Date:      Tue, 03 Oct 2000 22:38:41 -0700
From:      Peter Wemm <peter@netplex.com.au>
To:        Mike Silbersack <silby@silby.com>
Cc:        Matt Heckaman <matt@ARPA.MAIL.NET>, Mike Tancsa <mike@sentex.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: Fwd: BSD chpass 
Message-ID:  <200010040538.e945cfH18681@netplex.com.au>
In-Reply-To: <Pine.BSF.4.21.0010040022390.35602-100000@achilles.silby.com> 

4.1-RELEASE and 4.1.1-RELEASE are not vulnerable to this.  The following change
in usr.sbin/vipw/pw_util.c fixed the problem:

revision 1.18
date: 2000/07/12 00:49:40;  author: kris;  state: Exp;  lines: +2 -2
Don't call warn() without a format string.

and it was MFC'ed prior to 4.1-REL:

revision 1.17.2.1
date: 2000/07/20 10:35:27;  author: kris;  state: Exp;  lines: +1 -1
MFC: Don't call vfprintf-like functions without a format string.

It just goes to show how an innocent quirk can break things.

(You can verify that this was the overflow by reverting the change and then
 the exploit either works or causes a segfault)

Anybody know about the openbsd-specific ptmp bug?  Does that affect us too?

Mike Silbersack wrote:
> 
> On Wed, 4 Oct 2000, Matt Heckaman wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > I've confirmed this to work on 3.5-STABLE as of Sep 21. It did NOT work on
> > my 4.1-STABLE or 4.1.1-RELEASE machines, but they could still be
> > vulnerable in a method outside the scope of the posted exploit. I just
> > found out about this 5 minutes ago and ran to turn off the suid bit :P
> 
> Unless the nsswitch changes fixed it, 4.1.1 should still be vulnerable -
> there are no messages in the cvs logs for chpass indicating any
> security-related changes recently.  (For both FreeBSD and OpenBSD.)
> 
> Looks like the guy didn't want to talk to vendors before posting.
> 
> Mike "Silby" Silbersack
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
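An added illustration of the bug class Peter describes (example code, not from this thread or the FreeBSD pw_util.c source): a message derived from untrusted data handed to a vprintf-like function as its *format* argument, beside the fixed shape of revision 1.18. The names `render_vulnerable`, `render_fixed`, `count_directives` and the sample message are constructed here; the vulnerable variant is only exercised with a `"%%"` escape, which is well defined, to show that the message is being interpreted rather than copied.

```c
/* Format-string bug class: message used as the format. Example code,
 * not the FreeBSD pw_util.c source; all names and inputs are constructed. */
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s. "%%" is a literal percent sign
 * and does not count. A non-zero result means that, used as a format, s
 * would make the printf family read arguments the caller never passed,
 * which is the garbage output or segfault mentioned in the thread. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The shape fixed by revision 1.18: msg itself is the format string, so
 * every '%' in it is interpreted. The pragmas only silence the compiler
 * warning that flags exactly this mistake; do not write code this way. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_vulnerable(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* The fixed shape: a constant format, msg passed purely as data. */
int render_fixed(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

int main(void)
{
    /* Constructed input: a message that legitimately contains "%%". */
    const char *msg = "bad entry: login name is 100%% invalid";
    char buf[128];

    render_vulnerable(buf, sizeof buf, msg);
    printf("interpreted as format: %s\n", buf);   /* "%%" collapses to "%" */
    render_fixed(buf, sizeof buf, msg);
    printf("passed as data:        %s\n", buf);   /* message unchanged */
    printf("directives a hostile \"%%s%%n\" would inject: %d\n",
           count_directives("%s%n"));
    return 0;
}
```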