From owner-freebsd-bugs  Tue May 29 16:10:11 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 1EEB037B424
	for <freebsd-bugs@hub.freebsd.org>; Tue, 29 May 2001 16:10:03 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f4TNA3k31486;
	Tue, 29 May 2001 16:10:03 -0700 (PDT)
	(envelope-from gnats)
Received: from mgate11.so-net.ne.jp (mgate11.so-net.ne.jp [210.139.254.158])
	by hub.freebsd.org (Postfix) with ESMTP id 3A1F037B422
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 May 2001 16:07:15 -0700 (PDT)
	(envelope-from ipfw@ya3.so-net.ne.jp)
Received: from mail.ya3.so-net.ne.jp (mspool11.so-net.ne.jp [210.139.248.11])
	by mgate11.so-net.ne.jp (8.9.3/3.7W01050922) with ESMTP id IAA12484
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 May 2001 08:07:13 +0900 (JST)
Received: from localhost (pdf4822.kngwnt01.ap.so-net.ne.jp [202.223.72.34])
	by mail.ya3.so-net.ne.jp  with ESMTP id f4TN7C426341
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 May 2001 08:07:12 +0900 (JST)
Message-Id: <20010530080644E.koya@pluto.math.yokohama-cu.ac.jp>
Date: Wed, 30 May 2001 08:06:44 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/27757: Wrong format specifiers in chpass(1)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         27757
>Category:       bin
>Synopsis:       chapss(1) converts a large uid to a negative one
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 29 16:10:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
Dept. of Math. Sci, Yokohama City Univ.
>Environment:
System: FreeBSD presario.my.domain 4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 23 23:23:02 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386

Also for 5.0-CURRENT as of May 30
>Description:
	A wrong format specifier of snprintf used in sources of
	chpass(1) generate a negative uid as a string.
>How-To-Repeat:

# vipw
(add some user with arbitrary uid)
# chapss foo
(edit as follows, for example)

#Changing user database information for foo.
Login: foo
Password: *
Uid [#]: 4294967295
Gid [# or name]: 20
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/foo
Shell: /bin/csh
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:

(quit the editor. Then you would have ...)
/etc/pw.CRUoUQ: 15 lines, 291 characters.
chpass: -1 > recommended max uid value (65535)
chpass: updating the database...
pwd_mkdb: -1 > recommended max uid value (65535)
chpass: done

Also, you would find the following entry in your /etc/master.passwd

foo:*:-1:20:User &:/home/foo:/bin/csh

>Fix:

Index: edit.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v
retrieving revision 1.18
diff -u -r1.18 edit.c
--- edit.c	2000/09/06 18:16:46	1.18
+++ edit.c	2001/05/29 21:53:59
@@ -255,7 +255,7 @@
 		pw->pw_gecos[len - 1] = '\0';
 
 	if (snprintf(buf, sizeof(buf),
-	    "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s",
+	    "%s:%s:%u:%u:%s:%ld:%ld:%s:%s:%s",
 	    pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class,
 	    pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir,
 	    pw->pw_shell) >= sizeof(buf)) {
Index: pw_copy.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/pw_copy.c,v
retrieving revision 1.9
diff -u -r1.9 pw_copy.c
--- pw_copy.c	1999/09/06 17:30:02	1.9
+++ pw_copy.c	2001/05/29 22:18:06
@@ -64,8 +64,8 @@
 	char chgstr[20];
 	char expstr[20];
 
-	snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
-	snprintf(gidstr, sizeof(gidstr), "%d", pw->pw_gid);
+	snprintf(uidstr, sizeof(uidstr), "%u", pw->pw_uid);
+	snprintf(gidstr, sizeof(gidstr), "%u", pw->pw_gid);
 	snprintf(chgstr, sizeof(chgstr), "%ld", (long)pw->pw_change);
 	snprintf(expstr, sizeof(expstr), "%ld", (long)pw->pw_expire);
 
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message