From owner-freebsd-security  Mon Oct 30 15:58: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from static.unixfreak.org (static.unixfreak.org [63.198.170.139])
	by hub.freebsd.org (Postfix) with ESMTP id 0B40C37B4CF
	for <freebsd-security@freebsd.org>; Mon, 30 Oct 2000 15:57:56 -0800 (PST)
Received: by static.unixfreak.org (Postfix, from userid 1000)
	id CB3A21F27; Mon, 30 Oct 2000 15:57:55 -0800 (PST)
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:58.chpass
In-Reply-To: <20001030231153.B618B37B4CF@hub.freebsd.org> "from FreeBSD Security
 Advisories at Oct 30, 2000 03:11:53 pm"
To: freebsd-security@freebsd.org
Date: Mon, 30 Oct 2000 15:57:55 -0800 (PST)
From: Dima Dorfman <dima@unixfreak.org>
Reply-To: dima@unixfreak.org
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20001030235755.CB3A21F27@static.unixfreak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ PGP not available, raw data follows ]
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> =============================================================================
> FreeBSD-SA-00:58                                           Security Advisory
>                                                                 FreeBSD, Inc.
> 
> Topic:          chpass family contains local root vulnerability
> 
> Category:       core
> Module:         chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd

Forgive my ignorance, but I fail to see how 'passwd' is vulnerable.
Yes, it does link with the affected file (pw_util.c), and calls the
affected function (pw_error()), but, as far as I can tell, it never
calls it with any parameters which can be controlled by the user.

I did a 'grep -r' in src/usr.bin and src/usr.sbin for 'pw_error', and
I found that there is a limited set of parameters for the first
argument.  They are: NULL, tempname, _PATH_MASTERPASSWD, passfile,
_PATH_PWD_MKDB, editor, and masterpasswd.  It looks like only
parameter here which can be controlled by the user is 'editor', and
'passwd' never invokes an editor, so it never has to print an error
complaining that it can't do it!

If I have overlooked something, I apologize for wasting everybody's
time, but please let me know.

Thanks in advance

-- 
Dima Dorfman <dima@unixfreak.org>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message