Date: Wed, 30 May 2001 08:06:44 +0900 From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/27757: Wrong format specifiers in chpass(1) Message-ID: <20010530080644E.koya@pluto.math.yokohama-cu.ac.jp>
next in thread | raw e-mail | index | archive | help
>Number: 27757
>Category: bin
>Synopsis: chapss(1) converts a large uid to a negative one
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 29 16:10:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Yoshihiro Koya
>Release: FreeBSD 4.3-STABLE i386
>Organization:
Dept. of Math. Sci, Yokohama City Univ.
>Environment:
System: FreeBSD presario.my.domain 4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 23 23:23:02 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386
Also for 5.0-CURRENT as of May 30
>Description:
A wrong format specifier of snprintf used in sources of
chpass(1) generate a negative uid as a string.
>How-To-Repeat:
# vipw
(add some user with arbitrary uid)
# chapss foo
(edit as follows, for example)
#Changing user database information for foo.
Login: foo
Password: *
Uid [#]: 4294967295
Gid [# or name]: 20
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/foo
Shell: /bin/csh
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:
(quit the editor. Then you would have ...)
/etc/pw.CRUoUQ: 15 lines, 291 characters.
chpass: -1 > recommended max uid value (65535)
chpass: updating the database...
pwd_mkdb: -1 > recommended max uid value (65535)
chpass: done
Also, you would find the following entry in your /etc/master.passwd
foo:*:-1:20:User &:/home/foo:/bin/csh
>Fix:
Index: edit.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v
retrieving revision 1.18
diff -u -r1.18 edit.c
--- edit.c 2000/09/06 18:16:46 1.18
+++ edit.c 2001/05/29 21:53:59
@@ -255,7 +255,7 @@
pw->pw_gecos[len - 1] = '\0';
if (snprintf(buf, sizeof(buf),
- "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s",
+ "%s:%s:%u:%u:%s:%ld:%ld:%s:%s:%s",
pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class,
pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir,
pw->pw_shell) >= sizeof(buf)) {
Index: pw_copy.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/pw_copy.c,v
retrieving revision 1.9
diff -u -r1.9 pw_copy.c
--- pw_copy.c 1999/09/06 17:30:02 1.9
+++ pw_copy.c 2001/05/29 22:18:06
@@ -64,8 +64,8 @@
char chgstr[20];
char expstr[20];
- snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
- snprintf(gidstr, sizeof(gidstr), "%d", pw->pw_gid);
+ snprintf(uidstr, sizeof(uidstr), "%u", pw->pw_uid);
+ snprintf(gidstr, sizeof(gidstr), "%u", pw->pw_gid);
snprintf(chgstr, sizeof(chgstr), "%ld", (long)pw->pw_change);
snprintf(expstr, sizeof(expstr), "%ld", (long)pw->pw_expire);
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010530080644E.koya>