
Re: Format string vulnerability in libutil pw_error(3) function



Alex de Joode wrote...
> -SYNOPSIS
> -
> -A format string vulnerability present in the pw_error() function of
> -OpenBSD 2.7's libutil library can yield localhost users root access
> -through the setuid /usr/bin/chpass utility. This particular vulnerability
> -was repaired three months ago on June 30th in OpenBSD-current during a
> -complete source tree audit for format string problems.
> 
> 
> Maybe an obvious question, but is OpenBSD 2.6 also vulnerable?

Yes, it is. As are OpenBSD 2.5, FreeBSD 3.4/3.5/4.0-RELEASE and NetBSD 1.4.2.
I have tested the exploit against OpenBSD 2.6, 2.7 and FreeBSD 4.0
and it works.

> If so, will there be a patch for 2.6?
> (Or does the 2.7 patch work for 2.6 also?)

Same patch for 2.7 works for 2.6.
Or just edit /usr/src/lib/libutil/passwd.c
at line 582, change:
		warn(name);
to
		warn("%s", name);

Then do a "make clean && make depend && make && make install"
and you'll be patched.

--
josh at bsdfreek.com
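
The one-line change above, as an added example that is not part of the original post or of the OpenBSD source: it formats the same string the pre-patch way and the patched way so the difference is visible. The names fmt_into, report_unpatched, report_patched and consumes_args are hypothetical; fmt_into stands in for warn(3) but writes to a buffer, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for warn(3): same printf-style contract, but it
 * formats into buf so the result can be inspected. */
static int fmt_into(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-patch pattern, warn(name): name is parsed as the format string. */
int report_unpatched(char *buf, size_t len, const char *name)
{
    return fmt_into(buf, len, name);
}

/* Patched pattern, warn("%s", name): name is only ever data. */
int report_patched(char *buf, size_t len, const char *name)
{
    return fmt_into(buf, len, "%s", name);
}

/* Returns 1 if s holds any '%' other than a literal "%%" pair, i.e. a
 * directive that would read arguments the caller never passed. */
int consumes_args(const char *s)
{
    for (; *s; s++)
        if (*s == '%' && *++s != '%')
            return 1;
    return 0;
}

int main(void)
{
    const char *name = "master%%passwd"; /* constructed sample input */
    char a[64], b[64];
    if (consumes_args(name))
        return 1; /* never feed such a name to the unpatched form */
    report_unpatched(a, sizeof a, name);
    report_patched(b, sizeof b, name);
    printf("unpatched: %s\npatched:   %s\n", a, b);
    return 0;
}
```

The unpatched form collapses "%%" to "%" because the input is being interpreted as a format; the patched form prints the input byte for byte, whatever it contains.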