* libmisc/salt.c: Make sure the salt string is terminated at the

   right place (either 8th, or 11th position).
 * NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
   not need 15 chars. No need for a temporary buffer.
   This change the fix committed on 2007-11-10. The salt provided to
   pw_encrypt could have been too long.

diff --git a/ChangeLog b/ChangeLog
index d1a4e6bd4b8889a0c56a490bd51136499e1708da..2534c488026483f306729f63569fabc222b0ca4c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2007-11-10  Nicolas François  <nicolas.francois@centraliens.net>
+
+       * libmisc/salt.c: Make sure the salt string is terminated at the
+       right place (either 8th, or 11th position).
+       * NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
+       not need 15 chars. No need for a temporary buffer.
+       This change the fix committed on 2007-11-10. The salt provided to
+       pw_encrypt could have been too long.
+
 2007-11-16  Nicolas François  <nicolas.francois@centraliens.net>
 
        * man/fr/fr.po: Fix typo: missing / in <placeholder-1/>. This

diff --git a/NEWS b/NEWS
index 38f35c18a3c164cc2e5d1c681dad3c18f50f1fc7..5d0fa96b3723f3a9c162be59022e0346e60dd49d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2                                      UNRELEASED
   useradd's -g option. Applied Debian patch 397_non_numerical_identifier.
   Thanks also to Greg Schafer <gschafer@zip.com.au>.
 - chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow. Based on
-  Fedora's shadow-4.0.18.1-overflow.patch.
+  the Fedora's shadow-4.0.18.1-overflow.patch and Debian's
+  495_salt_stack_smash patches.
 - newgrp: Don't ask for a password if there are no group passwords. Just
   directly give up.
 - The permissions of the suid binaries is now configurable in

diff --git a/libmisc/salt.c b/libmisc/salt.c
index 3ea8ae644b5ab7802685025e9c7a015117986031..4ccf36ccee77af7615b3e0dd855ef3c7c9bf992c 100644 (file)
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -62,11 +62,13 @@ char *crypt_make_salt (void)
 {
        struct timeval tv;
        static char result[40];
+       int max_salt_len = 8;
 
        result[0] = '\0';
 #ifndef USE_PAM
        if (getdef_bool ("MD5_CRYPT_ENAB")) {
                strcpy (result, "$1$"); /* magic for the new MD5 crypt() */
+               max_salt_len += 3;
        }
 #endif
 
@@ -77,8 +79,8 @@ char *crypt_make_salt (void)
        strcat (result, l64a (tv.tv_usec));
        strcat (result, l64a (tv.tv_sec + getpid () + clock ()));
 
-       if (strlen (result) > 3 + 8)    /* magic+salt */
-               result[11] = '\0';
+       if (strlen (result) > max_salt_len)     /* magic+salt */
+               result[max_salt_len] = '\0';
 
        return result;
 }

diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 1318badc14fce0a3fb2e89b803ad28bd48cf673b..e9c24f56670c10f75e83923c4ee87b6d34c4f21b 100644 (file)
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -243,14 +243,15 @@ int main (int argc, char **argv)
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char tmp[12];
-                               char salt[15] = "";
-
-                               strcat (tmp, crypt_make_salt ());
-                               if (!strncmp (tmp, "$1$", 3))
-                                       strcat (salt, "$1$");
-                               strcat (salt, tmp);
-                               cp = pw_encrypt (newpwd, salt);
+                               char md5salt[12] = "$1$";
+                               char *salt = crypt_make_salt ();
+
+                               if (strncmp (salt, "$1$", 3) == 0) {
+                                       strncpy (md5salt, salt, 11);
+                               } else {
+                                       strncat (md5salt, salt, 8);
+                               }
+                               cp = pw_encrypt (newpwd, md5salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());
                }

diff --git a/src/chpasswd.c b/src/chpasswd.c
index d1889e1fc4acccb3e54893213ae959689cf95767..c6bea6565ad70529db68edbfe976aa2655af0269 100644 (file)
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -239,13 +239,14 @@ int main (int argc, char **argv)
                newpwd = cp;
                if (!eflg) {
                        if (md5flg) {
-                               char tmp[12];
-                               char salt[15] = "";
-
-                               strcat (tmp, crypt_make_salt ());
-                               if (!strncmp (tmp, "$1$", 3))
-                                       strcat (salt, "$1$");
-                               strcat (salt, tmp);
+                               char md5salt[12] = "$1$";
+                               char *salt = crypt_make_salt ();
+
+                               if (strncmp (salt, "$1$", 3) == 0) {
+                                       strncpy (md5salt, salt, 11);
+                               } else {
+                                       strncat (md5salt, salt, 8);
+                               }
                                cp = pw_encrypt (newpwd, salt);
                        } else
                                cp = pw_encrypt (newpwd, crypt_make_salt ());