Re: Format string vulnerability in libutil pw_error(3) function
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Format string vulnerability in libutil pw_error(3) function
- From: josh <dorqus_(_at_)_bsdfreek_(_dot_)_com>
- Date: Wed, 4 Oct 2000 13:21:19 -0400
Alex de Joode wrote...
> -SYNOPSIS
> -
> -A format string vulnerability present in the pw_error() function of
> -OpenBSD 2.7's libutil library can yield localhost users root access
> -through the setuid /usr/bin/chpass utility. This particular vulnerability
> -was repaired three months ago on June 30th in OpenBSD-current during a
> -complete source tree audit for format string problems.
>
>
> Maybe an obvious question but, is OpenBSD 2.6 also vulnerable?
Yes, it is. As are OpenBSD 2.5, FreeBSD 3.4/3.5/4.0-RELEASE and NetBSD 1.4.2.
I have tested the exploit against OpenBSD 2.6, 2.7 and FreeBSD 4.0
and it works.
> If so will there be a patch for 2.6 ?
> (Or does the 2.7 patch work for 2.6 also ?)
Same patch for 2.7 works for 2.6.
Or just edit /usr/src/lib/libutil/passwd.c
at line 582, change:
    warn(name);
to
    warn("%s", name);
Then do a "make clean && make depend && make && make install"
and you'll be patched.
--
josh at bsdfreek.com
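
Added example, not part of the original message and not OpenBSD's code: a small C model of the one-line change described above, showing that the unpatched call parses the name as a format string while the patched call treats it purely as data. The names model_warn, report_unpatched, report_patched and directives_consuming_args are hypothetical, model_warn only stands in for the formatting step of warn(3), and the sample name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the formatting step of warn(3): the argument
 * after the buffer is interpreted as a printf-style format string. */
static int model_warn(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Shape of the call before the fix: name itself is the format string. */
int report_unpatched(char *out, size_t n, const char *name)
{
    return model_warn(out, n, name);
}

/* Shape of the call after the fix: constant format, name is only data. */
int report_patched(char *out, size_t n, const char *name)
{
    return model_warn(out, n, "%s", name);
}

/* Count '%' directives that would make printf fetch an argument if s were
 * used as a format string; "%%" is a literal percent and fetches none. */
int directives_consuming_args(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *name = "100%% full";   /* constructed sample input */
    char a[64], b[64];
    /* Only "%%" is present, so the unpatched call stays well defined. */
    if (directives_consuming_args(name) == 0)
        report_unpatched(a, sizeof a, name);
    report_patched(b, sizeof b, name);
    printf("unpatched: [%s]\npatched:   [%s]\n", a, b);
    return 0;
}
```

The two outputs differ because only the unpatched call lets the contents of name reach the format parser; with the constant "%s" format the string is copied through byte for byte.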