsd.org>
Resent-Message-ID: <199610271550.HAA27980@freefall.freebsd.org>
>Number:         1904
>Category:       bin
>Synopsis:       /usr/bin/su is not careful enough in verifying command line input
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 27 07:50:02 PST 1996
>Last-Modified:
>Originator:     Thomas Ptacek
>Organization:   EnterAct, L.L.C.
>Release:        FreeBSD 2.1.5-RELEASE
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386
>Description:
su takes an argument (the name of the user to 'su' to). It verifies that this name is sane by calling getpwnam() on it; if getpwnam() returns NULL, the username is considered insane and the program terminates. If getpwnam() returns anything besides NULL, the username is considered valid.

If getpwnam() can be made to match any user as a result of an overly long, wacky string, that wacky string will be tossed around 'su' without bounds checking. 'su' should make a local copy of the pwent->pw_name from the record it matched, and use that instead.

I can only see a problem with this on systems with a broken syslog() (the "user" variable, which is a pointer to an argument from the command line, is passed verbatim to syslog() in the event of a successful getpwnam() on it) - however, there's enough of those systems floating around for this to be of concern.
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610271547.HAA27722>
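The pattern the report objects to, and the fix it proposes (use a local copy of the matched record's pw_name rather than the raw command-line string), as an added C example. This is not code from the report or from FreeBSD's su. The password table, the `sloppy_getpwnam()` lookup and the long sample argument are all constructed here: `sloppy_getpwnam()` is a hypothetical stand-in that models the report's premise of a lookup that can be made to match a record on an overly long input (it compares only a prefix), and is not a claim about how any real getpwnam() behaves.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a passwd record; only pw_name is modelled. */
struct fake_pwent {
    const char *pw_name;
};

/* Constructed sample table, not a real /etc/passwd. */
static const struct fake_pwent table[] = {
    { "root" },
    { "operator" },
    { "tqbf" },
};

/* Hypothetical lookup modelling the report's premise: it can be made to
 * match a record on an overly long input, here by comparing only as many
 * characters as the stored name has. Returns NULL when nothing matches. */
const struct fake_pwent *sloppy_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(table[i].pw_name, name, strlen(table[i].pw_name)) == 0)
            return &table[i];
    return NULL;
}

/* Pattern the report objects to: after the lookup succeeds the caller keeps
 * using the raw argv string, whose length nothing has bounded. */
const char *user_unsafe(const char *arg)
{
    const struct fake_pwent *pw = sloppy_getpwnam(arg);
    if (pw == NULL)
        return NULL;   /* "insane" name: su would exit here */
    return arg;        /* still the unbounded command-line string */
}

/* Fix the report proposes: keep a bounded local copy of pw_name from the
 * matched record and use that from here on. Returns 0 on success, -1 when
 * the name is unknown or does not fit in the caller's buffer. */
int user_safe(const char *arg, char *out, size_t outlen)
{
    const struct fake_pwent *pw = sloppy_getpwnam(arg);
    if (pw == NULL || outlen == 0)
        return -1;
    /* snprintf always NUL-terminates within outlen; reject on truncation
     * rather than silently shortening the name. */
    if (snprintf(out, outlen, "%s", pw->pw_name) >= (int)outlen)
        return -1;
    return 0;
}

/* Wrapper around user_safe() with a buffer sized like a login name. */
const char *canonical_user(const char *arg)
{
    static char name[32];
    return user_safe(arg, name, sizeof name) == 0 ? name : NULL;
}

/* Constructed sample argument: "root" followed by 295 'A's (299 chars). */
const char *demo_long_name(void)
{
    static char buf[300];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    memcpy(buf, "root", 4);
    return buf;
}

int main(void)
{
    const char *raw = user_unsafe(demo_long_name());
    const char *canon = canonical_user(demo_long_name());
    printf("unsafe keeps %zu bytes of argv; safe copy is \"%s\"\n",
           raw ? strlen(raw) : 0, canon ? canon : "(null)");
    printf("unknown user -> %s\n", canonical_user("nobody") ? "match" : "NULL");
    return 0;
}
```

The only thing `user_safe()` trusts after the lookup is the record's own pw_name, so whatever length the command-line string had, everything downstream (logging included) sees a name no longer than the buffer it was copied into.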