Fix chpasswd and chgpasswd stack overflow. Based on Fedora's shadow-4.0.18.1-overflow...

diff --git a/ChangeLog b/ChangeLog
index 50193bdcf39ec0e3338162408eae427e6d1b2788..7e70f78da85fefff6a33407c55f02e9ae3c732a2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
 2007-11-10  Nicolas François  <nicolas.francois@centraliens.net>
 
-       * NEWS, src/useradd.c: allow non numerical group identifier to be
+       * NEWS, src/chgpasswd.c, src/chpasswd.c: Fix chpasswd and
+       chgpasswd stack overflow. Based on Fedora's
+       shadow-4.0.18.1-overflow.patch.
+
+2007-11-10  Nicolas François  <nicolas.francois@centraliens.net>
+
+       * NEWS, src/useradd.c: Allow non numerical group identifier to be
        specified with useradd's -g option. Applied Debian patch
        397_non_numerical_identifier. Thanks also to Greg Schafer
        <gschafer@zip.com.au>.

diff --git a/NEWS b/NEWS
index 69f16c5a5a42da44c8d7bc30caa7fd1001931ffb..3b2449c04ad558f471312118c3ca837e4357aeb7 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2                                      UNRELEASED
 - useradd: Allow non numerical group identifier to be specified with
   useradd's -g option. Applied Debian patch 397_non_numerical_identifier.
   Thanks also to Greg Schafer <gschafer@zip.com.au>.
+- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow. Based on
+  Fedora's shadow-4.0.18.1-overflow.patch.
 
 shadow-4.0.18.1 -> shadow-4.0.18.2                                     28-10-2007
 

diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index a9ea4a0e116dca62b952cb693e85d7730fc3c155..a3326bf949cdc4bd7490e8e392105eb1579f6ca3 100644 (file)
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -243,9 +243,13 @@ int main (int argc, char **argv)
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char salt[12] = "$1$";
+                               char tmp[12];
+                               char salt[15] = "";
 
-                               strcat (salt, crypt_make_salt ());
+                               strcat (tmp, crypt_make_salt ());
+                               if (!strncmp (tmp, "$1$", 3))
+                                       strcat (salt, "$1$");
+                               strcat (salt, tmp);
                                cp = pw_encrypt (newpwd, salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());

diff --git a/src/chpasswd.c b/src/chpasswd.c
index 5e159c3f980a6d9ad3941bf85eb97bd6c74a765d..2836ef73ebcc8862fcfe5f271ed38bddcb868e33 100644 (file)
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -239,9 +239,13 @@ int main (int argc, char **argv)
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char salt[12] = "$1$";
+                               char tmp[12];
+                               char salt[15] = "";
 
-                               strcat (salt, crypt_make_salt ());
+                               strcat (tmp, crypt_make_salt ());
+                               if (!strncmp (tmp, "$1$", 3))
+                                       strcat (salt, "$1$");
+                               strcat (salt, tmp);
                                cp = pw_encrypt (newpwd, salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());