Date: Wed, 30 May 2001 08:06:44 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/27757: Wrong format specifiers in chpass(1)
Message-ID: <20010530080644E.koya@pluto.math.yokohama-cu.ac.jp>
>Number: 27757
>Category: bin
>Synopsis: chpass(1) converts a large uid to a negative one
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 29 16:10:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Yoshihiro Koya
>Release: FreeBSD 4.3-STABLE i386
>Organization: Dept. of Math. Sci, Yokohama City Univ.
>Environment:
System: FreeBSD presario.my.domain 4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 23 23:23:02 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386

Also for 5.0-CURRENT as of May 30
>Description:
A wrong format specifier of snprintf used in the sources of chpass(1) generates a negative uid as a string.
>How-To-Repeat:
# vipw
(add some user with arbitrary uid)
# chpass foo
(edit as follows, for example)
#Changing user database information for foo.
Login: foo
Password: *
Uid [#]: 4294967295
Gid [# or name]: 20
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/foo
Shell: /bin/csh
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:
(quit the editor. Then you would have ...)
/etc/pw.CRUoUQ: 15 lines, 291 characters.
chpass: -1 > recommended max uid value (65535)
chpass: updating the database...
pwd_mkdb: -1 > recommended max uid value (65535)
chpass: done

Also, you would find the following entry in your /etc/master.passwd

foo:*:-1:20:User &:/home/foo:/bin/csh
>Fix:
Index: edit.c =================================================================== RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v retrieving revision 1.18 diff -u -r1.18 edit.c --- edit.c 2000/09/06 18:16:46 1.18 +++ edit.c 2001/05/29 21:53:59 
@@ -255,7 +255,7 @@ pw->pw_gecos[len - 1] = '\0'; if (snprintf(buf, sizeof(buf), - "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s", + "%s:%s:%u:%u:%s:%ld:%ld:%s:%s:%s", pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class, pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir, pw->pw_shell) >= sizeof(buf)) { Index: pw_copy.c =================================================================== RCS file: /home/ncvs/src/usr.bin/chpass/pw_copy.c,v retrieving revision 1.9 diff -u -r1.9 pw_copy.c --- pw_copy.c 1999/09/06 17:30:02 1.9 +++ pw_copy.c 2001/05/29 22:18:06 @@ -64,8 +64,8 @@ char chgstr[20]; char expstr[20]; - snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid); - snprintf(gidstr, sizeof(gidstr), "%d", pw->pw_gid); + snprintf(uidstr, sizeof(uidstr), "%u", pw->pw_uid); + snprintf(gidstr, sizeof(gidstr), "%u", pw->pw_gid); snprintf(chgstr, sizeof(chgstr), "%ld", (long)pw->pw_change); snprintf(expstr, sizeof(expstr), "%ld", (long)pw->pw_expire); >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
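Review bot: In the edit.c snprintf, pw->pw_uid and pw->pw_gid are passed to %u with no cast, so the output is correct only while both types are exactly unsigned int; consider "%lu" with (unsigned long) casts so the format does not depend on the typedef. The same call passes pw->pw_change and pw->pw_expire to %ld uncast, while pw_copy.c casts them as (long)pw->pw_change and (long)pw->pw_expire; making the two files consistent belongs in this change.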
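Review bot: In the pw_copy.c hunk, the declarations of uidstr and gidstr fall outside the context shown (only chgstr[20] and expstr[20] are visible) and the return values of the two changed snprintf calls are not checked. With %u the longest value, 4294967295, needs 11 bytes including the terminator, so confirm both buffers are at least that large, or test the return value the way edit.c does with >= sizeof(buf). The pwd_mkdb warning shown in How-To-Repeat also prints -1 and comes from a program this patch does not touch.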
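An added example, not part of the original report or of the chpass sources: it formats the report's uid 4294967295 with the signed and the unsigned specifier, then reads the field back with a strict parser, since strtoul() on its own accepts "-1". The type `uid32` and the helpers `fmt_id`, `parse_id` and `round_trip` are hypothetical names, and ids are assumed to be 32 bits wide.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t uid32;   /* assumption: 32-bit unsigned ids, as in the report */

/* buggy != 0 reproduces the signed "%d" output; otherwise "%lu" with a cast.
 * Returns 0 on success, -1 on truncation or snprintf failure. */
static int fmt_id(char *dst, size_t n, uid32 id, int buggy)
{
    int r = buggy ? snprintf(dst, n, "%d", (int)id)   /* 4294967295 -> "-1" */
                  : snprintf(dst, n, "%lu", (unsigned long)id);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Strict parse of an id field read back from a passwd-style file.
 * strtoul() alone accepts "-1" and returns ULONG_MAX without an error,
 * so anything not starting with a digit is rejected first. */
static int parse_id(const char *s, uid32 *out)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)s[0]))
        return -1;                        /* rejects "", "-1", "+1", " 1" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uid32)v;
    return 0;
}

/* Format then parse; returns 0 only if the id survives the round trip. */
static int round_trip(uid32 id, int buggy)
{
    char buf[11];                         /* 10 digits of 4294967295 + NUL */
    uid32 back;
    if (fmt_id(buf, sizeof(buf), id, buggy) != 0 || parse_id(buf, &back) != 0)
        return -1;
    return back == id ? 0 : -1;
}

int main(void)
{
    printf("%%d round trip: %d, %%lu round trip: %d\n",
           round_trip(4294967295u, 1), round_trip(4294967295u, 0));
    return 0;
}
```

Small ids survive either specifier, which is why the defect only shows up once a uid exceeds INT_MAX.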