From owner-freebsd-security Wed Oct 16 14:34:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
	id OAA07968 for security-outgoing; Wed, 16 Oct 1996 14:34:55 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3])
	by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA07960
	for ; Wed, 16 Oct 1996 14:34:43 -0700 (PDT)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3)
	with UUCP id PAA15020; Wed, 16 Oct 1996 15:34:17 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3)
	with SMTP id PAA19426; Wed, 16 Oct 1996 15:24:47 -0600 (MDT)
Date: Wed, 16 Oct 1996 15:24:47 -0600 (MDT)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Guido van Rooij , Assar Westerlund
cc: freebsd-security@FreeBSD.org
Subject: Re: bin/1805: Bug in ftpd
In-Reply-To: <5laftm6aj1.fsf@assaris.sics.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 16 Oct 1996, Guido van Rooij wrote:

> Assar Westerlund wrote:
> >
> > Some what other programs should we check to see that they really call
> > endpwent?
>
> The ones that call getpw*.

No, only the ones that call getpwent(3) _or_ call setpassent(3) or
setpwent(3).  Things like getpwnam call endpwent before they return.

On 16 Oct 1996, Assar Westerlund wrote:

> guido@gvr.win.tue.nl (Guido van Rooij) writes:
>
> > guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > > > > After the setuid, I will be able to make it dump core, or even better
> > > > > use `ptrace' and then login will still have the file descriptor
> > > > > pointing to /etc/spwd.db open and I can make it read the complete
> > > > > shadow file.
> > > >
> > > > endpwent closes the spwd.db if I'm right so that would be impossible.
> > >
> > > Of course, it should call endpwent and endpwent should zero any
> > > incriminating memory, but it doesn't do that now.
> >
> > Yes it does. Check the code.

Is the "yes it does" referring to endpwent being called or to endpwent
zeroing memory?  endpwent is being called in ftpd (indirectly), but I
don't see where endpwent is zeroing memory.  Even if it was zeroing its
memory, the DB routines are the ones that are leaving the junk behind.
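One way to act on the rule of thumb in the message above (only programs that call getpwent(3), setpwent(3) or setpassent(3) need checking for a matching endpwent(3); getpwnam-style lookups close the database themselves) is a quick source audit. The script below is an added example, not part of the original message or of the FreeBSD sources. It walks a directory of C files and reports those that use the iteration interface without ever calling endpwent(). The three sample files it generates are constructed for the demonstration, and the grep patterns are a textual heuristic (they will not see calls hidden behind macros or split across files).

```shell
#!/bin/sh
# Added example (not from the thread): report C files that iterate the
# password database (getpwent/setpwent/setpassent) but never call
# endpwent(), i.e. the pattern that can leave the spwd.db descriptor open
# across a setuid.  Files that only use getpwnam/getpwuid are not
# reported, since those lookups close the database before returning.

# Word-boundary approximation that works with POSIX grep -E.
PW_ITER='(^|[^A-Za-z0-9_])(getpwent|setpwent|setpassent)[[:space:]]*\('
PW_END='(^|[^A-Za-z0-9_])endpwent[[:space:]]*\('

# audit_pw_callers DIR: print, one per line and sorted, every *.c file
# under DIR that matches PW_ITER but not PW_END.
audit_pw_callers() {
    find "$1" -type f -name '*.c' | sort | while read -r f; do
        if grep -Eq "$PW_ITER" "$f" && ! grep -Eq "$PW_END" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_demo_tree: create a constructed sample tree (hypothetical files,
# not FreeBSD sources) and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    # Iterates the database and forgets endpwent(): should be flagged.
    cat > "$d/leaky.c" <<'EOF'
#include <pwd.h>
int main(void) { struct passwd *p; setpwent(); p = getpwent(); return p != 0; }
EOF
    # Iterates and cleans up: should not be flagged.
    cat > "$d/clean.c" <<'EOF'
#include <pwd.h>
int main(void) { struct passwd *p; setpwent(); p = getpwent(); endpwent(); return p != 0; }
EOF
    # Single lookup only; getpwnam closes the db itself: not flagged.
    cat > "$d/lookup.c" <<'EOF'
#include <pwd.h>
int main(void) { struct passwd *p = getpwnam("root"); return p != 0; }
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed tree, then remove it.
demo=$(make_demo_tree)
audit_pw_callers "$demo"
rm -rf "$demo"
```

Run it against a real tree with `audit_pw_callers /usr/src/libexec`; every file it prints is a candidate to read by hand, since the heuristic says nothing about whether the descriptor is still open at the point where privileges are dropped.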