From ptm@ns.tr.ukrtel.net  Thu Apr  3 05:14:45 2003
Return-Path: <ptm@ns.tr.ukrtel.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D62E737B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  3 Apr 2003 05:14:45 -0800 (PST)
Received: from mail.tr.ukrtel.net (ns.tr.ukrtel.net [195.5.27.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8A48A43F3F
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  3 Apr 2003 05:14:43 -0800 (PST)
	(envelope-from ptm@ns.tr.ukrtel.net)
Received: from ns.tr.ukrtel.net (localhost.tr.ukrtel.net [127.0.0.1])
	by mail.tr.ukrtel.net (8.12.6/8.12.6) with ESMTP id h33DEcZx025551
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 3 Apr 2003 16:14:38 +0300 (EEST)
	(envelope-from ptm@ns.tr.ukrtel.net)
Received: (from root@localhost)
	by ns.tr.ukrtel.net (8.12.6/8.12.6/Submit) id h33DEYrq025549;
	Thu, 3 Apr 2003 16:14:34 +0300 (EEST)
Message-Id: <200304031314.h33DEYrq025549@ns.tr.ukrtel.net>
Date: Thu, 3 Apr 2003 16:14:34 +0300 (EEST)
From: Taras Panchyshyn <ptm@ns.tr.ukrtel.net>
Reply-To: Taras Panchyshyn <ptm@ns.tr.ukrtel.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: two records about user in master.passwd after usage command "chsh"
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         50563
>Category:       bin
>Synopsis:       two records about user in master.passwd after usage command "chsh"
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 03 05:20:17 PST 2003
>Closed-Date:    Thu Jun 05 23:37:32 PDT 2003
>Last-Modified:  Thu Jun 05 23:37:32 PDT 2003
>Originator:     Taras  Panchyshyn
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
Ukrtelecom
>Environment:
System: FreeBSD ns.tr.ukrtel.net 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Thu Jan 16 22:16:53 GMT 2003 root@hollin.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386

>Description:
I use the chsh command to change user information:
 
ns# chsh emsternopil
#Changing user information for emsternopil.
Login: emsternopil
Password: $1$nlqz3wgz$dIkazFbakjPpdodx.jlRX1
Uid [#]: 2075
Gid [# or name]: 1038
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /services/ftp
Shell: /bin/csh
Full Name: 584. Tern. Vuzol spec-zvjazku
Office Location: s. Strilciv 6
Office Phone: 22-32-79
Home Phone:
Other information:

:wq

After editing the information about the user, saving, and updating the information in the user database (master.passwd), two records for this user appear: the old record and a record with the changes that were made by chsh:
 
ns# more /etc/master.passwd | grep emsternopil

emsternopil:$1$nlqz3wgz$dIkazFbakjPpdodx.jlRX1:2075:1038::0:0:584. Tern. Vuzol spec-zvjazku,s. Strilciv 6,22-32-79:/services/ftp:/bin/csh
emsternopil:$1$nlqz3wgz$dIkazFbakjPpdodx.jlRX1:2075:1038::0:0:584. Tern. Vuzol spec-zvjazku,s. Strilciv 6,33-90-22 22-32-79,43-59-80:/services/ftp:/bin/csh
 
In older versions of FreeBSD (4.3 - 4.7) the chsh command works properly.

>How-To-Repeat:
ns# adduser
Username: Username
adduser dialog ...

ns# chsh Username
editing of gecos field ...

ns# chsh Username
editing of gecos field ...

The problem appears when the fields "Office Location:" and "Office Phone:" are edited more than once by the "chpass" command.

>Fix:

	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->tjr 
Responsible-Changed-By: tjr 
Responsible-Changed-When: Fri Apr 4 04:27:27 PST 2003 
Responsible-Changed-Why:  
I'll handle this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50563 
Responsible-Changed-From-To: tjr->des 
Responsible-Changed-By: tjr 
Responsible-Changed-When: Tue Apr 8 03:16:00 PDT 2003 
Responsible-Changed-Why:  
This bug seems to have been caused by src/lib/libutil/pw_util.c revision 1.24, 
and I don't have time to finish testing my patch for the problem. Please 
notify security-officer@ when the bugs have been fixed so that an advisory may 
be issued. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50563 

From: Tim Robbins <tjr@FreeBSD.ORG>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/50563: two records about user in master.passwd after usage command "chsh"
Date: Tue, 8 Apr 2003 20:20:57 +1000

 Here is a patch that seems to fix the security bug in libutil and the
 non-security data corruption bug in chpass.
 
 
 pw_util.c: Restore code to detect entries that have been modified
 while the editor was running.
 
 edit.c: Avoid clobbering pw_gecos with strsep() in display(); it is
 used for comparison later, and will cause changes to the GECOS field
 to be handled incorrectly.
 
 
 Index: src/lib/libutil/pw_util.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libutil/pw_util.c,v
 retrieving revision 1.28
 diff -u -p -r1.28 pw_util.c
 --- src/lib/libutil/pw_util.c	17 Mar 2003 02:12:55 -0000	1.28
 +++ src/lib/libutil/pw_util.c	4 Apr 2003 12:34:18 -0000
 @@ -473,14 +473,19 @@ pw_copy(int ffd, int tfd, struct passwd 
  		*q = '\0';
  		fpw = pw_scan(r, PWSCAN_MASTER);
  		*q = t;
 -		if ((old_pw && !pw_equal(fpw, old_pw)) ||
 -		    (!old_pw && strcmp(fpw->pw_name, pw->pw_name))) {
 +		if (strcmp(fpw->pw_name, pw->pw_name)) {
  			/* nope */
  			free(fpw);
  			if (write(tfd, p, q - p + 1) != q - p + 1)
  				goto err;
  			++q;
  			continue;
 +		}
 +		if (old_pw && !pw_equal(fpw, old_pw)) {
 +			warnx("entry inconsistent");
 +			free(fpw);
 +			errno = EINVAL; /* hack */
 +			goto err;
  		}
  		free(fpw);
  
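Review bot: fpw is dereferenced in the new strcmp(fpw->pw_name, pw->pw_name) with no NULL check after fpw = pw_scan(r, PWSCAN_MASTER); if pw_scan() fails on an unparsable line or on allocation failure, pw_copy() crashes in the middle of rewriting the password file. Suggest testing fpw == NULL right after the call and taking the err path. Separately, errno = EINVAL; /* hack */ should say which caller depends on errno here, and the "entry inconsistent" warning would be easier to act on if it named the affected entry (pw->pw_name).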
 Index: src/usr.bin/chpass/edit.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/chpass/edit.c,v
 retrieving revision 1.22
 diff -u -p -r1.22 edit.c
 --- src/usr.bin/chpass/edit.c	8 May 2002 00:54:28 -0000	1.22
 +++ src/usr.bin/chpass/edit.c	5 Apr 2003 02:43:19 -0000
 @@ -109,7 +109,7 @@ static int
  display(const char *tfn, struct passwd *pw)
  {
  	FILE *fp;
 -	char *bp, *p;
 +	char *bp, *gecos, *p;
  
  	if ((fp = fopen(tfn, "w")) == NULL) {
  		warn("%s", tfn);
 @@ -152,7 +152,12 @@ display(const char *tfn, struct passwd *
  		    *pw->pw_shell ? pw->pw_shell : _PATH_BSHELL);
  	else
  	  list[E_SHELL].restricted = 1;
 -	bp = pw->pw_gecos;
 +
 +	if ((bp = gecos = strdup(pw->pw_gecos)) == NULL) {
 +		warn(NULL);
 +		fclose(fp);
 +		return (-1);
 +	}
  
  	p = strsep(&bp, ",");
  	p = strdup(p ? p : "");
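Review bot: the result of p = strdup(p ? p : ""); on the context line right after the new block is not checked on the visible lines, while the added strdup(pw->pw_gecos) above it is checked and bails out with -1. Suggest handling both allocations the same way, so that an out-of-memory condition while splitting the GECOS field cannot leave a NULL field pointer behind for later code to use.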
 @@ -182,6 +187,8 @@ display(const char *tfn, struct passwd *
  	list[E_OTHER].save = bp;
  	if (!list[E_OTHER].restricted || master_mode)
  	  (void)fprintf(fp, "Other information: %s\n", bp);
 +
 +	free(gecos);
  
  	(void)fchown(fileno(fp), getuid(), getgid());
  	(void)fclose(fp);
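Review bot: list[E_OTHER].save = bp is stored just before the added free(gecos); if bp still points into the strdup()ed gecos buffer at that point (the lines that last assign bp are outside this hunk), save is left dangling as soon as the buffer is freed. Suggest storing a duplicate, for example strdup(bp ? bp : ""), in the same way the first field is duplicated in the previous hunk, or confirming that bp is already a separate allocation before this free().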
State-Changed-From-To: open->feedback 
State-Changed-By: des 
State-Changed-When: Wed Apr 9 11:33:57 PDT 2003 
State-Changed-Why:  
Fixed in -CURRENT. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50563 
State-Changed-From-To: feedback->closed 
State-Changed-By: des 
State-Changed-When: Thu Jun 5 23:37:31 PDT 2003 
State-Changed-Why:  
Fixed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50563 
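
The GECOS clobbering described in the edit.c part of the patch message above, shown as an added example (not code from this PR or from FreeBSD): splitting the buffer in place with strsep() leaves only the first subfield visible to a later whole-string comparison, while splitting a private copy keeps the original intact. The sample value and the names split_in_place, split_copy and still_matches are constructed for illustration.

```c
#define _DEFAULT_SOURCE 1	/* strsep()/strdup() prototypes on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample GECOS value: name,office,phone,other */
static const char SAMPLE[] = "Test User,Room 6,22-32-79,misc";

/* Unpatched pattern: split the caller's buffer itself. strsep() overwrites
 * each ',' with '\0', so the buffer afterwards reads as the name only. */
static size_t split_in_place(char *gecos, char *f[], size_t max)
{
	size_t n = 0;
	while (n < max && gecos != NULL)
		f[n++] = strsep(&gecos, ",");
	return n;
}

/* Patched pattern: split a private copy and duplicate every field, so the
 * caller's buffer is untouched and nothing points into the copy once freed. */
static size_t split_copy(const char *gecos, char *f[], size_t max)
{
	size_t n = 0;
	char *copy, *bp;
	if ((bp = copy = strdup(gecos)) == NULL)
		return 0;
	while (n < max && bp != NULL) {
		if ((f[n] = strdup(strsep(&bp, ","))) == NULL)
			break;
		n++;
	}
	free(copy);
	return n;
}

/* Returns 1 if the buffer still equals the stored value after splitting. */
static int still_matches(int use_copy)
{
	char buf[sizeof(SAMPLE)], *f[4];
	size_t i, n;
	memcpy(buf, SAMPLE, sizeof(buf));
	n = use_copy ? split_copy(buf, f, 4) : split_in_place(buf, f, 4);
	for (i = 0; use_copy && i < n; i++)
		free(f[i]);
	return n == 4 && strcmp(buf, SAMPLE) == 0;
}

int main(void)
{
	printf("in place: %d, copy: %d\n", still_matches(0), still_matches(1));
}
```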
>Unformatted:
