[1405] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] SECURITY: passwd problem (second edition)

daemon@ATHENA.MIT.EDU (Savochkin Andrey Vladimirovich)
Mon Jan 27 14:44:49 1997

From: Savochkin Andrey Vladimirovich <saw@shade.msu.ru>
To: linux-security@redhat.com
Date: Mon, 27 Jan 1997 13:10:07 +0300 (MSK)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

[Mod: Other lists removed from the headers. The patch looks okay but I did
not really checked it line by line -- alex]


Last night I sent to redhat-list a letter with a patch. After sleeping a little
I found that my patch is not enough correct.
Now I post the new patch and description of the problem.

In redhat distribution passwd program uses PAM, namely, pam_unix_passwd.so.
This module use cracklib to check password for satisfying several conditions.
I found a bug in cracklib which can cause passwd to perform accesses
to random addresses in the task memory.
This potentially can cause a security problem (and passwd of course
doesn't change password after performing random accesses).

The quick fix of the problem is disable 'fascist' mode of pam_unix_passwd
module in pam.conf.

The patch below should be by applied to cracklib then cracklib should
be rebuild, reinstalled and then pam_unix_passwd should be rebuilded.

					Andrey V.
					Savochkin

diff -r -u cracklib25_small.orig/cracklib/fascist.c cracklib25_small/cracklib/fascist.c
--- cracklib25_small.orig/cracklib/fascist.c	Mon Jan 27 12:21:13 1997
+++ cracklib25_small/cracklib/fascist.c	Mon Jan 27 12:24:28 1997
@@ -223,39 +223,17 @@
     wc = 0;
     ptr = gbuffer;
 
-    while (*ptr)
+    while (*ptr && wc < STRINGSIZE-1)
     {
-	while (*ptr && ISSKIP(*ptr))
-	{
-	    ptr++;
-	}
-
-	if (ptr != gbuffer)
-	{
-	    ptr[-1] = '\0';
-	}
-
+	while (*ptr && ISSKIP(*ptr)) ptr++;
+	if (!*ptr) break;
 	uwords[wc++] = ptr;
-
-	if (wc == STRINGSIZE)
-	{
-	    uwords[--wc] = (char *) 0;	/* to hell with it */
-	    break;
-	} else
-	{
-	    uwords[wc] = (char *) 0;
-	}
-
-	while (*ptr && !ISSKIP(*ptr))
-	{
-	    ptr++;
-	}
-
-	if (*ptr)
-	{
-	    *(ptr++) = '\0';
-	}
+	while (*ptr && !ISSKIP(*ptr)) ptr++;
+	if(*ptr) *ptr++ = '\0';
     }
+    if (!wc) return ((char *) 0);
+    uwords[wc] = (char *) 0;
+
 #ifdef DEBUG
     for (i = 0; uwords[i]; i++)
     {


home help back first fref pref prev next nref lref last post