Date:      Wed, 4 Oct 2000 12:25:25 -0700
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Warner Losh <imp@village.org>
Cc:        Trevor Johnson <trevor@jpj.net>, Peter Wemm <peter@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/vipw pw_util.c
Message-ID:  <20001004122525.E73561@freefall.freebsd.org>
In-Reply-To: <200010041544.JAA36951@harmony.village.org>; from imp@village.org on Wed, Oct 04, 2000 at 09:44:40AM -0600
References:  <Pine.BSI.4.21.0010040207580.12229-100000@blues.jpj.net> <200010041544.JAA36951@harmony.village.org>

On Wed, Oct 04, 2000 at 09:44:40AM -0600, Warner Losh wrote:
> In message <Pine.BSI.4.21.0010040207580.12229-100000@blues.jpj.net> Trevor Johnson writes:
> : > peter       2000/10/03 22:42:23 PDT
> : > 
> : >   Modified files:        (Branch: RELENG_3)
> : >     usr.sbin/vipw        pw_util.c 
> : >   Log:
> : >   MFC: printf-style format fix.  warn(string) -> warn("%s", string)
> : 
> : Any relation to the "format string vulnerability in libutil pw_error(3)
> : function" advisory from OpenBSD?
> 
> Yes.  We fixed this months ago in all but the old branches...  OpenBSD
> fixed it in about the same time period.  There was a bugtraq posting
> that included exploit code for this that triggered the back merge.
> Peter and I had the same idea, because I made the merge and got
> uptodate check failed from CVS when I went to commit it.

At the time, it wasn't obvious the problem was a local root hole,
because the code is in the vipw directory and vipw runs without
privs. But it turns out chpass and friends also steal code from that
directory, and they are setuid root :-(

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
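The change named in the commit log, `warn(string)` -> `warn("%s", string)`, as an added example that is not code from pw_util.c or from this thread. `warn_to_buf` is a hypothetical stand-in for warn(3) that formats into a buffer so the result can be inspected, and the sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for warn(3): same printf-style contract, but it
 * formats into a caller-supplied buffer so the result can be inspected. */
static int warn_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-fix pattern: the caller's string IS the format string, so any '%'
 * in it is parsed as a conversion directive. */
int report_before_fix(char *out, size_t outlen, const char *name)
{
    return warn_to_buf(out, outlen, name);
}

/* Post-fix pattern: the format is a constant and the string is only data. */
int report_after_fix(char *out, size_t outlen, const char *name)
{
    return warn_to_buf(out, outlen, "%s", name);
}

/* Constructed sample input. "%%" is used because it consumes no argument,
 * which keeps the pre-fix call well defined while still showing parsing. */
static const char SAMPLE[] = "quota 100%% used";

int main(void)
{
    char a[64], b[64];

    report_before_fix(a, sizeof a, SAMPLE);
    report_after_fix(b, sizeof b, SAMPLE);
    printf("before fix: %s\nafter fix:  %s\n", a, b);
    return 0;
}
```

Building callers with `-Wformat -Wformat-security` flags a non-literal format passed to the real warn(3) and printf(3) family, which is a quick way to audit for the pre-fix pattern.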

