NetBSD Security Advisory 2000-015 - The pw_error() function of the system libutil library, used by several programs including the setuid passwd program, was vulnerable to a format string attack resulting in local root compromise.
0bd58837c2ea7980937b6ae199b243b9a170c7e4f70bff757e2e5df990146a4b-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2000-015
=================================
Topic: format-string bugs in passwd/libutil
Version: all releases up to and including 1.4.2
Severity: local root compromise possible
Fixed: 2000/10/03 in -current and netbsd-1-5 branches
2000/10/04 in netbsd-1-4 branch.
fix will be in the 1.4.3 and 1.5 releases
Abstract
========
The pw_error() function of the system libutil library, used by several
programs including the setuid passwd program, was vulnerable to a
format string attack.
Technical Details
=================
pw_error passed its first argument to the warn(3) function, which
interprets its first argument as a format string. in certain
circumstances, passwd(1) passes a value derived from untrusted user
input to pw_error().
Solutions and Workarounds
=========================
The problem was fixed in NetBSD-current on 2000/10/03; systems running
NetBSD-current dated from before that date should be upgraded to
NetBSD-current dated 2000/10/04 or later. The two active release
branches were both fixed by 2000/10/05.
Systems running releases older than NetBSD 1.4 should be upgraded to
NetBSD 1.4.2 before applying the fixes described here.
Systems running 1.4.2 should apply the following patch to
lib/libutil/passwd.c usign the patch(1), and rebuild and reinstall the
"libutil" library. On systems which do not support shared libraries,
you should then rebuild and reinstall the "passwd" command.
- --- lib/libutil/passwd.c 1999/12/04 20:00:55 1.15.2.1
+++ lib/libutil/passwd.c 2000/10/04 14:11:02 1.15.2.2
@@ -319,7 +319,7 @@
int err, eval;
{
if (err)
- - warn(name);
+ warn("%s", name);
warnx("%s: unchanged", _PATH_MASTERPASSWD);
pw_abort();
Revision History
================
20001024 Initial draft of advisory.
More Information
================
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2000-015.txt,v 1.3 2000/10/26 15:22:01 sommerfeld Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBOfhMIT5Ru2/4N2IFAQFsPQP+P0d5nzIuDDlXFeS/8Oksb91uGaGoPrZl
sd2JASfLXcgPAemQVLzuAqNsJwxjcDpKlwvbDUrySSrvi4FxJ8scjlUl4g7XCf3G
MfY/NqB2bfoLJIUv3PT3Vx/bHi5rYodu4uqopXQZwWg/PfmXEa0LRgDk/UOuxoNC
+yq0nhXqsOE=
=iNoz
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed