The CERT center received the following information from Keith Bostic from the Computer Systems Research Group at UC-Berkeley on Dec. 21, 1988. This patch has also been posted to comp.bugs.4bsd.ucb-fixes. Please note that this patch will only work with BSD 4.3. If you have 4.2 please let me know and I will forward the correct patch. Ed DeHart Software Engineering Institute / Computer Emergency Response Team cert@sei.cmu.edu 412-268-7090 ------------------ Subject: security problem in passwd Index: bin/passwd.c 4.3BSD Description: There's a security problem associated with the passwd(1) program in all known Berkeley systems. This problem is also in most Berkeley derived systems, see your vendor for more information. Fix: Apply the following patch to the file src/bin/passwd.c and recompile/reinstall it. *** passwd.c.orig Wed Dec 21 08:57:41 1988 --- passwd.c Wed Dec 21 09:00:25 1988 *************** *** 332,337 **** --- 332,339 ---- return (crypt(pwbuf, saltc)); } + #define STRSIZE 100 + char * getloginshell(pwd, u, arg) struct passwd *pwd; *************** *** 338,344 **** int u; char *arg; { ! static char newshell[BUFSIZ]; char *cp, *valid, *getusershell(); if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0') --- 340,346 ---- int u; char *arg; { ! static char newshell[STRSIZE]; char *cp, *valid, *getusershell(); if (pwd->pw_shell == 0 || *pwd->pw_shell == '\0') *************** *** 415,423 **** getfingerinfo(pwd) struct passwd *pwd; { ! char in_str[BUFSIZ]; struct default_values *defaults, *get_defaults(); ! static char answer[4*BUFSIZ]; answer[0] = '\0'; defaults = get_defaults(pwd->pw_gecos); --- 417,425 ---- getfingerinfo(pwd) struct passwd *pwd; { ! char in_str[STRSIZE]; struct default_values *defaults, *get_defaults(); ! static char answer[4*STRSIZE]; answer[0] = '\0'; defaults = get_defaults(pwd->pw_gecos); *************** *** 429,435 **** */ do { printf("\nName [%s]: ", defaults->name); ! 
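Review bot: `STRSIZE` is added without a comment, although every buffer size and `fgets` bound changed later in this patch depends on it. A one-line comment above the define would record the intent, for example `/* limit, in bytes including the newline and NUL, on one field typed by the user */`. The advisory text does not say why 100 was chosen, so that rationale should come from the author rather than be guessed.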
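Review bot: Shrinking `newshell` from `BUFSIZ` to `STRSIZE` is safe only if every write into it is bounded by the array's own size, and none of those writes is visible because the body of `getloginshell` continues outside the hunk. Any read or copy that still passes a literal `BUFSIZ` as its limit would now run past the 100-byte static buffer. Confirm that each one uses `sizeof newshell` as its bound, so that the limit follows the declaration if the size changes again.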
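Review bot: `answer` is now sized for four typed fields of at most `STRSIZE` bytes, but the prompts in the later hunks appear to let the user keep `defaults->name`, `defaults->office_num` and the two phone defaults. Those come from the existing `pw_gecos`, and nothing visible in this patch limits them to `STRSIZE`. The code that assembles `answer` is outside the hunk; if it appends without checking the remaining space, a long existing gecos entry could overflow the smaller static buffer. Checking each append against `sizeof answer` and rejecting the change when it does not fit would close that gap.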
(void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->name)) break; } while (illegal_input(in_str)); --- 431,437 ---- */ do { printf("\nName [%s]: ", defaults->name); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->name)) break; } while (illegal_input(in_str)); *************** *** 440,446 **** do { printf("Room number (Exs: 597E or 197C) [%s]: ", defaults->office_num); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->office_num)) break; } while (illegal_input(in_str) || illegal_building(in_str)); --- 442,448 ---- do { printf("Room number (Exs: 597E or 197C) [%s]: ", defaults->office_num); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->office_num)) break; } while (illegal_input(in_str) || illegal_building(in_str)); *************** *** 452,458 **** do { printf("Office Phone (Ex: 6426000) [%s]: ", defaults->office_phone); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->office_phone)) break; remove_hyphens(in_str); --- 454,460 ---- do { printf("Office Phone (Ex: 6426000) [%s]: ", defaults->office_phone); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->office_phone)) break; remove_hyphens(in_str); *************** *** 464,470 **** */ do { printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone); ! (void) fgets(in_str, BUFSIZ, stdin); if (special_case(in_str, defaults->home_phone)) break; remove_hyphens(in_str); --- 466,472 ---- */ do { printf("Home Phone (Ex: 9875432) [%s]: ", defaults->home_phone); ! (void) fgets(in_str, STRSIZE, stdin); if (special_case(in_str, defaults->home_phone)) break; remove_hyphens(in_str); *************** *** 501,507 **** if (input_str[length-1] != '\n') { /* the newline and the '\0' eat up two characters */ printf("Maximum number of characters allowed is %d\n", ! 
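Review bot: The result of `fgets` is still discarded in the Name prompt, and the same applies to the Room number, Office Phone and Home Phone hunks. At end of file or on a read error `fgets` stores nothing, so on the first pass `special_case` and `illegal_input` read an uninitialised automatic array. The call should be tested and the change abandoned on failure, for example `if (fgets(in_str, sizeof in_str, stdin) == NULL) exit(1);`. Writing the bound as `sizeof in_str` also keeps it tied to the declaration, so it cannot drift from the buffer size. The loops sit inside `getfingerinfo`, whose start and end are outside these hunks.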
BUFSIZ-2); /* flush the rest of the input line */ while (getchar() != '\n') /* void */; --- 503,509 ---- if (input_str[length-1] != '\n') { /* the newline and the '\0' eat up two characters */ printf("Maximum number of characters allowed is %d\n", ! STRSIZE-2); /* flush the rest of the input line */ while (getchar() != '\n') /* void */;  Downloaded From P-80 International Information Systems 304-744-2253
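Review bot: The flush loop `while (getchar() != '\n')` never terminates once standard input reaches end of file, because `EOF` is never equal to `'\n'`; an over-long line with no trailing newline makes this setuid program spin. Keep the character and test both conditions: `int c;` then `while ((c = getchar()) != '\n' && c != EOF) /* void */;`. Separately, `input_str[length-1]` reads one byte before the buffer when `length` is 0, so the test should be `length == 0 || input_str[length-1] != '\n'`. That assumes `length` comes from `strlen`, which is computed outside the hunk, as is the rest of the enclosing function.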