Date: Mon, 30 Oct 2000 15:57:55 -0800 (PST)
From: Dima Dorfman <dima@unixfreak.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:58.chpass
Message-ID: <20001030235755.CB3A21F27@static.unixfreak.org>
In-Reply-To: <20001030231153.B618B37B4CF@hub.freebsd.org> "from FreeBSD Security Advisories at Oct 30, 2000 03:11:53 pm"
[ PGP not available, raw data follows ]

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:58 Security Advisory
> FreeBSD, Inc.
>
> Topic: chpass family contains local root vulnerability
>
> Category: core
> Module: chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd

Forgive my ignorance, but I fail to see how 'passwd' is vulnerable. Yes, it does link with the affected file (pw_util.c), and calls the affected function (pw_error()), but, as far as I can tell, it never calls it with any parameters which can be controlled by the user.

I did a 'grep -r' in src/usr.bin and src/usr.sbin for 'pw_error', and I found that there is a limited set of parameters for the first argument. They are: NULL, tempname, _PATH_MASTERPASSWD, passfile, _PATH_PWD_MKDB, editor, and masterpasswd. It looks like the only parameter here which can be controlled by the user is 'editor', and 'passwd' never invokes an editor, so it never has to print an error complaining that it can't do it!

If I have overlooked something, I apologize for wasting everybody's time, but please let me know.

Thanks in advance

--
Dima Dorfman <dima@unixfreak.org>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
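The call-site audit described in the message above, generalized to classify the first argument of every `pw_error()` call automatically. This is an added example, not part of the original post or of FreeBSD's source; the sample sources and file names are constructed, and the `user-controlled` label for `editor` takes the post's assessment as given.

```python
import re

# First arguments to pw_error() that the post lists from its 'grep -r'.
LISTED = {"NULL", "tempname", "_PATH_MASTERPASSWD", "passfile",
          "_PATH_PWD_MKDB", "editor", "masterpasswd"}
USER_CONTROLLED = {"editor"}  # the post's assessment, taken as given
CALL = re.compile(r"\bpw_error\s*\(")
CAST = re.compile(r"^\(\s*[\w\s*]+\)\s*")  # leading cast, e.g. (char *)

def first_arg(text, pos):  # pos is the index just after the call's '('
    depth, quote, i = 0, None, pos
    while i < len(text):
        c = text[i]
        if quote:  # inside a string or character literal
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif c in ",)" and depth == 0:
            break  # end of the first argument
        i += 1
    return CAST.sub("", text[pos:i].strip())

def audit(sources):
    """Classify each pw_error() call site in {filename: C source}."""
    rows = []
    for name, text in sorted(sources.items()):
        for m in CALL.finditer(text):
            if re.search(r"\bvoid\s+$", text[:m.start()]):
                continue  # function definition, not a call
            arg = first_arg(text, m.end())
            verdict = ("user-controlled" if arg in USER_CONTROLLED
                       else "listed" if arg in LISTED else "unlisted")
            rows.append((name, text.count("\n", 0, m.start()) + 1, arg, verdict))
    return rows

# Constructed sample sources (not FreeBSD code); file names are hypothetical.
SAMPLE = {
    "chpass_sample.c": "if (pw_edit(1))\n\tpw_error(editor, 1, 1);\npw_error(tempname, 1, 1);\n",
    "other_sample.c": 'pw_error(lookup(user, ","), 1, 1);\n',
    "passwd_sample.c": "pw_error((char *)NULL, 0, 1);\npw_error(_PATH_PWD_MKDB, 1, 1);\n",
    "util_sample.c": "void\npw_error(const char *name, int err, int eval)\n{\n}\n",
}
print(*audit(SAMPLE), sep="\n")
```

Any row marked `unlisted` is a call site whose first argument is outside the set the post enumerates and needs to be traced by hand.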