[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVS: cvs.openbsd.org: src

To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src
From: Jason Wright <jason@cvs.openbsd.org>
Date: Tue, 3 Oct 2000 18:44:22 -0600 (MDT)

CVSROOT:	/cvs
Module name:	src
Changes by:	jason@cvs.openbsd.org	2000/10/03 18:44:22

Modified files:
	lib/libutil    : Tag: OPENBSD_2_7 passwd.c 

Log message:
Pull in patch from current:
Errata:
A format string vulnerability exists in the pw_error(3) function. This
manifests itself as a security hole in the chpass utility.
Fix:
warnx?/errx? paranoia (use "%s" not a bare string unless it is a
constant).  These are not security holes but it is worth fixing
them anyway both for robustness and so folks looking for examples
in the tree are not misled into doing something potentially dangerous.
Furthermore, it is a bad idea to assume that pathnames will not
include '%' in them and that error routines don't return strings
with '%' in them (especially in light of the possibility of locales).

Prev by Date: CVS: cvs.openbsd.org: src
Next by Date: CVS: cvs.openbsd.org: ports
Prev by thread: CVS: cvs.openbsd.org: src
Next by thread: CVS: cvs.openbsd.org: src
Index(es):
- Date
- Thread