From nobody@FreeBSD.org  Fri Aug 16 14:19:09 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 73AF237B400
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Aug 2002 14:19:09 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3771F43E6A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Aug 2002 14:19:09 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g7GLIPOT065418
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Aug 2002 14:18:25 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g7GLIPEm065417;
	Fri, 16 Aug 2002 14:18:25 -0700 (PDT)
Message-Id: <200208162118.g7GLIPEm065417@www.freebsd.org>
Date: Fri, 16 Aug 2002 14:18:25 -0700 (PDT)
From: Branson Matheson <branson@windborne.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pw_mkdb creates uid 0 accounts for improper UID 
X-Send-Pr-Version: www-1.0

>Number:         41721
>Category:       bin
>Synopsis:       pw_mkdb creates uid 0 accounts for improper UID
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 16 14:20:01 PDT 2002
>Closed-Date:    Mon Nov 11 01:03:53 PST 2002
>Last-Modified:  Mon Nov 11 01:03:53 PST 2002
>Originator:     Branson Matheson
>Release:        4.6-STABLE
>Organization:
Windborne Productions, Inc
>Environment:
FreeBSD jane.inside 4.6-STABLE FreeBSD 4.6-STABLE #2: Tue Aug  6 13:41:03 EDT 2002     branson@jane.inside:/usr/obj/usr/src/sys/JANE  i386

>Description:
When using vipw to create an account, if a letter is in the third field of the temporary password file (the UID field), when vipw exits and mk_pwdb runs against the resulting temporary file, the account is given uid 0. The same happens for the GID field.
>How-To-Repeat:
run vipw, add the following line:
test:*:i123:20::0:0:Test User:/home/test:/sbin/nologin
exit
root@jane # grep test /etc/passwd 
test:*:0:20:Test User:/home/test:/sbin/nologin

>Fix:
mk_pwdb needs to validate the format of the UID and GID fields and throw an exception if the field contains any /D type characters. 
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->wes 
Responsible-Changed-By: wes 
Responsible-Changed-When: Fri Aug 16 14:29:03 PDT 2002 
Responsible-Changed-Why:  
Fix parser, issue a warning if a non-numeric character is found in 
the UID or GID field. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41721 

From: "Artem 'Zazoobr' Ignatjev" <timon@memphis.mephi.ru>
To: Branson Matheson <branson@windborne.net>,
	freebsd-gnats-submit@FreebSD.org
Cc:  
Subject: Re: bin/41721: pw_mkdb creates uid 0 accounts for improper UID
Date: Sat, 17 Aug 2002 01:36:12 +0400

 On Fri, Aug 16, 2002 at 02:18:25PM -0700, Branson Matheson wrote:
 > 
 > >Number:         41721
 > >Category:       bin
 > >Synopsis:       pw_mkdb creates uid 0 accounts for improper UID
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Originator:     Branson Matheson
 > >Release:        4.6-STABLE
 > 
 > >Description:
 > When using vipw to create an account, if a letter is in the third field of the temporary password file (the UID field), when vipw exits and mk_pwdb runs against the resulting temporary file, the account is given uid 0. The same happens for the GID field.
 > >How-To-Repeat:
 > run vipw, add the following line:
 > test:*:i123:20::0:0:Test User:/home/test:/sbin/nologin
 > exit
 > root@jane # grep test /etc/passwd 
 > test:*:0:20:Test User:/home/test:/sbin/nologin
 > 
 > >Fix:
 > mk_pwdb needs to validate the format of the UID and GID fields and throw an exception if the field contains any /D type characters. 
 	Could you please try the following patch?
 
 ==== Begin screendump ====
 [timon@memphis edquota]$ cat /home/timon/patches/patch-pw_scan.c-nondigit-id
 --- usr.sbin/pwd_mkdb/pw_scan.c	Sat Aug 17 01:26:56 2002
 +++ usr.sbin/pwd_mkdb/pw_scan.c	Sat Aug 17 01:30:36 2002
 @@ -76,6 +76,8 @@
  	uid_t id;
  	int root;
  	char *p, *sh;
 +	
 +	char *end;
  
  	if (pw_big_ids_warning == -1)
  		pw_big_ids_warning = getenv("PW_SCAN_BIG_IDS") == NULL ? 1 : 0;
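Review bot: The first added line of this hunk contains only a tab, and `end` is declared apart from the other pointers; drop the whitespace-only line and extend the existing declaration to `char *p, *sh, *end;` so the hunk is a one-line change.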
 @@ -101,7 +103,11 @@
  			return (0);
  		}
  	}
 -	id = strtoul(p, (char **)NULL, 10);
 +	id = strtoul(p, &end, 10);
 +	if (*end != ':') {
 +		warnx("uid of %s must be integer", pw->pw_name);
 +		return (0);
 +	}
  	if (errno == ERANGE) {
  		warnx("%s > max uid value (%u)", p, ULONG_MAX);
  		return (0);
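Review bot: The new uid test `*end != ':'` only passes if the ':' delimiter is still in the buffer after the digits; the gid field in the next hunk is cut out with strsep(&bp, ":"), which overwrites the delimiter with NUL, and if the uid field is obtained the same way every valid uid ends at '\0' and is rejected here. Comparing against '\0' fits that case. The check also sits before the ERANGE test in this hunk but after it in the gid hunk; use one order in both places.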
 @@ -119,9 +125,13 @@
  	if (!(p = strsep(&bp, ":")))			/* gid */
  		goto fmt;
  	if(p[0]) pw->pw_fields |= _PWF_GID;
 -	id = strtoul(p, (char **)NULL, 10);
 +	id = strtoul(p, &end, 10);
  	if (errno == ERANGE) {
  		warnx("%s > max gid value (%u)", p, ULONG_MAX);
 +		return (0);
 +	}
 +	if (*end != ':') {
 +		warnx("primary gid of %s must be integer", pw->pw_name);
  		return (0);
  	}
  	if (pw_big_ids_warning && id > USHRT_MAX) {
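Review bot: In the gid check, `*end != ':'` cannot be right as written: p comes from the strsep(&bp, ":") call at the top of this hunk, which replaces the ':' with NUL, so after a fully numeric gid `end` points at '\0' and the new branch returns 0 for every valid entry. Test `*end != '\0'` instead. The context line `if(p[0]) pw->pw_fields |= _PWF_GID;` also shows that an empty gid field reaches strtoul(); with a '\0' test it still parses as 0, so state whether that case is meant to be accepted.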
 ==== End screendump ====
 			Sinceherely yours, Artem 'Zazoobr' Ignatjev.
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Wed Sep 25 01:49:53 PDT 2002 
State-Changed-Why:  
Fixed in rev. 1.22 src/lib/libc/gen/pw_scan.c in -current. 


Responsible-Changed-From-To: wes->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Wed Sep 25 01:49:53 PDT 2002 
Responsible-Changed-Why:  
MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41721 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Mon Nov 11 00:57:51 PST 2002 
State-Changed-Why:  
Fixed in rev. 1.22 src/lib/libc/gen/pw_scan.c in -CURRENT and in 
rev. 1.14.2.1 src/usr.sbin/pwd_mkdb/pw_scan.c in -STABLE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41721 
>Unformatted:
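The failure mode from this report beside a strict parse, as an added example that is not code from the PR or from FreeBSD: `lenient_id`, `strict_id` and `uid_from_line` are hypothetical names, and rejecting an empty field is a choice made here. The `term` argument is the character expected right after the digits: ':' when parsing inside the unsplit line, '\0' once the field has been cut out of it.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parse, as on the line the patch removes: "i123" becomes 0. */
static unsigned long lenient_id(const char *field)
{
	return strtoul(field, (char **)NULL, 10);
}

/* Hypothetical strict parser: the field must start with a digit and the
 * digits must be followed by term; returns 0 on success, -1 otherwise. */
static int strict_id(const char *field, char term, unsigned long max,
    unsigned long *out)
{
	char *end;
	unsigned long v;
	if (field[0] < '0' || field[0] > '9')	/* "", "i123", "-1", " 5" */
		return -1;
	errno = 0;				/* strtoul never clears errno */
	v = strtoul(field, &end, 10);
	if (*end != term || errno == ERANGE || v > max)	/* "12a", overflow */
		return -1;
	*out = v;
	return 0;
}

/* Find the third ':'-separated field (the uid) in the unsplit line. */
static int uid_from_line(const char *line, unsigned long *uid)
{
	const char *p = line;
	int i;
	for (i = 0; i < 2; i++) {		/* skip name and password */
		if ((p = strchr(p, ':')) == NULL)
			return -1;
		p++;
	}
	return strict_id(p, ':', UINT_MAX, uid);
}

int main(void)
{
	unsigned long uid = 0;	/* sample below: the report's How-To-Repeat line */
	printf("lenient=%lu strict=%d\n", lenient_id("i123"),
	    uid_from_line("test:*:i123:20::0:0:Test User:/home/test:/sbin/nologin", &uid));
	return 0;
}
```

The first-character test matters because strtoul() itself accepts leading whitespace and a sign, so "-1" would otherwise parse without error.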
