From nobody  Sun Oct 27 07:47:04 1996
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA27722;
          Sun, 27 Oct 1996 07:47:04 -0800 (PST)
Message-Id: <199610271547.HAA27722@freefall.freebsd.org>
Date: Sun, 27 Oct 1996 07:47:04 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
Subject: /usr/bin/su is not careful enough in verifying command line input
X-Send-Pr-Version: www-1.0

>Number:         1904
>Category:       bin
>Synopsis:       /usr/bin/su is not careful enough in verifying command line input
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 27 07:50:02 PST 1996
>Closed-Date:    Mon May 25 23:40:20 PDT 1998
>Last-Modified:  Mon May 25 23:43:34 PDT 1998
>Originator:     Thomas Ptacek
>Release:        FreeBSD 2.1.5-RELEASE
>Organization:
EnterAct, L.L.C.
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep  9 03:07:45 CDT 1996
tqbf@adam:/home1/src/sys/compile/ADAMSTOMP  i386
>Description:
su takes an argument (the name of the user to 'su' to). It verifies 
that this name is sane by calling getpwnam() on it; if getpwnam() 
returns NULL, the username is considered insane and the program 
terminates. If getpwnam() returns anything besides NULL, the username
is considered valid.

If getpwnam() can be made to match any user as a result of an
overly long, wacky string, that wacky string will be tossed around
'su' without bounds checking. 'su' should make a local copy of the
pwent->pw_name from the record it matched, and use that instead.

I can only see a problem with this on systems with a broken 
syslog() (the "user" variable, which is a pointer to an argument
from the command line, is passed verbatim to syslog() in the event
of a successful getpwnam() on it) - however, there's enough of 
those systems floating around for this to be of concern.


>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Mon May 25 00:48:32 PDT 1998 
State-Changed-Why:  
awaiting committer 
State-Changed-From-To: suspended->closed 
State-Changed-By: danny 
State-Changed-When: Mon May 25 23:40:20 PDT 1998 
State-Changed-Why:  
Fixed in -current and in -stable. 
>Unformatted:

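The pattern the report describes, beside the fix it proposes, as an added example in C. This is not the FreeBSD su source and not code from the submitter: a constructed two-entry password table and a hypothetical `lenient_getpwnam()` that compares only the first eight characters stand in for the real getpwnam(), so the "matches an over-long string" case can be triggered deliberately and the example runs offline. The eight-character prefix rule is this example's own assumption, chosen only to make a lookup succeed on a long string; the report itself does not say how getpwnam() might be fooled. `user_from_arg_unsafe()` returns the caller's argument after a successful lookup, which is the behaviour the report objects to; `user_from_arg_safe()` copies `pw_name` from the matched record into a bounded local buffer, which is the fix the report asks for.

```c
/*
 * Added example (not FreeBSD's su, not the submitter's code).
 * A constructed password table and a hypothetical lenient resolver
 * replace getpwnam() so the example is self-contained.
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed password table: only pw_name and pw_uid are filled in. */
static struct passwd table[] = {
    { .pw_name = "root",     .pw_uid = 0 },
    { .pw_name = "operator", .pw_uid = 2 },
};

/*
 * Hypothetical lenient resolver (an assumption of this example):
 * compares only the first 8 characters, so "operator" followed by any
 * amount of junk still "matches" the operator record.
 */
static struct passwd *lenient_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(table[i].pw_name, name, 8) == 0)
            return &table[i];
    return NULL;
}

/*
 * The pattern the report complains about: after a successful lookup the
 * string handed on (e.g. to syslog()) is the caller's argument, however
 * long it is, not the name that was actually matched.
 */
static const char *user_from_arg_unsafe(const char *arg)
{
    struct passwd *pw = lenient_getpwnam(arg);
    return pw ? arg : NULL;
}

/*
 * The fix the report asks for: take pw_name from the matched record,
 * copy it into a bounded local buffer, and use only that afterwards.
 * Returns 0 on success, -1 if there is no match or the name will not fit.
 */
static int user_from_arg_safe(const char *arg, char *out, size_t outlen)
{
    struct passwd *pw = lenient_getpwnam(arg);
    if (pw == NULL)
        return -1;
    size_t n = strlen(pw->pw_name);
    if (n >= outlen)            /* refuse rather than truncate silently */
        return -1;
    memcpy(out, pw->pw_name, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed over-long argument: "operator" followed by 247 'A's. */
    char arg[256];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    memcpy(arg, "operator", 8);

    const char *forwarded = user_from_arg_unsafe(arg);
    printf("unsafe: lookup succeeded, %zu bytes of caller input forwarded\n",
           forwarded ? strlen(forwarded) : 0);

    char name[32];
    if (user_from_arg_safe(arg, name, sizeof name) == 0)
        printf("safe:   using matched pw_name \"%s\" (%zu bytes)\n",
               name, strlen(name));
    return 0;
}
```

The distinction that matters is which pointer survives the check: the unsafe version validates `arg` and then keeps using `arg`, so the validation says nothing about the length of what is later formatted or logged; the safe version discards `arg` once the lookup has succeeded and works only from the matched record's `pw_name`, whose length is bounded by the buffer check.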