From: mancha <mancha1@hush.com>
Date: Thu, 11 Jul 2013 10:08:07 +0100
Subject: Handle NULL returns from glibc 2.17+ crypt()
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
(w/ NULL return) if the salt violates specifications. Additionally,
on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
passed to crypt() fail with EPERM (w/ NULL return).
When using glibc's crypt(), check return value to avoid a possible
NULL pointer dereference.
Patch by mancha1@hush.com.
---
pwcheck/pwcheck_getpwnam.c | 3 ++-
pwcheck/pwcheck_getspnam.c | 4 +++-
saslauthd/auth_getpwent.c | 4 +++-
saslauthd/auth_shadow.c | 8 +++-----
4 files changed, 11 insertions(+), 8 deletions(-)
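diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
index 4b34222..400289c 100644
--- a/pwcheck/pwcheck_getpwnam.c
+++ b/pwcheck/pwcheck_getpwnam.c
@@ -32,6 +32,7 @@ char *userid;
 char *password;
 {
 char* r;
+ char* crpt_passwd;
 struct passwd *pwd;
 
 pwd = getpwnam(userid);
@@ -41,7 +42,7 @@ char *password;
 else if (pwd->pw_passwd[0] == '*') {
 r = "Account disabled";
 }
- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
+ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
 r = "Incorrect password";
 }
 else {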
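Review bot: The new `else if` test in the second hunk buries the assignment to `crpt_passwd` inside a condition that runs well past 100 columns, which makes the NULL check easy to miss on a later edit; pwcheck_getspnam.c in this same patch uses the clearer call-then-test form. The `(const char *)` cast is also redundant, since `crpt_passwd` is already a `char *`. If the else-if chain has to stay, I would at least split the line and drop the cast: `else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) ||` followed by `strcmp(pwd->pw_passwd, crpt_passwd) != 0) {`. The last hunk of saslauthd/auth_shadow.c has the same one-line shape; the function here starts before and ends after the lines shown.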
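diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
index 2b11286..6d607bb 100644
--- a/pwcheck/pwcheck_getspnam.c
+++ b/pwcheck/pwcheck_getspnam.c
@@ -32,13 +32,15 @@ char *userid;
 char *password;
 {
 struct spwd *pwd;
+ char *crpt_passwd;
 
 pwd = getspnam(userid);
 if (!pwd) {
 return "Userid not found";
 }
 
- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
+ crpt_passwd = crypt(password, pwd->sp_pwdp);
+ if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
 return "Incorrect password";
 }
 else {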
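diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
index fc8029d..d4ebe54 100644
--- a/saslauthd/auth_getpwent.c
+++ b/saslauthd/auth_getpwent.c
@@ -77,6 +77,7 @@ auth_getpwent (
 {
 /* VARIABLES */
 struct passwd *pw; /* pointer to passwd file entry */
+ char *crpt_passwd; /* encrypted password */
 int errnum;
 /* END VARIABLES */
 
@@ -105,7 +106,8 @@ auth_getpwent (
 }
 }
 
- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
+ crpt_passwd = crypt(password, pw->pw_passwd);
+ if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
 if (flags & VERBOSE) {
 syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
 }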
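Review bot: A NULL return from crypt() lands in the same branch as a wrong password in the second hunk, so with VERBOSE set the log still reads "invalid password" when the actual cause is a rejected salt (EINVAL) or a hash type disallowed under FIPS (EPERM). An operator would see every login for the affected accounts fail with nothing pointing at the stored hash format. I would report the failure on its own right after the call, e.g. `if (!crpt_passwd) syslog(LOG_ERR, "auth_getpwent: crypt() failed for %s: %m", login);`, before falling into the existing mismatch path. The same gap exists at both crypt() calls in saslauthd/auth_shadow.c; auth_getpwent's body starts and ends outside the hunks shown.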
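diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
index d0efa9a..c00faa3 100644
--- a/saslauthd/auth_shadow.c
+++ b/saslauthd/auth_shadow.c
@@ -211,8 +211,8 @@ auth_shadow (
 RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
 }
 
- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
- if (strcmp(sp->sp_pwdp, cpw)) {
+ cpw = crypt(password, sp->sp_pwdp);
+ if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
 if (flags & VERBOSE) {
 /*
 * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
@@ -222,10 +222,8 @@ auth_shadow (
 syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
 sp->sp_pwdp, cpw);
 }
- free(cpw);
 RETURN("NO Incorrect password");
 }
- free(cpw);
 
 /*
 * The following fields will be set to -1 if:
@@ -287,7 +285,7 @@ auth_shadow (
 RETURN("NO Invalid username");
 }
 
- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
+ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
 if (flags & VERBOSE) {
 syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
 password, upw->upw_passwd);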
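Review bot: With the new `!cpw ||` test in the first hunk, the mismatch branch is now also entered when crypt() returned NULL, and the VERBOSE `syslog(..., sp->sp_pwdp, cpw)` in the second hunk then passes a NULL pointer to `%s`, which is undefined behaviour wherever the C library does not substitute "(null)". The argument should be guarded, e.g. `sp->sp_pwdp, cpw ? cpw : "(crypt failed)");`. The lines between the first and second hunk are not shown, so this assumes the syslog call sits inside that branch, as the surrounding context suggests. Separately, the context of the last hunk shows the cleartext `password` being written to syslog under VERBOSE; that predates this patch, but it should be removed from the format arguments while this code is being touched.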