Linux passwd May Truncate Passwords Supplied Via stdin
SecurityTracker Alert ID: 1010182
SecurityTracker URL: http://securitytracker.com/id/1010182
Date: May 18 2004
Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
A vulnerability was reported in passwd when accepting input from stdin. The password may be truncated.
Steve Grubb reported that an error in the passwd program may occur when passwords are read from stdin. The buffer is 80 characters, but the length passed to the read function is 79 and location 78 is zeroed. As a result, passwords may be truncated.
Passwords supplied via stdin may be truncated by one character in a certain case.
A patch against version 0.68 is available at:
Underlying OS: Linux (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Opened by (Steve Grubb) on 2004-04-05 13:50
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Description of problem:
During a code review, I found several issues with the programs in the
passwd rpm. Notably, the passwd program has an off by 1 in the case of
--stdin. buffer is 80, len passed to read is 79, location 78 is 0'ed.
This is more noticeable if you imagine i == 1 after read. Also, if
read returns an error, the program continues as if nothing bad
happened and tries to zero buffer[-2].
Also, pam_start was not being checked for its return code.
Various minor memory leaks.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Found during code review.
I will attach a patch that fixes these. I did not look at prior
versions to see if these issues exist.
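
The off-by-one described in the report, shown beside a hardened form. This is an added example, not the passwd source or the referenced patch: the flawed function is an assumed reconstruction from the description (80-byte buffer, 79 passed to read, index i-1 zeroed), and the names read_pw_flawed, read_pw_fixed and feed, along with the sample input, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PW_BUF 80   /* buffer size given in the report */

/* Assumed reconstruction of the reported pattern: read up to 79 bytes, then
 * zero index i-1 as if the last byte were always '\n'. The i <= 0 guard is
 * added so this sketch never writes to buf[-2] as the report describes. */
static int read_pw_flawed(int fd, char buf[PW_BUF])
{
    ssize_t i = read(fd, buf, PW_BUF - 1);
    if (i <= 0)
        return -1;
    buf[i - 1] = '\0';      /* i == 79 -> location 78; i == 1 -> location 0 */
    return (int)strlen(buf);
}

/* Hardened form: check read(), terminate after the bytes actually read,
 * and strip a newline only when one is present. */
static int read_pw_fixed(int fd, char buf[PW_BUF])
{
    ssize_t i = read(fd, buf, PW_BUF - 1);
    if (i < 0)
        return -1;
    buf[i] = '\0';          /* i <= 79, so index i is in bounds */
    buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}

/* Helper: returns the read end of a pipe preloaded with constructed input. */
static int feed(const char *s)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], s, strlen(s)) < 0) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    return p[0];
}

int main(void)
{
    char a[PW_BUF] = "", b[PW_BUF] = "";
    int f1 = feed("secret"), f2 = feed("secret");   /* no trailing newline */
    read_pw_flawed(f1, a);
    read_pw_fixed(f2, b);
    printf("flawed: \"%s\"  fixed: \"%s\"\n", a, b);
    close(f1); close(f2);
    return 0;
}
```

A single read() can return fewer bytes than were written to a pipe, so production code would loop until a newline or EOF; the sketch keeps one call to stay close to the behaviour the report describes.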