From ptm@ns.tr.ukrtel.net Thu Apr 3 05:14:45 2003
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D62E737B401
	for ; Thu, 3 Apr 2003 05:14:45 -0800 (PST)
Received: from mail.tr.ukrtel.net (ns.tr.ukrtel.net [195.5.27.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8A48A43F3F
	for ; Thu, 3 Apr 2003 05:14:43 -0800 (PST)
	(envelope-from ptm@ns.tr.ukrtel.net)
Received: from ns.tr.ukrtel.net (localhost.tr.ukrtel.net [127.0.0.1])
	by mail.tr.ukrtel.net (8.12.6/8.12.6) with ESMTP id h33DEcZx025551
	for ; Thu, 3 Apr 2003 16:14:38 +0300 (EEST)
	(envelope-from ptm@ns.tr.ukrtel.net)
Received: (from root@localhost)
	by ns.tr.ukrtel.net (8.12.6/8.12.6/Submit) id h33DEYrq025549;
	Thu, 3 Apr 2003 16:14:34 +0300 (EEST)
Message-Id: <200304031314.h33DEYrq025549@ns.tr.ukrtel.net>
Date: Thu, 3 Apr 2003 16:14:34 +0300 (EEST)
From: Taras Panchyshyn
Reply-To: Taras Panchyshyn
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: two records about user in master.passwd after usage command "chsh"
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         50563
>Category:       bin
>Synopsis:       two records about user in master.passwd after usage command "chsh"
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 03 05:20:17 PST 2003
>Closed-Date:    Thu Jun 05 23:37:32 PDT 2003
>Last-Modified:  Thu Jun 05 23:37:32 PDT 2003
>Originator:     Taras Panchyshyn
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
Ukrtelecom
>Environment:
System: FreeBSD ns.tr.ukrtel.net 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Thu Jan 16 22:16:53 GMT 2003 root@hollin.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
I use the chsh command to change user information:

ns# chsh emsternopil
#Changing user information for emsternopil.
Login: emsternopil
Password: $1$nlqz3wgz$dIkazFbakjPpdodx.jlRX1
Uid [#]: 2075
Gid [# or name]: 1038
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /services/ftp
Shell: /bin/csh
Full Name: 584. Tern. Vuzol spec-zvjazku
Office Location: s. Strilciv 6
Office Phone: 22-32-79
Home Phone:
Other information:
:wq

After editing the information about the user, saving it and updating the
information in the user database (master.passwd), two records about this
user appear: the old record and a record with the changes that were made by chsh:

ns# more /etc/master.passwd | grep emsternopil
emsternopil:$1$nlqz3wgz$dIkazFbakjPpdodx.jlRX1:2075:1038::0:0:584. Tern. Vuzol spec-zvjazku,s. Strilciv 6,22-32-79:/services/ftp:/bin/csh
emsternopil:$1$nlqz3wgz$dIkazFbakjPpdodx.jlRX1:2075:1038::0:0:584. Tern. Vuzol spec-zvjazku,s. Strilciv 6,33-90-22 22-32-79,43-59-80:/services/ftp:/bin/csh

In the older versions of FreeBSD (4.3 - 4.7) the chsh command works properly.
>How-To-Repeat:
ns# adduser
Username: Username
adduser dialog ...
ns# chsh Username
editing of gecos field ...
ns# chsh Username
editing of gecos field ...

The problem appears when the fields "Office Location:" and "Office Phone:"
were edited more than once by the command "chpass".
>Fix:
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->tjr
Responsible-Changed-By: tjr
Responsible-Changed-When: Fri Apr 4 04:27:27 PST 2003
Responsible-Changed-Why:
I'll handle this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=50563

Responsible-Changed-From-To: tjr->des
Responsible-Changed-By: tjr
Responsible-Changed-When: Tue Apr 8 03:16:00 PDT 2003
Responsible-Changed-Why:
This bug seems to have been caused by src/lib/libutil/pw_util.c
revision 1.24, and I don't have time to finish testing my patch for
the problem. Please notify security-officer@ when the bugs have been
fixed so that an advisory may be issued.

http://www.freebsd.org/cgi/query-pr.cgi?pr=50563

From: Tim Robbins
To: freebsd-gnats-submit@freebsd.org
Cc:
Subject: Re: bin/50563: two records about user in master.passwd after usage command "chsh"
Date: Tue, 8 Apr 2003 20:20:57 +1000

Here is a patch that seems to fix the security bug in libutil and the
non-security data corruption bug in chpass.

pw_util.c: Restore code to detect entries that have been modified while
the editor was running.

edit.c: Avoid clobbering pw_gecos with strsep() in display(); it is used
for comparison later, and will cause changes to the GECOS field to be
handled incorrectly.

Index: src/lib/libutil/pw_util.c =================================================================== RCS file: /home/ncvs/src/lib/libutil/pw_util.c,v retrieving revision 1.28 diff -u -p -r1.28 pw_util.c --- src/lib/libutil/pw_util.c 17 Mar 2003 02:12:55 -0000 1.28 +++ src/lib/libutil/pw_util.c 4 Apr 2003 12:34:18 -0000 
@@ -473,14 +473,19 @@ pw_copy(int ffd, int tfd, struct passwd *q = '\0'; fpw = pw_scan(r, PWSCAN_MASTER); *q = t; - if ((old_pw && !pw_equal(fpw, old_pw)) || - (!old_pw && strcmp(fpw->pw_name, pw->pw_name))) { + if (strcmp(fpw->pw_name, pw->pw_name)) { /* nope */ free(fpw); if (write(tfd, p, q - p + 1) != q - p + 1) goto err; ++q; continue; + } + if (old_pw && !pw_equal(fpw, old_pw)) { + warnx("entry inconsistent"); + free(fpw); + errno = EINVAL; /* hack */ + goto err; } free(fpw); Index: src/usr.bin/chpass/edit.c =================================================================== RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v retrieving revision 1.22 diff -u -p -r1.22 edit.c --- src/usr.bin/chpass/edit.c 8 May 2002 00:54:28 -0000 1.22 +++ src/usr.bin/chpass/edit.c 5 Apr 2003 02:43:19 -0000 @@ -109,7 +109,7 @@ static int display(const char *tfn, struct passwd *pw) { FILE *fp; - char *bp, *p; + char *bp, *gecos, *p; if ((fp = fopen(tfn, "w")) == NULL) { warn("%s", tfn); @@ -152,7 +152,12 @@ display(const char *tfn, struct passwd * *pw->pw_shell ? pw->pw_shell : _PATH_BSHELL); else list[E_SHELL].restricted = 1; - bp = pw->pw_gecos; + + if ((bp = gecos = strdup(pw->pw_gecos)) == NULL) { + warn(NULL); + fclose(fp); + return (-1); + } p = strsep(&bp, ","); p = strdup(p ? p : ""); @@ -182,6 +187,8 @@ display(const char *tfn, struct passwd * list[E_OTHER].save = bp; if (!list[E_OTHER].restricted || master_mode) (void)fprintf(fp, "Other information: %s\n", bp); + + free(gecos); (void)fchown(fileno(fp), getuid(), getgid()); (void)fclose(fp); State-Changed-From-To: open->feedback State-Changed-By: des State-Changed-When: Wed Apr 9 11:33:57 PDT 2003 State-Changed-Why: Fixed in -CURRENT. http://www.freebsd.org/cgi/query-pr.cgi?pr=50563 State-Changed-From-To: feedback->closed State-Changed-By: des State-Changed-When: Thu Jun 5 23:37:31 PDT 2003 State-Changed-Why: Fixed. http://www.freebsd.org/cgi/query-pr.cgi?pr=50563 >Unformatted:
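Review bot: In the added `if (old_pw && !pw_equal(fpw, old_pw))` block of the pw_util.c hunk, the failure is signalled with `errno = EINVAL; /* hack */` and a bare `warnx("entry inconsistent")`, so a caller cannot tell a concurrently modified entry from any other invalid-argument error, and the message does not say which entry was affected. Suggest including pw->pw_name in the warning and documenting the new failure mode where pw_copy() is described. Separately, fpw is dereferenced in `strcmp(fpw->pw_name, pw->pw_name)` straight after `pw_scan(r, PWSCAN_MASTER)` with no NULL check in the visible lines; if pw_scan() can fail on a malformed line, that should be handled before the comparison.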
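Review bot: In the last edit.c hunk (@@ -182,6 +187,8 @@), `free(gecos)` runs after `list[E_OTHER].save = bp;`, and bp was advanced by strsep() inside the buffer returned by `strdup(pw->pw_gecos)`, so list[E_OTHER].save is left pointing at freed memory once display() returns. If save is read after display(), store a separate copy of the remaining text (with its own NULL check) before freeing gecos, rather than the pointer into the temporary buffer.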
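A simplified model of the two defects discussed in this PR, as an added example that is not code from the PR or from FreeBSD: an in-place strsep() truncates the saved GECOS string so the saved entry no longer matches the file, and the pre-patch and patched match conditions of pw_copy() react differently to that mismatch. The names `rec`, `rec_equal`, `parse_gecos`, `copy_db` and `scenario` are hypothetical, the records are constructed, and two things are assumptions rather than facts from the page: that the new entry is appended when no record was replaced, and that the clobbered structure is the one later passed as old_pw.

```c
#define _DEFAULT_SOURCE   /* strsep() and strdup() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct rec { const char *name, *gecos; };   /* simplified passwd entry */

/* Hypothetical stand-in for pw_equal(): same name and same GECOS. */
static int rec_equal(const struct rec *a, const struct rec *b) {
    return !strcmp(a->name, b->name) && !strcmp(a->gecos, b->gecos);
}

/* Pre-patch display() ran strsep() on the caller's buffer, turning its first
 * ',' into '\0'; the patched code runs it on a strdup() copy instead. */
static int parse_gecos(char *gecos, int use_copy) {
    char *buf = use_copy ? strdup(gecos) : gecos, *bp = buf;
    if (buf == NULL) return -1;
    (void)strsep(&bp, ",");
    if (use_copy) free(buf);
    return 0;
}

/* Model of the pw_copy() match loop: returns how many records named
 * new_pw->name the output holds, or -1 for "entry inconsistent".
 * Assumption: if no record was replaced, new_pw is appended at the end. */
static int copy_db(const struct rec *db, int n, const struct rec *new_pw,
                   const struct rec *old_pw, int patched) {
    int i, replaced = 0, count = 0;
    for (i = 0; i < n; i++) {
        int same = !strcmp(db[i].name, new_pw->name);
        if (patched ? !same : !rec_equal(&db[i], old_pw)) {
            count += same;                /* line copied through unchanged */
            continue;
        }
        if (patched && !rec_equal(&db[i], old_pw)) return -1;
        replaced = 1; count++;            /* line replaced by new_pw */
    }
    return replaced ? count : count + 1;
}

/* Constructed data: user1 changes the office phone in an existing GECOS. */
static int scenario(int use_copy, int patched) {
    char old_gecos[] = "Full Name,Office 6,22-32-79";
    struct rec db[] = { { "root", "Admin" }, { "user1", "Full Name,Office 6,22-32-79" } };
    struct rec old_pw = { "user1", old_gecos }, new_pw = { "user1", "Full Name,Office 6,33-90-22" };
    if (parse_gecos(old_gecos, use_copy) != 0) return -2;
    return copy_db(db, 2, &new_pw, &old_pw, patched);
}

int main(void) {
    printf("pre-patch: %d, pw_copy fix only: %d, both fixes: %d\n", scenario(0, 0), scenario(0, 1), scenario(1, 1));
    return 0;
}
```

In this model the pre-patch combination leaves two user1 records, the patched match condition alone refuses the write, and with both changes exactly one record remains.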