From ipfw@ya3.so-net.ne.jp  Tue May 29 16:07:16 2001
Return-Path: <ipfw@ya3.so-net.ne.jp>
Received: from mgate11.so-net.ne.jp (mgate11.so-net.ne.jp [210.139.254.158])
	by hub.freebsd.org (Postfix) with ESMTP id 3A1F037B422
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 May 2001 16:07:15 -0700 (PDT)
	(envelope-from ipfw@ya3.so-net.ne.jp)
Received: from mail.ya3.so-net.ne.jp (mspool11.so-net.ne.jp [210.139.248.11])
	by mgate11.so-net.ne.jp (8.9.3/3.7W01050922) with ESMTP id IAA12484
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 May 2001 08:07:13 +0900 (JST)
Received: from localhost (pdf4822.kngwnt01.ap.so-net.ne.jp [202.223.72.34])
	by mail.ya3.so-net.ne.jp  with ESMTP id f4TN7C426341
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 May 2001 08:07:12 +0900 (JST)
Message-Id: <20010530080644E.koya@pluto.math.yokohama-cu.ac.jp>
Date: Wed, 30 May 2001 08:06:44 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Sender: Yoshihiro Koya <koya@math.yokohama-cu.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Wrong format specifiers in chpass(1)
X-Send-Pr-Version: 3.113

>Number:         27757
>Category:       bin
>Synopsis:       chpass(1) converts a large uid to a negative one
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    mike
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 29 16:10:02 PDT 2001
>Closed-Date:    Thu Aug 2 07:39:14 PDT 2001
>Last-Modified:  Thu Aug 02 07:39:52 PDT 2001
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
Dept. of Math. Sci, Yokohama City Univ.
>Environment:
System: FreeBSD presario.my.domain 4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 23 23:23:02 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386

Also for 5.0-CURRENT as of May 30
>Description:
	A wrong format specifier for snprintf used in the sources of
	chpass(1) generates a negative uid as a string.
>How-To-Repeat:

# vipw
(add some user with arbitrary uid)
# chpass foo
(edit as follows, for example)

#Changing user database information for foo.
Login: foo
Password: *
Uid [#]: 4294967295
Gid [# or name]: 20
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/foo
Shell: /bin/csh
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:

(quit the editor. Then you would have ...)
/etc/pw.CRUoUQ: 15 lines, 291 characters.
chpass: -1 > recommended max uid value (65535)
chpass: updating the database...
pwd_mkdb: -1 > recommended max uid value (65535)
chpass: done

Also, you would find the following entry in your /etc/master.passwd

foo:*:-1:20:User &:/home/foo:/bin/csh

>Fix:

Index: edit.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v
retrieving revision 1.18
diff -u -r1.18 edit.c
--- edit.c	2000/09/06 18:16:46	1.18
+++ edit.c	2001/05/29 21:53:59
@@ -255,7 +255,7 @@
 		pw->pw_gecos[len - 1] = '\0';
 
 	if (snprintf(buf, sizeof(buf),
-	    "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s",
+	    "%s:%s:%u:%u:%s:%ld:%ld:%s:%s:%s",
 	    pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class,
 	    pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir,
 	    pw->pw_shell) >= sizeof(buf)) {
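Review bot: `pw->pw_change` and `pw->pw_expire` are still passed to `%ld:%ld` without a cast in this snprintf call, and `%u` for `pw->pw_uid` and `pw->pw_gid` relies on uid_t and gid_t promoting to unsigned int. Suggest making every argument match its conversion explicitly, for example `%lu` with `(unsigned long)pw->pw_uid` and `%ld` with `(long)pw->pw_change`, so the format string does not depend on the platform's type widths.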
Index: pw_copy.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/pw_copy.c,v
retrieving revision 1.9
diff -u -r1.9 pw_copy.c
--- pw_copy.c	1999/09/06 17:30:02	1.9
+++ pw_copy.c	2001/05/29 22:18:06
@@ -64,8 +64,8 @@
 	char chgstr[20];
 	char expstr[20];
 
-	snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
-	snprintf(gidstr, sizeof(gidstr), "%d", pw->pw_gid);
+	snprintf(uidstr, sizeof(uidstr), "%u", pw->pw_uid);
+	snprintf(gidstr, sizeof(gidstr), "%u", pw->pw_gid);
 	snprintf(chgstr, sizeof(chgstr), "%ld", (long)pw->pw_change);
 	snprintf(expstr, sizeof(expstr), "%ld", (long)pw->pw_expire);
 
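Review bot: the two changed snprintf calls pass `pw->pw_uid` and `pw->pw_gid` to `%u` uncast, while the unchanged lines directly below already cast their time fields to `(long)` for `%ld`. Use the same explicit pattern here, `"%lu", (unsigned long)pw->pw_uid`, so all four conversions in this block are handled consistently.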
>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/27757: Wrong format specifiers in chpass(1)
Date: Wed, 30 May 2001 20:51:53 +1000 (EST)

 On Wed, 30 May 2001, Yoshihiro Koya wrote:
 
 > >Description:
 > 	A wrong format specifier for snprintf used in the sources of
 > 	chpass(1) generates a negative uid as a string.
 > 
 > Index: edit.c
 > ===================================================================
 > RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v
 > retrieving revision 1.18
 > diff -u -r1.18 edit.c
 > --- edit.c	2000/09/06 18:16:46	1.18
 > +++ edit.c	2001/05/29 21:53:59
 > @@ -255,7 +255,7 @@
 >  		pw->pw_gecos[len - 1] = '\0';
 >  
 >  	if (snprintf(buf, sizeof(buf),
 > -	    "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s",
 > +	    "%s:%s:%u:%u:%s:%ld:%ld:%s:%s:%s",
 >  	    pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class,
 >  	    pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir,
 >  	    pw->pw_shell) >= sizeof(buf)) {
 
 There are some other printf format errors here.  The default promotion of
 uid_t and gid_t is assumed to be u_int.  This just happens to be correct
 on all supported machines.  The default promotion of time_t is assumed to
 be long.  This happens to be incorrect on all supported machines (but may
 magically work).
 
 Bruce
 
Responsible-Changed-From-To: freebsd-bugs->mike 
Responsible-Changed-By: mike 
Responsible-Changed-When: Wed Jul 18 08:27:40 PDT 2001 
Responsible-Changed-Why:  

I'll take a look at this PR. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27757 

From: Mike Barcroft <mike@FreeBSD.org>
To: Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@FreeBSD.org,
	Yoshihiro.Koya@math.yokohama-cu.ac.jp
Subject: Re: bin/27757: Wrong format specifiers in chpass(1)
Date: Wed, 18 Jul 2001 23:10:11 -0400

 Bruce,
 Would you mind reviewing the patch at the end of this message?  I
 believe it addresses your concerns regarding the originator's patch
 in PR #27757.
 
 Best regards,
 Mike Barcroft
 
 ----------------------------------------------------------------------
 
 Index: chpass/chpass.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/chpass/chpass.c,v
 retrieving revision 1.17
 diff -u -r1.17 chpass.c
 --- chpass/chpass.c	2000/09/06 18:16:46	1.17
 +++ chpass/chpass.c	2001/07/19 00:39:41
 @@ -173,7 +173,8 @@
  #else
  		case 0:
  			if (!(pw = getpwuid(uid)))
 -				errx(1, "unknown user: uid %u", uid);
 +				errx(1, "unknown user: uid %lu",
 +				    (unsigned long)uid);
  			break;
  		case 1:
  			if (!(pw = getpwnam(*argv)))
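Review bot: the declaration of `uid` is outside this hunk, so the `(unsigned long)uid` cast in the errx call is only right if `uid` is a uid_t. If it is a signed int holding a large uid, the cast sign-extends where long is 64 bits and the message prints a huge value. Please confirm the declared type, and change it to uid_t if it is not one already.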
 Index: chpass/edit.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v
 retrieving revision 1.18
 diff -u -r1.18 edit.c
 --- chpass/edit.c	2000/09/06 18:16:46	1.18
 +++ chpass/edit.c	2001/07/19 00:39:41
 @@ -115,8 +115,9 @@
  #endif /* YP */
  		(void)fprintf(fp, "Login: %s\n", pw->pw_name);
  		(void)fprintf(fp, "Password: %s\n", pw->pw_passwd);
 -		(void)fprintf(fp, "Uid [#]: %d\n", pw->pw_uid);
 -		(void)fprintf(fp, "Gid [# or name]: %d\n", pw->pw_gid);
 +		(void)fprintf(fp, "Uid [#]: %lu\n", (unsigned long)pw->pw_uid);
 +		(void)fprintf(fp, "Gid [# or name]: %lu\n",
 +		    (unsigned long)pw->pw_gid);
  		(void)fprintf(fp, "Change [month day year]: %s\n",
  		    ttoa(pw->pw_change));
  		(void)fprintf(fp, "Expire [month day year]: %s\n",
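Review bot: the `Uid [#]:` and `Gid [# or name]:` lines are now correct for display, but the warning shown in the report (`-1 > recommended max uid value (65535)`, printed by both chpass and pwd_mkdb) comes from code that none of the hunks in this patch touch. Please check whether that warning uses a signed conversion as well, otherwise the report's symptom may persist in the diagnostic output.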
 @@ -255,9 +256,10 @@
  		pw->pw_gecos[len - 1] = '\0';
  
  	if (snprintf(buf, sizeof(buf),
 -	    "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s",
 -	    pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class,
 -	    pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir,
 +	    "%s:%s:%lu:%lu:%s:%ld:%ld:%s:%s:%s",
 +	    pw->pw_name, pw->pw_passwd, (unsigned long)pw->pw_uid, 
 +	    (unsigned long)pw->pw_gid, pw->pw_class, (long)pw->pw_change,
 +	    (long)pw->pw_expire, pw->pw_gecos, pw->pw_dir,
  	    pw->pw_shell) >= sizeof(buf)) {
  		warnx("entries too long");
  		free(p);
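Review bot: the added line `pw->pw_name, pw->pw_passwd, (unsigned long)pw->pw_uid, ` ends with trailing whitespace; please strip it. Separately, the `>= sizeof(buf)` test compares snprintf's int return with a size_t, so an error return of -1 converts to a large unsigned value and is reported as "entries too long". That fails safe, but an explicit `< 0` check or a comment would make it intentional.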
 Index: chpass/pw_copy.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/chpass/pw_copy.c,v
 retrieving revision 1.9
 diff -u -r1.9 pw_copy.c
 --- chpass/pw_copy.c	1999/09/06 17:30:02	1.9
 +++ chpass/pw_copy.c	2001/07/19 00:39:41
 @@ -64,8 +64,8 @@
  	char chgstr[20];
  	char expstr[20];
  
 -	snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
 -	snprintf(gidstr, sizeof(gidstr), "%d", pw->pw_gid);
 +	snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long)pw->pw_uid);
 +	snprintf(gidstr, sizeof(gidstr), "%lu", (unsigned long)pw->pw_gid);
  	snprintf(chgstr, sizeof(chgstr), "%ld", (long)pw->pw_change);
  	snprintf(expstr, sizeof(expstr), "%ld", (long)pw->pw_expire);
  
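Review bot: none of the four snprintf results in this block is checked, and `chgstr[20]` and `expstr[20]` cannot hold the most negative 64-bit long (20 characters plus the terminating NUL), so the `%ld` output can be silently truncated where long is 64 bits. Suggest sizing the buffers for the widest value of the cast type, and confirming that `uidstr` and `gidstr`, declared above this hunk, are large enough for `%lu`.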
State-Changed-From-To: open->closed 
State-Changed-By: mike 
State-Changed-When: Thu Aug 2 07:39:14 PDT 2001 
State-Changed-Why:  

This has been fixed in -CURRENT and -STABLE. 

>Unformatted:
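The uid round trip discussed in this PR, as an added example that is not part of the original report or of the FreeBSD sources: it formats uid 4294967295 with the signed and the explicitly cast unsigned conversion, then checks the uid field of a passwd-style line such as the one quoted in How-To-Repeat. `demo_uid_t`, the function names and the status enum are hypothetical, and `uint32_t` is assumed to stand in for a 32-bit unsigned uid_t.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: uint32_t stands in for a 32-bit unsigned uid_t. */
typedef uint32_t demo_uid_t;

/* Pre-fix behaviour: "%d" shows the value reinterpreted as a signed int. */
int format_uid_signed(char *out, size_t n, demo_uid_t uid)
{
	return snprintf(out, n, "%d", (int)uid);
}

/* Post-fix style: the cast matches the conversion specifier exactly. */
int format_uid_unsigned(char *out, size_t n, demo_uid_t uid)
{
	return snprintf(out, n, "%lu", (unsigned long)uid);
}

enum uid_status { UID_OK, UID_NEGATIVE, UID_NOT_NUMERIC, UID_OUT_OF_RANGE };

/* Classify the uid (third colon-separated field) of a passwd-style line. */
enum uid_status check_uid_field(const char *line)
{
	const char *p = line;
	char *end;
	unsigned long long v;
	int i;

	for (i = 0; i < 2; i++) {	/* skip the name and password fields */
		p = strchr(p, ':');
		if (p == NULL)
			return UID_NOT_NUMERIC;
		p++;
	}
	if (*p == '-')			/* e.g. the "-1" written by the bug */
		return UID_NEGATIVE;
	if (*p < '0' || *p > '9')
		return UID_NOT_NUMERIC;
	errno = 0;
	v = strtoull(p, &end, 10);
	if (*end != ':')		/* trailing junk or a missing field */
		return UID_NOT_NUMERIC;
	if (errno == ERANGE || v > UINT32_MAX)
		return UID_OUT_OF_RANGE;
	return UID_OK;
}
```

Running `check_uid_field` over each line of a password file flags entries whose uid was stored as a negative string.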
