From owner-cvs-all Wed Oct 4 12:25:28 2000
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4BCDE37B503; Wed, 4 Oct 2000 12:25:25 -0700 (PDT)
Received: (from kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id MAA79313; Wed, 4 Oct 2000 12:25:25 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Date: Wed, 4 Oct 2000 12:25:25 -0700
From: Kris Kennaway
To: Warner Losh
Cc: Trevor Johnson, Peter Wemm, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/vipw pw_util.c
Message-ID: <20001004122525.E73561@freefall.freebsd.org>
References: <200010041544.JAA36951@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200010041544.JAA36951@harmony.village.org>; from imp@village.org on Wed, Oct 04, 2000 at 09:44:40AM -0600
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Oct 04, 2000 at 09:44:40AM -0600, Warner Losh wrote:
> In message Trevor Johnson writes:
> : > peter 2000/10/03 22:42:23 PDT
> : >
> : > Modified files: (Branch: RELENG_3)
> : > usr.sbin/vipw pw_util.c
> : > Log:
> : > MFC: printf-style format fix. warn(string) -> warn("%s", string)
> :
> : Any relation to the "format string vulnerability in libutil pw_error(3)
> : function" advisory from OpenBSD?
>
> Yes. We fixed this months ago in all but the old branches... OpenBSD
> fixed it in about the same time period. There was a bugtraq posting
> that included exploit code for this that triggered the back merge.
> Peter and I had the same idea, because I made the merge and got
> uptodate check failed from CVS when I went to commit it.

At the time, it wasn't obvious the problem was a local root hole, because the code is in the vipw directory and vipw runs without privs.

But it turns out chpass and friends also steal code from that directory, and they are setuid root :-(

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe
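The bug class the thread discusses, as an added example that is not code from the FreeBSD tree or from anyone on this list: a hardened `"%s"` call next to an audit helper that counts conversion directives in a string about to be used as a format. The `report` and `safe_report` names, and the hostile GECOS-style input, are constructed for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for warn()-style reporting: formats into a caller
 * buffer instead of stderr so the rendered text can be checked. */
static void report(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The pattern the MFC removed was report(out, n, msg): an untrusted
 * string becomes the format. In a setuid chpass(1) that string comes
 * from the user, so the format parser runs on attacker-chosen input.
 * It is undefined behaviour and is deliberately not compiled here. */

/* Hardened form: the message is always an argument, never the format. */
void safe_report(char *out, size_t outlen, const char *untrusted)
{
    report(out, outlen, "%s", untrusted);
}

/* Audit helper: count printf conversion directives in a string. Any
 * count > 0 in user-derived data that reaches a format parameter is
 * this bug. "%%" is a literal percent sign, not a directive. */
int format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; ) {
        if (p[1] == '%') { p += 2; continue; }
        n++;
        p++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *gecos = "Mallory %x%x%n";   /* constructed hostile field */
    safe_report(buf, sizeof buf, gecos);
    printf("directives=%d rendered=\"%s\"\n", format_directives(gecos), buf);
    return 0;
}
```

With `"%s"` the directives survive as literal text in the output; the helper flags the same input so a review of every `warn`/`err`/`syslog` call site can spot a bare untrusted string before it ships in a setuid binary.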