CERT® Advisory CA-1989-01 Passwd hole

Original issue date: January 1989
Last revised: September 16, 1997
Attached Copyright statement

A complete revision history is at the end of this file.

The CERT center received the following information from Keith Bostic from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988. This patch has also been posted to comp.bugs.4bsd.ucb-fixes.

Please note that this patch will only work with BSD 4.3. If you have 4.2 please let me know and I will forward the correct patch.


Subject: security problem in passwd
Index: bin/passwd.c 4.3BSD
Description:
There's a security problem associated with the passwd(1) program in all known Berkeley systems. This problem is also in most Berkeley-derived systems; see your vendor for more information.
Fix:
Apply the following patch to the file src/bin/passwd.c and recompile/reinstall it.

*** passwd.c.orig       Wed Dec 21 08:57:41 1988
- --- passwd.c  Wed Dec 21 09:00:25 1988
***************
*** 332,337 ****
- --- 332,339 ----
        return (crypt(pwbuf, saltc));
  }
  
+ #define       STRSIZE 100
+ 
  char *
  getloginshell(pwd, u, arg)
        struct passwd *pwd;
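
Review bot: The new `#define STRSIZE 100` sits between two function definitions with no comment saying what it bounds or why the value is 100. Suggest moving it to the top of the file and documenting it as the maximum length of one line of user input, since every buffer size and fgets() limit changed later in this patch depends on it.
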
***************
*** 338,344 ****
        int u;
        char *arg;
  {
!       static char newshell[BUFSIZ];
        char *cp, *valid, *getusershell();
  
        if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
- --- 340,346 ----
        int u;
        char *arg;
  {
!       static char newshell[STRSIZE];
        char *cp, *valid, *getusershell();
  
        if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0')
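
Review bot: Shrinking `static char newshell[BUFSIZ];` to `newshell[STRSIZE]` in getloginshell() is only safe if the code that fills newshell is bounded by the new size, and no write to newshell appears in this hunk or anywhere else in the patch. Please show the read or copy into newshell and limit it with sizeof(newshell); a smaller array with an unchanged write length would make the problem worse rather than fix it.
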
***************
*** 415,423 ****
  getfingerinfo(pwd)
        struct passwd *pwd;
  {
!       char in_str[BUFSIZ];
        struct default_values *defaults, *get_defaults();
!       static char answer[4*BUFSIZ];
  
        answer[0] = '\0';
        defaults = get_defaults(pwd->pw_gecos);
- --- 417,425 ----
  getfingerinfo(pwd)
        struct passwd *pwd;
  {
!       char in_str[STRSIZE];
        struct default_values *defaults, *get_defaults();
!       static char answer[4*STRSIZE];
  
        answer[0] = '\0';
        defaults = get_defaults(pwd->pw_gecos);
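
Review bot: The sizing of `static char answer[4*STRSIZE];` assumes every piece appended to answer is at most STRSIZE bytes, but the defaults come from `get_defaults(pwd->pw_gecos)` and nothing visible here limits their length. If a default value can end up in answer (the special_case() calls on the defaults further down suggest it might), bound those copies or check the remaining space in answer before each append.
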
***************
*** 429,435 ****
         */
        do {
                printf("\nName [%s]: ", defaults->name);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->name)) 
                        break;
        } while (illegal_input(in_str));
- --- 431,437 ----
         */
        do {
                printf("\nName [%s]: ", defaults->name);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->name)) 
                        break;
        } while (illegal_input(in_str));
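
Review bot: The return value of fgets() is discarded in `(void) fgets(in_str, STRSIZE, stdin);`, so on end of file or a read error in_str is handed to special_case() and illegal_input() without having been written, and at this first prompt the array is still uninitialized. Check for a NULL return and abandon the change instead of continuing the loop.
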
***************
*** 440,446 ****
        do {
                printf("Room number (Exs: 597E or 197C) [%s]: ",
                        defaults->office_num);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->office_num))
                        break;
        } while (illegal_input(in_str) || illegal_building(in_str));
- --- 442,448 ----
        do {
                printf("Room number (Exs: 597E or 197C) [%s]: ",
                        defaults->office_num);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->office_num))
                        break;
        } while (illegal_input(in_str) || illegal_building(in_str));
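
Review bot: The limit in `(void) fgets(in_str, STRSIZE, stdin);` repeats the constant from the declaration instead of being derived from the array, which leaves the two free to drift apart in a later edit. Since in_str is declared as an array in getfingerinfo(), passing sizeof(in_str) here and in the three matching calls would keep the read length tied to the buffer.
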
***************
*** 452,458 ****
        do {
                printf("Office Phone (Ex: 6426000) [%s]: ",
                        defaults->office_phone);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->office_phone))
                        break;
                remove_hyphens(in_str);
- --- 454,460 ----
        do {
                printf("Office Phone (Ex: 6426000) [%s]: ",
                        defaults->office_phone);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->office_phone))
                        break;
                remove_hyphens(in_str);
***************
*** 464,470 ****
         */
        do {
                printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
!               (void) fgets(in_str, BUFSIZ, stdin);
                if (special_case(in_str, defaults->home_phone))
                        break;
                remove_hyphens(in_str);
- --- 466,472 ----
         */
        do {
                printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone);
!               (void) fgets(in_str, STRSIZE, stdin);
                if (special_case(in_str, defaults->home_phone))
                        break;
                remove_hyphens(in_str);
***************
*** 501,507 ****
        if (input_str[length-1] != '\n') {
                /* the newline and the '\0' eat up two characters */
                printf("Maximum number of characters allowed is %d\n",
!                       BUFSIZ-2);
                /* flush the rest of the input line */
                while (getchar() != '\n')
                        /* void */;
- --- 503,509 ----
        if (input_str[length-1] != '\n') {
                /* the newline and the '\0' eat up two characters */
                printf("Maximum number of characters allowed is %d\n",
!                       STRSIZE-2);
                /* flush the rest of the input line */
                while (getchar() != '\n')
                        /* void */;
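
Review bot: The flush loop `while (getchar() != '\n')` never tests for EOF, so if input ends in the middle of an over-long line it spins forever. Compare the result against EOF as well, and confirm that length cannot be 0 before `input_str[length-1]` is evaluated, since the hunk does not show where length is set.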

This document is available from: http://www.cert.org/advisories/CA-1989-01.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1989 Carnegie Mellon University.


Revision History
September 16, 1997  Attached copyright statement