* libmisc/salt.c: Make sure the salt string is terminated at the

right place (either 8th, or 11th position).
 * NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
   not need 15 chars. No need for a temporary buffer.
   This change the fix committed on 2007-11-10. The salt provided to
   pw_encrypt could have been too long.
This commit is contained in:
nekral-guest 2007-11-16 19:02:00 +00:00
parent e163c5fe9c
commit 449f17385a
5 changed files with 30 additions and 16 deletions

View File

@ -1,3 +1,12 @@
2007-11-10 Nicolas François <nicolas.francois@centraliens.net>
* libmisc/salt.c: Make sure the salt string is terminated at the
right place (either 8th, or 11th position).
* NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
not need 15 chars. No need for a temporary buffer.
This change the fix committed on 2007-11-10. The salt provided to
pw_encrypt could have been too long.
2007-11-16 Nicolas François <nicolas.francois@centraliens.net>
* man/fr/fr.po: Fix typo: missing / in <placeholder-1/>. This

3
NEWS
View File

@ -7,7 +7,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED
useradd's -g option. Applied Debian patch 397_non_numerical_identifier.
Thanks also to Greg Schafer <gschafer@zip.com.au>.
- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow. Based on
Fedora's shadow-4.0.18.1-overflow.patch.
the Fedora's shadow-4.0.18.1-overflow.patch and Debian's
495_salt_stack_smash patches.
- newgrp: Don't ask for a password if there are no group passwords. Just
directly give up.
- The permissions of the suid binaries is now configurable in

View File

@ -62,11 +62,13 @@ char *crypt_make_salt (void)
{
struct timeval tv;
static char result[40];
int max_salt_len = 8;
result[0] = '\0';
#ifndef USE_PAM
if (getdef_bool ("MD5_CRYPT_ENAB")) {
strcpy (result, "$1$"); /* magic for the new MD5 crypt() */
max_salt_len += 3;
}
#endif
@ -77,8 +79,8 @@ char *crypt_make_salt (void)
strcat (result, l64a (tv.tv_usec));
strcat (result, l64a (tv.tv_sec + getpid () + clock ()));
if (strlen (result) > 3 + 8) /* magic+salt */
result[11] = '\0';
if (strlen (result) > max_salt_len) /* magic+salt */
result[max_salt_len] = '\0';
return result;
}

View File

@ -243,14 +243,15 @@ int main (int argc, char **argv)
newpwd = cp;
if (!eflg) {
if (md5flg) {
char tmp[12];
char salt[15] = "";
char md5salt[12] = "$1$";
char *salt = crypt_make_salt ();
strcat (tmp, crypt_make_salt ());
if (!strncmp (tmp, "$1$", 3))
strcat (salt, "$1$");
strcat (salt, tmp);
cp = pw_encrypt (newpwd, salt);
if (strncmp (salt, "$1$", 3) == 0) {
strncpy (md5salt, salt, 11);
} else {
strncat (md5salt, salt, 8);
}
cp = pw_encrypt (newpwd, md5salt);
} else
cp = pw_encrypt (newpwd, crypt_make_salt ());
}

View File

@ -239,13 +239,14 @@ int main (int argc, char **argv)
newpwd = cp;
if (!eflg) {
if (md5flg) {
char tmp[12];
char salt[15] = "";
char md5salt[12] = "$1$";
char *salt = crypt_make_salt ();
strcat (tmp, crypt_make_salt ());
if (!strncmp (tmp, "$1$", 3))
strcat (salt, "$1$");
strcat (salt, tmp);
if (strncmp (salt, "$1$", 3) == 0) {
strncpy (md5salt, salt, 11);
} else {
strncat (md5salt, salt, 8);
}
cp = pw_encrypt (newpwd, salt);
} else
cp = pw_encrypt (newpwd, crypt_make_salt ());