[1405] in linux-security and linux-alert archive
[linux-security] SECURITY: passwd problem (second edition)
daemon@ATHENA.MIT.EDU (Savochkin Andrey Vladimirovich)
Mon Jan 27 14:44:49 1997
From: Savochkin Andrey Vladimirovich <saw@shade.msu.ru>
To: linux-security@redhat.com
Date: Mon, 27 Jan 1997 13:10:07 +0300 (MSK)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
[Mod: Other lists removed from the headers. The patch looks okay but I did
not really checked it line by line -- alex]
Last night I sent to redhat-list a letter with a patch. After sleeping a little
I found that my patch is not enough correct.
Now I post the new patch and description of the problem.
In redhat distribution passwd program uses PAM, namely, pam_unix_passwd.so.
This module use cracklib to check password for satisfying several conditions.
I found a bug in cracklib which can cause passwd to perform accesses
to random addresses in the task memory.
This potentially can cause a security problem (and passwd of course
doesn't change password after performing random accesses).
The quick fix of the problem is disable 'fascist' mode of pam_unix_passwd
module in pam.conf.
The patch below should be by applied to cracklib then cracklib should
be rebuild, reinstalled and then pam_unix_passwd should be rebuilded.
Andrey V.
Savochkin
diff -r -u cracklib25_small.orig/cracklib/fascist.c cracklib25_small/cracklib/fascist.c
--- cracklib25_small.orig/cracklib/fascist.c Mon Jan 27 12:21:13 1997
+++ cracklib25_small/cracklib/fascist.c Mon Jan 27 12:24:28 1997
@@ -223,39 +223,17 @@
wc = 0;
ptr = gbuffer;
- while (*ptr)
+ while (*ptr && wc < STRINGSIZE-1)
{
- while (*ptr && ISSKIP(*ptr))
- {
- ptr++;
- }
-
- if (ptr != gbuffer)
- {
- ptr[-1] = '\0';
- }
-
+ while (*ptr && ISSKIP(*ptr)) ptr++;
+ if (!*ptr) break;
uwords[wc++] = ptr;
-
- if (wc == STRINGSIZE)
- {
- uwords[--wc] = (char *) 0; /* to hell with it */
- break;
- } else
- {
- uwords[wc] = (char *) 0;
- }
-
- while (*ptr && !ISSKIP(*ptr))
- {
- ptr++;
- }
-
- if (*ptr)
- {
- *(ptr++) = '\0';
- }
+ while (*ptr && !ISSKIP(*ptr)) ptr++;
+ if(*ptr) *ptr++ = '\0';
}
+ if (!wc) return ((char *) 0);
+ uwords[wc] = (char *) 0;
+
#ifdef DEBUG
for (i = 0; uwords[i]; i++)
{